Your AI Assistant in Memory Forensics

Overview

Volatility MCP seamlessly integrates Volatility 3's powerful memory analysis with FastAPI and the Model Context Protocol (MCP). Experience memory forensics without barriers as plugins like pslist and netscan become accessible through clean REST APIs, connecting memory artifacts directly to AI assistants and web applications

Features

• Volatility 3 Integration: Leverages the Volatility 3 framework for memory image analysis.
• FastAPI Backend: Provides RESTful APIs to interact with Volatility plugins.
• Web Front End Support (future feature): Designed to connect with a web-based front end for interactive analysis.
• Model Context Protocol (MCP): Enables standardized communication with MCP clients like Claude Desktop.
• Plugin Support: Supports various Volatility plugins, including pslist for process listing and netscan for network connection analysis.

Architecture

The project architecture consists of the following components:

• MCP Client: MCP client like Claude Desktop that interacts with the FastAPI backend.
• FastAPI Server: A Python-based server that exposes Volatility plugins as API endpoints.
• Volatility 3: The memory forensics framework performing the analysis.

This architecture allows users to analyze memory images through MCP clients like Claude Desktop. Users can use natural language prompts to perform memory forensics analysis such as show me the list of the processes in memory image x, or show me all the external connections made

Getting Started

Prerequisites

• Python 3.7+ installed on your system
• Volatility 3 binary installed (see Volatility 3 Installation Guide) and added to your env path called VOLATILITY_BIN

Installation

1. Clone the repository:

   git clone <repository_url>
   cd <repository_directory>
   

2. Install the required Python dependencies:

   pip install -r requirements.txt
   

3. Start the FastAPI server to expose Volatility 3 APIs:

   uvicorn volatility_fastapi_server:app 
   

4. Install Claude Desktop (see Claude Desktop

5. To configure Claude Desktop as a volatility MCP client, navigate to Claude → Settings → Developer → Edit Config, locate the claude_desktop_config.json file, and insert the following configuration details

6. Please note that the -i option in the config.json file specifies the directory path of your memory image file.

       {
        "mcpServers": {
          "vol": {
            "command": "python",
            "args": [
              "/ABSOLUTE_PATH_TO_MCP-SERVER/vol_mcp_server.py", "-i",     
              "/ABSOLUTE_PATH_TO_MEMORY_IMAGE/<memory_image>"
            ]
          }
        }
    }
   

Alternatively, update this file directly:

/Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json

Usage

1. Start the FastAPI server as described above.
2. Connect an MCP client (e.g., Claude Desktop) to the FastAPI server.
3. Start the prompt by asking questions regarding the memory image in scope, such as showing me the running processes, creating a tree relationship graph for process x, or showing me all external RFC1918 connections.

Future Features and Enhancements

• Native Volatility Python Integration: Incorpora

... View full README on GitHub