// artifact family

memory forensics

37 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.

tools: 37
catalog slugs: 37
processing: local · in browser

tools in this family

ordered as in the forensics catalog. every tool runs locally — no upload, no account.

  1. memory dump analyzer: drop a .dmp or .vmem · extract strings · identify patterns · find artifacts · runs locally
  2. process memory dump analyzer: drop a process memory dump · extract strings · urls · ips · credentials patterns · loaded modules · network connections · runs locally
  3. windows crash dump analyzer: drop a windows minidump · exception details · faulting module · stack trace · loaded modules · bug check analysis · runs locally
  4. process tree rebuilder: drop a memory dump · scan EPROCESS pool tags · reconstruct parent/child process tree · flag orphaned and suspicious chains · export CSV · runs locally
  5. memory pe extractor: drop a memory dump · scan for PE headers · carve embedded executables · rebuild PE structure · download extracted files · runs locally
  6. credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
  7. dll injection detector: drop a memory dump · find PE headers at unexpected offsets · detect RWX regions · mismatched module names · hollow process indicators · runs locally
  8. memory network connection mapper: drop a memory dump · scan for TCP/UDP socket structures · extract IPs · ports · process associations · flag suspicious connections · export CSV · runs locally
  9. heap spray detector: drop memory dump · NOP sleds · repeated 4KB blocks · shellcode prefixes · byte runs · density map · csv · runs locally
  10. memory entropy analyzer: memory dump · shannon entropy per block · heatmap · high-entropy regions · hex dump · csv + png export · runs locally
  11. lsass dump artifact analyzer: drop sysmon or security evtx csv · detect lsass access and dump indicators · flag suspicious callers · minidump paths · runs locally
  12. dkom hidden process detector: drop memory dump strings or process list exports from multiple sources · compare eprocess pspcidtable and handle table views · surface hidden processes · dkom rootkit detection · runs locally
  13. kernel driver anomaly detector: drop loaded driver list exports or memory dump driver lists · flag drivers not on disk · unsigned drivers · drivers loaded from unusual paths · compare against known-good baselines · runs locally
  14. unbacked memory region detector: drop vad malfind text or csv · executable memory without file backing · mz in memory · rwx regions · process summary · csv export · runs locally
  15. PE header in-memory anomaly detector: drop malfind or procdump pe region · analyze pe header for in-memory anomalies · header stomping unpacked sections hollowing indicators · export csv · runs locally
  16. reflective DLL load memory indicator detector: drop ldrmodules malfind or raw memory region · detect reflective dll loading · module-less in-memory pe · reflectiveloader export and stubs · runs locally
  17. inline hook artifact detector: drop apihooks ssdt volatility output or memory region · detect jmp patches and inline api hooks · classify hook destinations · export csv · runs locally
  18. shellcode region entropy analyzer: drop memory dump pe or hex paste · windowed shannon entropy · high-entropy and shellcode candidate regions · pe section entropy · export csv · runs locally
  19. unpacked PE region identifier: drop procmemdump or memory dump · scan mz pe headers · filter known modules · packer fingerprint imports overlay · export csv · runs locally
  20. memory beacon pattern detector: drop memory dump or volatility strings · cobalt strike beacon strings and config markers · meterpreter empire heuristics · sleep jitter c2 extraction · runs locally
  21. in-memory malware configuration extractor: drop process memory dump · xor decode json xml config blocks · c2 ip port campaign mutex extraction · multi-technique local scan · runs locally
  22. memory artifact timeline reconstructor: drop volatility csv exports · merge process network registry file events · unified memory timeline · gap detection · csv export · runs locally
  23. file access to process correlator: drop sysmon event 11 file create · event 23 file delete · mft csv · evtx 4663 · link file creation and access events to the responsible process · build per-process file activity timeline · identify data staging by process · runs locally
  24. named pipe forensic artifact analyzer: drop sysmon event 17 18 csvs or handle exports · detect malicious named pipe usage · cobalt strike pipe patterns · common c2 framework pipe names · lateral movement via pipes · privilege escalation via pipe impersonation · runs locally
  25. mutex name forensic artifact analyzer: drop handle exports · memory dump strings · sysmon exports · extract mutex names · match against 500+ known malware family mutex signatures · identify malware family from mutex · flag unusual mutex patterns · runs locally
  26. memory heap object type identifier: drop memory dump strings or raw segment · scan heap for object type signatures · vtable · credential structures · dotnet java python objects · runs locally
  27. jit compiled code region extractor: drop browser or jvm memory dump · identify jit regions by executable non-backed memory · v8 ryujit hotspot artifacts · bytecode hints · runs locally
  28. inter-process communication channel mapper: drop handle table exports or volatility handles output · map ipc channels · shared memory · named pipes · alpc ports · com topology · runs locally
  29. thread execution order forensic reconstructor: drop volatility threads output or crash dump thread listings · reconstruct execution order · thread injection · stack frames · timeline · runs locally
  30. aslr base address forensic reconstructor: drop crash dump or module list export · reconstruct aslr base addresses · pointer attribution · cross-dump correlation · rva section lookup · runs locally
  31. dll injection indicator analyzer: drop volatility dlllist or ldrmodules or malfind output · detect injected dlls and module anomalies · suspicious paths · cross-plugin correlation · runs locally
  32. process hollowing memory artifact analyzer: drop volatility malfind or cmdline or pstree output · detect process hollowing indicators · vad vs image mismatches · dkom hidden processes · runs locally
  33. vad region anomaly analyzer: drop volatility vadinfo or malfind output · rwx private regions · anonymous executable vad · suspicious file-backed mappings · runs locally
  34. thread injection artifact analyzer: drop volatility threads or dlllist or vadinfo output · thread start addresses outside known modules · apc and createremotethread artifacts · runs locally
  35. memory string timeline reconstructor: drop multiple timestamped string extractions or timeline csv · new removed persistent strings · ioc temporal tracking · runs locally
  36. process memory string extractor: drop raw memory dump or strings text · streaming ascii utf-16le extraction · urls ips credentials c2 iocs · csv export · runs locally
  37. heap spray pattern detector: drop raw memory dump · repeated 4kb block detection · nop sled inventory · entropy analysis · spray candidate csv · runs locally