volatility3-mcp

0xOb5k-J/volatility3-mcp


The Volatility3 MCP Server integrates the Volatility3 memory forensics framework with LLM-based tools, providing a robust solution for memory analysis across multiple operating systems.


Volatility3 MCP Server

A Model Context Protocol (MCP) server that integrates the Volatility3 memory forensics framework with LLM-based tools.

Demo:

https://github.com/user-attachments/assets/f320bfbc-6737-4ce1-aefa-0d82213dd4dd

Tested On:

  • Windows 11 24h2
  • Python 3.12.0
  • VS Code
  • Windows mem profiles

Features

  • Goal-Oriented: First understands the goal and then proceeds
  • Multi-OS Support: Automatically detects and adapts to Windows, Linux, and Mac memory images
  • Intelligent Plugin Discovery: Dynamically discovers available plugins based on loaded image
  • Error Analysis: Automatic error analysis with solutions and alternatives
  • Batch Processing: Execute multiple plugins in sequence
  • Documentation Generation: Generate comprehensive analysis reports

Available Tools

Tool                           Description
load_memory_image              Load a memory image and auto-detect OS type (Always start here)
get_image_info                 Get detailed information about the loaded memory image
list_available_plugins         List all available plugins for the current OS
build_plugin_command           Build and validate Volatility3 commands
execute_plugin                 Execute a Volatility3 plugin with error handling
analyze_error                  Analyze errors and provide solutions
suggest_plugins                Get plugin suggestions based on analysis goal
batch_execute                  Execute multiple plugins in sequence
generate_documentation         Create a new documentation file that AI can populate with content
create_documentation_content   AI writes content to documentation file - full creative control
get_analysis_context           Get complete analysis context for AI documentation

Installation

Windows

git clone https://github.com/0xOb5k-J/volatility3-mcp
cd volatility3-mcp
python3 setup_all.py

Note: after executing setup_all.py, download mcp_server.py from the releases page and place it in the %USERPROFILE%\volatility-mcp-server\src folder, replacing the original file.

Link to download: https://github.com/0xOb5k-J/volatility3-mcp/releases/download/mcp_server/mcp_server.py

Configuration

MCP configuration for the GitHub Copilot VS Code extension:

{
  "servers": {
    "volatility3-mcp": {
      "command": "python",
      "args": [
        "C:\\Users\\<USERNAME>\\volatility-mcp-server\\launcher.py"
      ],
      "type": "stdio",
      "env": {
        "PYTHONPATH": "C:\\Users\\<USERNAME>\\volatility-mcp-server\\volatility3"
      }
    }
  },
  "inputs": []
}

MCP Configuration for Claude Desktop:

{
  "mcpServers": {
    "volatility3-mcp": {
      "command": "python",
      "args": [
        "C:\\Users\\<USERNAME>\\volatility-mcp-server\\launcher.py"
      ],
      "env": {
        "PYTHONPATH": "C:\\Users\\<USERNAME>\\volatility-mcp-server\\volatility3"
      }
    }
  }
}

Testing

Test the Server

Windows:

cd %USERPROFILE%\volatility-mcp-server
python launcher.py

Using with GitHub Copilot (VSCode) as MCP Client

  1. Copy the config to your MCP client configuration
  2. Start the MCP server from the config file or from VSCode itself
  3. The Volatility3 tools will be available in GitHub Copilot

Using with Claude Desktop as MCP Client

  1. Copy the config to your MCP client configuration
  2. Restart Claude Desktop
  3. The Volatility3 tools will be available in Claude Desktop

Directory Structure

volatility-mcp-server/
├── volatility3/          # Volatility3 framework
├── src/
│   └── mcp_server.py     # MCP server implementation
├── config/
│   ├── mcp_linux.json    # Linux configuration
│   └── mcp_windows.json  # Windows configuration
├── tests/
│   └── test_server.py    # Test suite
├── logs/                 # Server logs
├── memory_images/        # Memory dumps location
├── reports/              # Generated reports
├── .vscode/
│   └── settings.json     # VSCode configuration
├── venv/                 # Python virtual environment
├── launch_server.sh      # Linux launcher
└── launcher.py           # Cross-platform launcher

Troubleshooting

Server won't start

  • Check Python version: python3 --version (needs 3.8+)
  • Verify virtual environment exists
  • Check logs in logs/mcp_server.log
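
The checks above and the client entries from the Configuration section, combined into one preflight script. This is an added example, not code from the volatility3-mcp project; the function names (preflight, client_config, demo) and the list of required paths are assumptions drawn from the Directory Structure section.

```python
import json
import sys
import tempfile
from pathlib import Path

# Paths come from the Directory Structure section; treating them as the
# minimum needed to start the server is an assumption of this example.
REQUIRED = ["launcher.py", "src/mcp_server.py", "volatility3", "venv"]


def preflight(root, version=sys.version_info[:2]):
    """Return a list of problems that would stop the server from starting."""
    problems = []
    if tuple(version) < (3, 8):
        problems.append("python %d.%d is older than 3.8" % tuple(version))
    for rel in REQUIRED:
        if not (Path(root) / rel).exists():
            problems.append("missing " + rel)
    return problems


def client_config(root, client="vscode"):
    """Build the MCP client entry from Configuration for a given install root."""
    root = Path(root)
    entry = {
        "command": "python",
        "args": [str(root / "launcher.py")],
        "env": {"PYTHONPATH": str(root / "volatility3")},
    }
    if client == "vscode":
        entry["type"] = "stdio"
        return {"servers": {"volatility3-mcp": entry}, "inputs": []}
    return {"mcpServers": {"volatility3-mcp": entry}}


def demo():
    # Constructed install tree (no venv/) in a temp directory; runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "volatility-mcp-server"
        (root / "src").mkdir(parents=True)
        (root / "volatility3").mkdir()
        (root / "launcher.py").write_text("# placeholder\n")
        (root / "src" / "mcp_server.py").write_text("# placeholder\n")
        # json.dumps escapes Windows backslashes, as in the configs above.
        return preflight(root), json.dumps(client_config(root, "claude"), indent=2)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point preflight() at %USERPROFILE%\volatility-mcp-server on a real install and paste the output of client_config() into the client's MCP configuration file.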

Plugin execution fails

  • Use analyze_error() tool for automatic diagnosis
  • Check suggest_plugins() for alternatives
  • Verify OS compatibility

License

MIT License