ServersGaffx/volatility-mcp

Gaffx/volatility-mcp

Created on 2025-04-10

Open Source Visit Server

This repo hosts an MCP server for volatility3.x

Information

Your AI Assistant in Memory Forensics

Overview

Volatility MCP seamlessly integrates Volatility 3's powerful memory analysis with FastAPI and the Model Context Protocol (MCP). Experience memory forensics without barriers as plugins like pslist and netscan become accessible through clean REST APIs, connecting memory artifacts directly to AI assistants and web applications

Features

Volatility 3 Integration: Leverages the Volatility 3 framework for memory image analysis.
FastAPI Backend: Provides RESTful APIs to interact with Volatility plugins.
Web Front End Support (future feature): Designed to connect with a web-based front end for interactive analysis.
Model Context Protocol (MCP): Enables standardized communication with MCP clients like Claude Desktop.
Plugin Support: Supports various Volatility plugins, including pslist for process listing and netscan for network connection analysis.

Architecture

The project architecture consists of the following components:

MCP Client: MCP client like Claude Desktop that interacts with the FastAPI backend.
FastAPI Server: A Python-based server that exposes Volatility plugins as API endpoints.
Volatility 3: The memory forensics framework performing the analysis.

This architecture allows users to analyze memory images through MCP clients like Claude Desktop. Users can use natural language prompts to perform memory forensics analysis such as show me the list of the processes in memory image x, or show me all the external connections made

Getting Started

Prerequisites

Python 3.7+ installed on your system
Volatility 3 binary installed (see Volatility 3 Installation Guide) and added to your env path called VOLATILITY_BIN

Installation

Clone the repository:

git clone <repository_url>
cd <repository_directory>

Install the required Python dependencies:
```
pip install -r requirements.txt
```
Start the FastAPI server to expose Volatility 3 APIs:
```
uvicorn volatility_fastapi_server:app 
```
Install Claude Desktop (see Claude Desktop
To configure Claude Desktop as a volatility MCP client, navigate to Claude → Settings → Developer → Edit Config, locate the claude_desktop_config.json file, and insert the following configuration details

Please note that the -i option in the config.json file specifies the directory path of your memory image file.

    {
     "mcpServers": {
       "vol": {
         "command": "python",
         "args": [
           "/ABSOLUTE_PATH_TO_MCP-SERVER/vol_mcp_server.py", "-i",     
           "/ABSOLUTE_PATH_TO_MEMORY_IMAGE/<memory_image>"
         ]
       }
     }
 }

Alternatively, update this file directly:

/Users/YOUR_USER/Library/Application Support/Claude/claude_desktop_config.json

Usage

Start the FastAPI server as described above.
Connect an MCP client (e.g., Claude Desktop) to the FastAPI server.
Start the prompt by asking questions regarding the memory image in scope, such as showing me the running processes, creating a tree relationship graph for process x, or showing me all external RFC1918 connections.

Future Features and Enhancements

Native Volatility Python Integration: Incorporate Volatility Python SDK directly in the code base as opposed to subprocess volatility binary
Yara Integration: Implement functionality to dump a process from memory and scan it with Yara rules for malware analysis.
Multi-Image Analysis: Enable the analysis of multiple memory images simultaneously to correlate events and identify patterns across different systems.
Adding more Volatility Plugins: add more volatility plugins to expand the scope of memory analysis
GUI Enhancements: Develop a user-friendly web interface for interactive memory analysis and visualization.
Automated Report Generation: Automate the generation of detailed reports summarizing the findings of memory analysis.
Advanced Threat Detection: Incorporate advanced techniques for detecting sophisticated threats and anomalies in memory.

Contributing

Contributions are welcome! Please follow these steps to contribute:

Fork this repository.
Create a new branch (git checkout -b feature/my-feature).
Commit your changes (git commit -m 'Add some feature').
Push to your branch (git push origin feature/my-feature).
Open a pull request.

Recommended MCP Servers

toolhive

Run and manage MCP servers easily and securely

A MCP Server for APK Tool (Part of Android Reverse Engineering MCP Suites)

attestable-mcp-server

Verify that any MCP server is running the intended and untampered code via hardware attestation.

Plugin for JADX to integrate MCP server

onepassword-mcp-server

An MCP server that enables secure credential retrieval from 1Password to be used by Agentic AI

An MCP Server for pyATS (experimental)

MCP server for AWS Cloud Development Kit (CDK) best practices, infrastructure as code patterns, and security compliance with CDK Nag.

mcp-cost-analysis-mcp-server

MCP server for analyzing AWS service costs and generating cost reports.

chaitin-ip-intelligence-search-tool

chaitin ip intelligence search tool for mcp

BloodHound-MCP-AI is integration that connects BloodHound with AI through Model Context Protocol, allowing security professionals to analyze Active Directory attack paths using natural language instead of complex Cypher queries.