Gemini-Powered Volatility Analyzer
An AI-assisted triage tool combining standard memory forensics with LLM-based anomaly interpretation to speed up Incident Response.
Volatility Framework
Google Gemini API
LLM Integration
The Challenge
Memory forensics is a critical part of incident response, but analyzing memory dumps (RAM) using tools like Volatility requires significant manual effort. Analysts often have to sift through thousands of lines of output to find hidden malware, injected code, or suspicious parent-child process relationships. In high-pressure SOC environments, this manual analysis creates a bottleneck.
The Solution
I developed a Python-based automation wrapper that integrates the Volatility 3 framework with Google’s Gemini Pro Large Language Model (LLM).
- Automated Extraction: The tool automatically runs key plugins (pslist, netscan, malfind) to extract raw artifacts.
- LLM Analysis: The raw output is fed into Gemini with a specific system prompt designed to identify “anomalies” rather than just listing data.
- Risk Scoring: The tool assigns a risk score to processes based on heuristics (e.g., svchost.exe running from a temp folder).
def triage(dump_path):
    # Run a Volatility 3 plugin, hand its output to Gemini, and build the report
    raw_data = volatility.run_plugin('windows.pslist', dump_path)
    anomalies = gemini_client.analyze(raw_data, context="Find hidden processes")
    return report_generator(anomalies)
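The heuristic risk scoring described above, as an added example that is not the tool's own code: it scores process records by execution path and parent-child relationship (the svchost.exe-from-a-temp-folder case and unexpected parents). The record shape, the function names and the expected-parent table are assumptions of this example; in the real wrapper the records would be built from Volatility 3 plugin output.

```python
import re
from dataclasses import dataclass

# Defender heuristic: which parent a core Windows process is expected to have.
# This table is an assumption of the example, not Volatility output.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"},
    "services.exe": {"wininit.exe"}, "csrss.exe": {"smss.exe"},
}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
TEMP_RE = re.compile(r"\\(temp|tmp|appdata\\local\\temp)\\", re.IGNORECASE)

@dataclass
class Proc:
    """Minimal process record (pid, parent pid, image name, full path)."""
    pid: int
    ppid: int
    name: str
    path: str

def score_process(proc, by_pid):
    """Return (score 0-100, reasons) for one process given a pid -> Proc map."""
    score, reasons = 0, []
    name, path = proc.name.lower(), proc.path.lower()
    if TEMP_RE.search(path):
        score += 40; reasons.append("executable runs from a temp folder")
    if name in EXPECTED_PARENT:
        if not path.startswith(SYSTEM_DIRS):
            score += 30; reasons.append("system binary name outside System32")
        parent = by_pid.get(proc.ppid)
        parent_name = parent.name.lower() if parent else "<missing>"
        if parent_name not in EXPECTED_PARENT[name]:
            score += 30; reasons.append(f"unexpected parent {parent_name}")
    return min(score, 100), reasons

def score_all(procs):
    """Score every process; returns {pid: (score, reasons)}."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: score_process(p, by_pid) for p in procs}

# Constructed sample, not from a real dump: a normal boot chain plus one
# rogue svchost.exe copy running from a user's temp folder with a missing parent.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(500, 4, "smss.exe", "c:\\windows\\system32\\smss.exe"),
    Proc(600, 500, "csrss.exe", "c:\\windows\\system32\\csrss.exe"),
    Proc(700, 500, "wininit.exe", "c:\\windows\\system32\\wininit.exe"),
    Proc(800, 700, "services.exe", "c:\\windows\\system32\\services.exe"),
    Proc(900, 800, "svchost.exe", "c:\\windows\\system32\\svchost.exe"),
    Proc(1234, 3000, "svchost.exe", "c:\\users\\bob\\appdata\\local\\temp\\svchost.exe"),
]
```

Scores are only a triage aid for prioritising what the analyst (or the LLM prompt) looks at first; the legitimate svchost.exe scores 0 while the rogue copy scores 100 with three reasons.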
The Impact
This tool reduced the initial triage time for a 16GB memory dump from roughly 45 minutes of manual review to under 5 minutes of automated analysis. During testing it successfully identified simulated Cobalt Strike beacons that were attempting to hide using process hollowing techniques.