
Profile: modules/memory/all-memory.toml

Source

  • Original path: profiles/modules/memory/all-memory.toml

Profile (TOML)

# All Memory Compound Module
# Aggregates the individual memory-artifact modules (memory dumps, hibernation
# files) and adds a few virtual-machine memory-file patterns of its own.

[module]
name = "All Memory Artifacts"
description = "Comprehensive memory artifact collection (dumps, hibernation, swap)"
category = "memory"
platform = ["windows", "linux", "macos"]
priority = "critical"

# Sibling profile files pulled into this compound module.
# NOTE(review): these are bare filenames — presumably resolved relative to this
# profile's own directory (profiles/modules/memory/); confirm against the loader.
includes = [
  "dumps.toml",
  "hibernation.toml",
]

# Additional memory-related patterns.
# Every entry is an anchored, case-insensitive regex on the file name's
# extension; the literal-string form ('...') is used so the regex needs no
# TOML escaping.

# VMware guest memory (.vmem), snapshot (.vmsn) and suspend (.vmss) files.
[[patterns]]
name = "Virtual Memory File"
type = "regex"
case-insensitive = true
pattern = '\.(?:vmem|vmsn|vmss)$'

# Hyper-V saved-state (.vsv) files.
[[patterns]]
name = "Hyper-V Memory"
type = "regex"
case-insensitive = true
pattern = '\.vsv$'

# QEMU images. Note that .qcow/.qcow2 and .raw are generic disk-image
# extensions, so this pattern matches any such image, not only memory
# snapshots — expect false positives in an image-heavy corpus; confirm intent.
[[patterns]]
name = "QEMU Memory"
type = "regex"
case-insensitive = true
pattern = '\.(?:qcow2?|raw)$'

# Signatures for memory artifacts.
# Flags any file (by sha256) that was hit by more than two distinct
# memory-related patterns. The match is a substring test on pattern_name, so it
# also picks up patterns from other modules whose names happen to contain
# "Memory", "Dump", "Hibernation", "Swap" or "Page".
# NOTE(review): HAVING references the SELECT alias memory_artifacts and LIKE
# case-sensitivity is backend-dependent — both behave as intended on SQLite;
# confirm for the actual query engine.
[[signatures]]
name = "Multiple Memory Artifacts"
query = """\
SELECT sha256, COUNT(DISTINCT pattern_name) as memory_artifacts \
FROM pattern_matches \
WHERE pattern_name LIKE '%Memory%' \
OR pattern_name LIKE '%Dump%' \
OR pattern_name LIKE '%Hibernation%' \
OR pattern_name LIKE '%Swap%' \
OR pattern_name LIKE '%Page%' \
GROUP BY sha256 \
HAVING memory_artifacts > 2\
"""