A browser-based memory forensics triage dashboard built with Next.js and bootstrapped with v0.
This tool takes a memory image file, exports it as CSV (one file per Volatility plugin) and automatically runs cross-file triage analysis to surface suspicious indicators across all major memory artifacts. It replaces the manual, plugin-by-plugin workflow with a single interactive dashboard.
| Module | What It Detects |
|---|---|
| Malfind | RWX memory regions, MZ headers, shellcode injection |
| Hidden Processes | PIDs in psscan but absent from pslist (DKOM rootkit) |
| Parent-Child Anomalies | Processes with unexpected parent processes |
| SSDT Hooks | Kernel-level hooks by non-standard modules |
| Network Connections | Suspicious ESTABLISHED connections from unusual processes |
| Cmdline Analysis | Encoded PowerShell, LOLBins, fileless execution, evasion flags |
| DLL Injection | DLLs loaded from temp/appdata paths or with no path (reflective) |
| Handle Analysis | Full-access handles to lsass.exe (credential dumping signals) |
| VAD Regions | Private anonymous executable memory with no backing file |
| Thread Inspection | Threads starting from suspicious paths |
| Driver Scan | Drivers with missing Service Keys |
| File Scan | Executables in temp/public/recycle paths |
Place the CSV files exported from your memory image (.mem/.raw) in the data folder. Files are auto-discovered by name pattern:

```
windows_pslist*.csv
windows_psscan*.csv
windows_pstree*.csv
windows_cmdline*.csv
windows_malfind*.csv
windows_ssdt*.csv
windows_netscan*.csv
windows_dlllist*.csv
windows_handles*.csv
windows_threads*.csv
windows_filescan*.csv
windows_driverscan*.csv
windows_registry_hivelist*.csv
windows_vadinfo*.csv
windows_info*.csv
```
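As an added example (not code from this repository), the Hidden Processes and Parent-Child Anomalies checks from the module table can be reproduced directly from the pslist and psscan exports. The CSV rows below are constructed, and the column names assume the Volatility 3 `-r csv` layout.

```python
import csv
import io

# Constructed sample exports in the Volatility 3 CSV layout; the column
# names follow the real plugins, the rows are made up for this example.
PSLIST_CSV = """TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xfa8000c5e040,88,500,N/A,False,2024-01-01 10:00:00,N/A,Disabled
0,520,4,smss.exe,0xfa8001a2b060,2,30,N/A,False,2024-01-01 10:00:01,N/A,Disabled
0,688,520,csrss.exe,0xfa8001b41b30,9,400,0,False,2024-01-01 10:00:02,N/A,Disabled
0,704,1400,svchost.exe,0xfa8001c01060,7,200,0,False,2024-01-01 10:00:05,N/A,Disabled
"""
# psscan carves _EPROCESS structures from pool memory, so it still sees a
# process that was unlinked from the active list (constructed PID 1868).
PSSCAN_CSV = PSLIST_CSV + """0,1868,2212,svchost.exe,0xfa8001f7c7a0,3,90,1,False,2024-01-01 10:05:00,N/A,Disabled
"""

# Expected parent for a few core Windows processes (hypothetical, minimal map).
EXPECTED_PARENT = {"smss.exe": "system", "csrss.exe": "smss.exe", "svchost.exe": "services.exe"}


def load(csv_text):
    """Parse a Volatility CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hidden_processes(pslist_rows, psscan_rows):
    """PIDs present in psscan but absent from pslist: a DKOM unlinking signal."""
    listed = {r["PID"] for r in pslist_rows}
    return [(r["PID"], r["ImageFileName"]) for r in psscan_rows if r["PID"] not in listed]


def parent_anomalies(pslist_rows):
    """Processes whose actual parent name differs from the expected lineage."""
    name_by_pid = {r["PID"]: r["ImageFileName"] for r in pslist_rows}
    findings = []
    for r in pslist_rows:
        expected = EXPECTED_PARENT.get(r["ImageFileName"].lower())
        if expected is None:
            continue  # no baseline for this image name
        actual = name_by_pid.get(r["PPID"], "<unknown>")
        if actual.lower() != expected:
            findings.append((r["PID"], r["ImageFileName"], r["PPID"], actual))
    return findings


if __name__ == "__main__":
    pslist, psscan = load(PSLIST_CSV), load(PSSCAN_CSV)
    print("hidden:", hidden_processes(pslist, psscan))
    print("parent anomalies:", parent_anomalies(pslist))
```

On the constructed input this flags PID 1868 as hidden and PID 704 (svchost.exe whose PPID 1400 is not services.exe) as a parent-child anomaly.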
Under the hood, the following commands generate those files:

```
vol -f memory.dmp -r csv windows.pslist > windows_pslist.csv
vol -f memory.dmp -r csv windows.psscan > windows_psscan.csv
vol -f memory.dmp -r csv windows.pstree > windows_pstree.csv
vol -f memory.dmp -r csv windows.malfind > windows_malfind.csv
vol -f memory.dmp -r csv windows.netscan > windows_netscan.csv
vol -f memory.dmp -r csv windows.cmdline > windows_cmdline.csv
vol -f memory.dmp -r csv windows.dlllist > windows_dlllist.csv
vol -f memory.dmp -r csv windows.handles > windows_handles.csv
vol -f memory.dmp -r csv windows.threads > windows_threads.csv
vol -f memory.dmp -r csv windows.filescan > windows_filescan.csv
vol -f memory.dmp -r csv windows.driverscan > windows_driverscan.csv
vol -f memory.dmp -r csv windows.ssdt > windows_ssdt.csv
vol -f memory.dmp -r csv windows.vadinfo > windows_vadinfo.csv
vol -f memory.dmp -r csv windows.registry.hivelist > windows_registry_hivelist.csv
vol -f memory.dmp -r csv windows.info > windows_info.csv
```

| Tab | Contents |
|---|---|
| Overview | Severity summary, findings charts, all-findings table with filter/sort |
| Processes | Hidden process diff, visual process tree, abnormal parent-child table |
| Network | External connection map, suspicious process connections, full netscan |
| Memory | Malfind RWX regions, VAD anonymous executable regions |
| Cmdline | Rule-tagged command line analysis with pattern matching |
| DLLs & Threads | Suspicious DLL paths, injected thread detection |
| Handles | lsass access detection, handle type breakdown |
| Drivers & Registry | Unsigned/keyless drivers, in-memory-only registry hives |
| Files | Filesystem scan with suspicious file filter |
Install dependencies:

```
npm install
# or
yarn install
# or
pnpm install
```

Run the development server:

```
npm run dev
# or
yarn dev
# or
pnpm dev
```

Open http://localhost:3000, upload the memory image file, wait for the analysis to finish, then navigate to /forensics.
You must also start the backend server, which the dashboard needs in order to run the tool. A standalone CLI version (server.py & memory_triage.py) is also included for terminal-based analysis:

See here for installing vol as a command-line tool.

```
git clone https://github.com/variablevar/bug-free-happiness.git
cd bug-free-happiness
# optional
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python server.py
```

Outputs of memory_triage.py:

- triage_report.csv — all findings ranked by severity
- findings_by_severity.png
- findings_by_category.png
- top_pids.png
- Next.js 14 — App Router
- Tailwind CSS — Styling
- Recharts — Charts
- PapaParse — CSV parsing
- v0 — UI generation
This repository is linked to a v0 project. Start new chats to make changes — v0 will push commits directly to this repo. Every merge to main deploys automatically.