Volatility3 MCP server

Volatility3 MCP Server connects MCP clients like Claude Desktop with Volatility3, the memory forensics framework. This integration enables users and LLMs to analyze memory dumps, detect malware, and perform sophisticated memory forensics tasks through a simple, conversational interface without requiring specialized knowledge.

Installation

Prerequisites

First, clone the repository and set up the environment:

python -m venv environ
source environ/bin/activate
pip install -r requirements.txt

Usage Options

You can use the Volatility3 MCP Server in two different ways:

Option 1: With Claude Desktop

1. Configure Claude Desktop by editing the configuration file:
   • Navigate to Claude → Settings → Developer → Edit Config → claude_desktop_config.json
   • Add the following configuration:

{
    "mcpServers": {
    "volatility3": {
        "command": "absolute/path/to/virtual/environment/bin/python3",
        "args": [
        "absolute/path/to/bridge_mcp_volatility.py"
        ]
    }
    }
}

2. Restart Claude Desktop to apply the changes
3. Begin analyzing memory dumps through the Claude interface

Option 2: With Cursor (SSE Server)

1. Start the SSE server:

python3 start_sse_server.py

2. Configure Cursor to use the SSE server:

   • Open Cursor settings
   • Navigate to Features → MCP Servers
   • Add a new MCP server with the URL http://127.0.0.1:8080/sse

3. Use the Cursor Composer in agent mode to begin analyzing memory dumps

Available Tools

The Volatility3 MCP Server provides access to several memory forensics tools:

Core Functions

• initialize_memory_file: Set up a memory dump file for analysis
• detect_os: Identify the operating system of the memory dump
• list_plugins: Display all available Volatility3 plugins
• get_plugin_info: Get detailed information about a specific plugin
• run_plugin: Execute any Volatility3 plugin with custom arguments

Analysis Tools

• get_processes: List all running processes in the memory dump
• get_network_connections: View all network connections from the system
• list_process_open_handles: Examine files and resources accessed by a process
• scan_with_yara: Scan memory for malicious patterns using YARA rules

Features

• Analyze Windows and Linux memory dumps using various plugins
• Inspect running processes, examine their details, and identify suspicious activity
• Examine network connections to detect command and control servers
• Cross-platform support for Windows and Linux memory dumps
• Scan memory with YARA rules to identify known malware signatures

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.