{"id":33193652,"url":"https://github.com/dhondta/appmemdumper","last_synced_at":"2026-01-17T12:00:48.431Z","repository":{"id":47134969,"uuid":"93773338","full_name":"dhondta/AppmemDumper","owner":"dhondta","description":"Forensics triage tool relying on Volatility and Foremost","archived":true,"fork":false,"pushed_at":"2023-12-03T19:43:19.000Z","size":103,"stargazers_count":24,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2024-09-26T10:19:07.889Z","etag":null,"topics":["automation","ctf-tools","foremost","forensics","security-tools","tinyscript","tool","triage","volatility"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dhondta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-06-08T17:06:49.000Z","updated_at":"2023-12-03T19:43:46.000Z","dependencies_parsed_at":"2024-01-12T03:36:21.656Z","dependency_job_id":"a6ab1fdd-2eea-4ded-80d4-f34378ea5be2","html_url":"https://github.com/dhondta/AppmemDumper","commit_stats":{"total_commits":82,"total_committers":1,"mean_commits":82.0,"dds":0.0,"last_synced_commit":"f77a80349f0682fed797c5dfe594a65ed9322026"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/dhondta/AppmemDumper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhondta%2FAppmemDumper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhondta%2FAppmemDumper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhondta%2FAppmemDumpe
r/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhondta%2FAppmemDumper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dhondta","download_url":"https://codeload.github.com/dhondta/AppmemDumper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dhondta%2FAppmemDumper/sbom","scorecard":{"id":340458,"data":{"date":"2025-08-11","repo":{"name":"github.com/dhondta/AppmemDumper","commit":"9d6ddb720a05ad138c33d1fbc91863df590f25eb"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"project is archived","details":["Warn: Repository is archived."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not 
detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection 
settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}}]},"last_synced_at":"2025-08-18T05:40:57.125Z","repository_id":47134969,"created_at":"2025-08-18T05:40:57.125Z","updated_at":"2025-08-18T05:40:57.125Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28508464,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T11:50:55.898Z","status":"ssl_error","status_checked_at":"2026-01-17T11:50:55.569Z","response_time":85,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","ctf-tools","foremost","forensics","security-tools","tinyscript","tool","triage","volatility"],"created_at":"2025-11-16T07:00:31.294Z","updated_at":"2026-01-17T12:00:48.407Z","avatar_url":"https://github.com/dhondta.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"4d2a33083a894d6e6ef01b360929f30a\"\u003e\u003c/a\u003eVolatility"],"sub_categories":[],"readme":"[![PyPi](https://img.shields.io/pypi/v/appmemdumper.svg)](https://pypi.python.org/pypi/appmemdumper/)\n[![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.804958.svg)](https://doi.org/10.5281/zenodo.804958)\n[![Python Versions](https://img.shields.io/pypi/pyversions/appmemdumper.svg)](https://pypi.python.org/pypi/appmemdumper/)\n[![Known 
Vulnerabilities](https://snyk.io/test/github/dhondta/AppmemDumper/badge.svg?targetFile=requirements.txt)](https://snyk.io/test/github/dhondta/AppmemDumper?targetFile=requirements.txt)\n[![License](https://img.shields.io/pypi/l/appmemdumper.svg)](https://pypi.python.org/pypi/appmemdumper/)\n\n\n## Introduction\n\nThis tool automates the search for forensic artifacts in memory dumps, based on [Volatility](https://github.com/volatilityfoundation/volatility/), for a series of common Windows applications. It aims to facilitate triage when handling multiple forensic images.\n\nIt can also open multiple archive formats. In case of an archive, the tool will extract all its files to a temporary directory and then try to open each file as a memory dump (except files named `README` or `README.md`).\n\n\n## System Requirements\n\nThis framework was tested on Ubuntu 18.04 with Python 2.7. It relies on Foremost and Volatility:\n\n```sh\n$ sudo apt-get install foremost\n$ git clone https://github.com/volatilityfoundation/volatility /tmp/vol-setup\n$ cd /tmp/vol-setup \u0026\u0026 sudo python setup.py install\n```\n\n## Setup\n\n```sh\n$ pip install appmemdumper\n```\n\n\u003e **Behind a proxy?**\n\u003e \n\u003e Do not forget to add the option `--proxy=http://[user]:[pwd]@[host]:[port]` to your pip command.\n\n\n## Quick Start\n\n1. Help\n\n ```sh\n$ app-mem-dumper --help\nAppMemDumper 2.4.3\nAuthor   : Alexandre D'Hondt\nCopyright: © 2020 A. D'Hondt\nLicense  : GNU Affero General Public License v3.0\n\nThis tool automates the research of some artifacts for forensics purpose in memory dumps based upon Volatility for a\n series of common Windows applications.\n\nIt can also open multiple archive formats (it uses pyunpack). 
In case of an archive, the tool will extract all its files\n to a temporary directory and then try to open each file as a memory dump.\n\nusage: ./app-mem-dumper [-a APPS] [-s SYST] [-f] [-p PLUGINS]\n                        [--profile PROFILE] [-d DUMP_DIR] [-t TEMP_DIR] [-u]\n                        [-h] [--help] [-v]\n                        dump\n\npositional arguments:\n  dump  memory dump file path\n\n\napplication/system dumpers:\n  -a APPS  comma-separated list of integers designating applications to be parsed\n            Currently supported: \n\n             [0] AdobeReader             [8] Notepad\n             [1] Chrome                  [9] OpenOffice\n             [2] Firefox                 [10] PDFLite\n             [3] FoxitReader             [11] SumatraPDF\n             [4] InternetExplorer        [12] Thunderbird\n             [5] KeePass                 [13] TrueCrypt\n             [6] MSPaint                 [14] Wordpad\n             [7] MediaPlayerClassic    \n            (default: all)\n  -s SYST  comma-separated list of integers designating system items to be parsed\n            Currently supported: \n\n             [0] Autoruns                [9] Malfind\n             [1] Clipboard               [10] Mimikatz\n             [2] CommandLines            [11] NetworkConnections\n             [3] CriticalProcessesInfo   [12] ProcessesInfo\n             [4] Devices                 [13] Registry\n             [5] DumpInfo                [14] Timeline\n             [6] FilesList               [15] UserActivities\n             [7] Kernel                  [16] UserHashes\n             [8] LsaSecrets            \n            (default: none)\n\nvolatility options:\n  -f, --force           force profile search, do not use cached profile (default: False)\n  -p PLUGINS, --plugins-dir PLUGINS\n                        path to custom plugins (default: None)\n  --profile PROFILE     force Volatility profile (default: None)\n                         NB: has 
the precedence on -f/--force\n\noutput options:\n  -d DUMP_DIR, --dump-dir DUMP_DIR\n                        dump directory (default: files)\n  -t TEMP_DIR, --temp-dir TEMP_DIR\n                        temporary directory for decompressed images (default: .temp)\n  -u, --update          update previous dump directories (default: False)\n\nextra arguments:\n  -h             show usage message and exit\n  --help         show this help message and exit\n  -v, --verbose  verbose mode (default: False)\n\nUsage examples:\n  ./app-mem-dumper memory.dmp\n  ./app-mem-dumper my-dumps.tar.gz\n  ./app-mem-dumper dumps.zip -a none -s all\n  ./app-mem-dumper dump.raw -a 1,2,4 -f\n  ./app-mem-dumper dump.mem -a 0,3,10,11 -s 0\n  ./app-mem-dumper dump.raw -v --profile Win7SP1x86\n\n ```\n \n2. Example of output\n\n ```sh\n$ app-mem-dumper memory.dump -v -p plugins\n[appmemdumper] XX:XX:XX [DEBUG] Attempting to decompress 'memory.dump'...\n[appmemdumper] XX:XX:XX [DEBUG] Not an archive, continuing...\n[appmemdumper] XX:XX:XX [DEBUG] Setting output directory to 'files/memory.dump'...\n[appmemdumper] XX:XX:XX [INFO] Opening dump file 'memory.dump'...\n[appmemdumper] XX:XX:XX [INFO] Getting profile...\n[appmemdumper] XX:XX:XX [INFO] Getting processes...\n[appmemdumper] XX:XX:XX [DEBUG] \u003e Executing command 'pslist'...\n[appmemdumper] XX:XX:XX [DEBUG] Found       : mspaint.exe\n[appmemdumper] XX:XX:XX [DEBUG] Not handled : audiodg.exe, csrss.exe, dllhost.exe, [...]\n[appmemdumper] XX:XX:XX [DEBUG] Profile: Win7SP0x86\n[appmemdumper] XX:XX:XX [INFO] Processing dumper 'dumpinfo'...\n[appmemdumper] XX:XX:XX [INFO] Processing dumper 'mspaint'...\n[appmemdumper] XX:XX:XX [DEBUG] Dumping for PID XXXX\n[appmemdumper] XX:XX:XX [DEBUG] \u003e Calling command 'memdump'...\n[appmemdumper] XX:XX:XX [DEBUG] \u003e\u003e volatility --plugins=/path/to/plugins --file=[...]\n[appmemdumper] XX:XX:XX [INFO] \u003e /path/to/files/memory.dump/mspaint-2640-memdump.data\n[appmemdumper] XX:XX:XX [WARNING] 
\nThe following applies to collected objects of:\n- mspaint\n\nRaw data (.data files) requires manual handling ;\nFollow this procedure:\n1. Open the collected resources with Gimp\n2. Set the width and height to the expected screen resolution\n3. Set another color palette than 'RVB'\nRestart this procedure by setting other parameters for width|height|palette.\n\n ```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhondta%2Fappmemdumper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdhondta%2Fappmemdumper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdhondta%2Fappmemdumper/lists"}