MemDiver
Interactive platform for identifying and analyzing data structures in memory dumps.
Note: MemDiver is the research artifact accompanying a submission to the IMF conference (IT Security Incident Management & IT Forensics). The accompanying study analyzed ~30K memory dumps across 13 TLS libraries (TLS 1.2 and 1.3) to answer a concrete forensic question: which TLS secrets survive in process memory, and for how long?
What it does
MemDiver is a browser-based workbench for exploring binary memory dumps. A FastAPI backend drives a React, IDA Pro-style dockable workspace; an optional Marimo sandbox hosts deeper research workflows; and an MCP server exposes the same analysis engine to AI assistants. The engine combines known-key search, entropy scanning, change-point detection, structural parsing, and cross-run differential analysis to locate and classify data structures (such as TLS key material) in a dump.
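Two of the primitives named above, entropy scanning and known-key search, are small enough to show end to end. The block below is an added example written for this page, not MemDiver's own code or API; the dump is a constructed byte buffer (zeros, one HTTP request line, one 32-byte stand-in secret), and the window size, step and threshold are assumptions chosen for that buffer rather than values the project documents.

```python
import math
from collections import Counter

# Constructed "memory dump" for the example: 8 KiB of zeros with one HTTP
# request at 0x100 and a 32-byte stand-in secret at an unaligned offset.
# It is not a real process dump.
SECRET = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)
SECRET_OFFSET = 4096 + 37
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
TEXT_OFFSET = 256

_buf = bytearray(8192)
_buf[TEXT_OFFSET:TEXT_OFFSET + len(TEXT)] = TEXT
_buf[SECRET_OFFSET:SECRET_OFFSET + len(SECRET)] = SECRET
DUMP = bytes(_buf)


def shannon_entropy(window: bytes) -> float:
    """Shannon entropy in bits per byte. A window of n bytes can score at
    most log2(n), so thresholds only make sense relative to the window size."""
    n = len(window)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())


def entropy_scan(dump: bytes, window: int = 32, step: int = 8,
                 threshold: float = 4.5) -> list[tuple[int, float]]:
    """Slide a window over the dump and keep (offset, entropy) for windows at
    or above the threshold. With 32-byte windows the ceiling is 5.0 bits;
    random key material lands around 4.7-4.9, English/ASCII text around
    4.0-4.4 (assumed rule of thumb, which is why 4.5 is used here)."""
    hits = []
    for off in range(0, len(dump) - window + 1, step):
        h = shannon_entropy(dump[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return hits


def merge_hits(hits: list[tuple[int, float]], window: int) -> list[tuple[int, int]]:
    """Collapse overlapping high-entropy windows into candidate regions
    as half-open (start, end) byte ranges."""
    regions: list[tuple[int, int]] = []
    for off, _ in hits:
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions


def known_key_search(dump: bytes, key: bytes) -> list[int]:
    """Every offset at which a known key occurs verbatim (overlaps included).
    This is the ground-truth check: if the key is known, entropy is not needed."""
    offsets, start = [], 0
    while (i := dump.find(key, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def wipe(dump: bytes, key: bytes) -> bytes:
    """Simulate a library zeroising a secret, to show the search going negative."""
    return dump.replace(key, b"\x00" * len(key))


if __name__ == "__main__":
    regions = merge_hits(entropy_scan(DUMP), window=32)
    print("high-entropy regions:", [(hex(s), hex(e)) for s, e in regions])
    print("known key at:", [hex(o) for o in known_key_search(DUMP, SECRET)])
    print("after wipe:", known_key_search(wipe(DUMP, SECRET), SECRET))
```

The entropy pass is the discovery tool (it flags the secret's neighbourhood without knowing the secret), while the known-key pass is the confirmation tool the study question actually needs: run it against a dump taken after the handshake, after connection close, and after the library's cleanup hook, and the offsets that are still non-empty are the secrets that survived.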
Get started
- Install MemDiver and run the web UI, CLI, MCP server, or experiment harness in under five minutes.
- Tour the workspace, learn the CLI, wire the MCP server into Claude Code, and reproduce the hero screenshots.
- Walk through the ten subsystems: core, engine, harvester, msl, architect, algorithms, api, mcp_server, ui, frontend.
- Reference pages for the eight detection algorithms and nine visualization views shipped today.
At a glance
| Surface | Count | Location |
|---|---|---|
| Detection algorithms | 8 | |
| CLI subcommands | 20 | |
| FastAPI routers | 12 + WebSocket | |
| MCP tools | 15 | |
| Exporters | YARA · JSON · Volatility3 | |
| Dump backends | | |
| Visualization views | 4 SPA + 5 research-mode (Marimo) | |
Under the hood: DuckDB ProjectDB, .memdiver SessionStore, Welford incremental consensus, Aho-Corasick multi-pattern scan, Kaitai Struct parsing, ASLR-aware region alignment, auto-discovered KDF plugins, BYO decryption oracles, first-class Volatility3 plugin emission.