MemDiver Logo

Getting started

  • Quick start
    • Install
      • Web UI quickstart
        • What you see
        • Dataset layout expected by the wizard
        • API docs
      • CLI quickstart
        • Complete subcommand list
      • MCP server quickstart
        • Stdio (default — recommended for Claude Desktop / Claude Code)
        • Server-Sent Events transport
        • Claude Desktop / Claude Code configuration
        • Tool catalogue
        • Security notes
      • Experiment quickstart
        • Backends
        • First experiment
        • Layout produced

User guide

  • Web UI tour
    • Session landing
    • Wizard — select data
    • Wizard — analysis algorithms
    • Workspace — default layout
    • Hex viewer with structure overlay
    • Entropy profile
    • Consensus view
    • Pipeline — oracle stage
    • Pipeline — run dashboard
    • Pipeline — results
    • Theme triptych
    • Keyboard shortcuts
  • CLI reference
    • Positional Arguments
    • Sub-commands
      • ui
        • Positional Arguments
      • analyze
        • Positional Arguments
        • Named Arguments
      • scan
        • Named Arguments
      • mcp
        • Named Arguments
      • batch
        • Named Arguments
      • web
        • Named Arguments
      • app
      • consensus
        • Positional Arguments
        • Named Arguments
      • consensus-begin
        • Named Arguments
      • consensus-add
        • Positional Arguments
        • Named Arguments
      • consensus-finalize
        • Named Arguments
      • search-reduce
        • Named Arguments
      • brute-force
        • Named Arguments
      • n-sweep
        • Named Arguments
      • emit-plugin
        • Named Arguments
      • export
        • Positional Arguments
        • Named Arguments
      • import
        • Positional Arguments
        • Named Arguments
      • import-dir
        • Positional Arguments
        • Named Arguments
      • verify
        • Positional Arguments
        • Named Arguments
      • experiment
        • Named Arguments
  • MCP tool reference
    • Dataset inspection
    • Analysis
    • Dump inspection
    • Format conversion
    • Pipeline stages

Architecture

  • Architecture
    • core/
    • engine/
      • Pipelines
      • Consensus
      • Brute force & sweep
      • Oracle & verification
      • Exports
      • Persistence
      • Concurrency
    • harvester/
    • msl/
    • architect/
    • algorithms/
      • Interface
      • Discovery
    • api/
      • Routers
      • Progress bus
      • Persistence
      • Middleware
      • OpenAPI
    • mcp_server/
    • ui/
      • When to prefer Marimo
      • When to prefer the React SPA
    • frontend/
      • Stack
      • Top-level views
      • Workspace layout
      • Build
      • State stores

Reference

  • Algorithms
    • Contracts
      • exact_match
        • Inputs
        • Output
        • When to use
      • entropy_scan
        • Parameters (read from context.extra)
        • Output
      • change_point
        • Parameters (read from context.extra)
        • Output
      • differential
        • Parameters (read from context.extra)
        • Output
      • constraint_validator
        • Parameters (read from context.extra)
        • Output
      • user_regex
        • Parameters (read from context.extra)
        • When to use
      • pattern_match
        • JSON pattern schema
      • structure_scan
        • When to use
        • Output
        • Note
  • Visualization views
    • Hex viewer
      • Color classifications
      • Overlays
    • Entropy profile
    • Consensus view
    • Pattern Architect
      • Workflow
    • Key-presence heatmap
    • Cross-run variance map
    • Phase lifecycle
    • Cross-library comparison
    • Differential diff
  • Memory Slice (.msl) v1.1.0
    • Design goals
    • Constants
    • File header (64 bytes)
    • Block header (80 bytes)
    • Block type registry (spec Table 9)
  • Dataset layout
    • Filename regexes
    • Phase normalization
  • Oracle interface
    • Two accepted shapes
      • Shape 1 — stateless function
      • Shape 2 — stateful factory
    • Contract notes
    • Ready-made templates
  • Oracle Examples
    • generic_aes_gcm.py — stateless AES-GCM
    • gocryptfs.py — stateful factory, HKDF-SHA256 + per-block AEAD
    • tls13_stub.py — TLS 1.3 traffic-secret verification scaffold
  • Python API reference
    • algorithms.base
      • AnalysisContext
        • AnalysisContext.library
        • AnalysisContext.protocol_version
        • AnalysisContext.phase
        • AnalysisContext.secrets
        • AnalysisContext.extra
        • AnalysisContext.tls_version
        • AnalysisContext.__init__()
      • Match
        • Match.offset
        • Match.length
        • Match.confidence
        • Match.label
        • Match.data
        • Match.metadata
        • Match.__init__()
      • AlgorithmResult
        • AlgorithmResult.algorithm_name
        • AlgorithmResult.confidence
        • AlgorithmResult.matches
        • AlgorithmResult.metadata
        • AlgorithmResult.__init__()
      • BaseAlgorithm
        • BaseAlgorithm.name
        • BaseAlgorithm.description
        • BaseAlgorithm.mode
        • BaseAlgorithm.run()
      • AlgorithmRegistry
        • AlgorithmRegistry.__init__()
        • AlgorithmRegistry.discover()
        • AlgorithmRegistry.get()
        • AlgorithmRegistry.list_all()
        • AlgorithmRegistry.list_by_mode()
        • AlgorithmRegistry.names
      • get_registry()
    • core.models
      • deprecated_kwarg()
      • CryptoSecret
        • CryptoSecret.secret_type
        • CryptoSecret.identifier
        • CryptoSecret.secret_value
        • CryptoSecret.protocol
        • CryptoSecret.client_random
        • CryptoSecret.__init__()
      • TLSSecret
      • KeyOccurrence
        • KeyOccurrence.offset
        • KeyOccurrence.secret
        • KeyOccurrence.context_before
        • KeyOccurrence.key_bytes
        • KeyOccurrence.context_after
        • KeyOccurrence.context_start_offset
        • KeyOccurrence.__init__()
      • DumpFile
        • DumpFile.path
        • DumpFile.timestamp
        • DumpFile.phase_prefix
        • DumpFile.phase_name
        • DumpFile.canonical_phase
        • DumpFile.kind
        • DumpFile.full_phase
        • DumpFile.canonical_or_raw
        • DumpFile.__init__()
      • RunDirectory
        • RunDirectory.path
        • RunDirectory.library
        • RunDirectory.protocol_version
        • RunDirectory.run_number
        • RunDirectory.dumps
        • RunDirectory.secrets
        • RunDirectory.secret_source
        • RunDirectory.phase_mappings
        • RunDirectory.meta
        • RunDirectory.tls_version
        • RunDirectory.get_dump_for_phase()
        • RunDirectory.available_phases()
        • RunDirectory.__init__()
      • ComparisonRegion
        • ComparisonRegion.secret_type
        • ComparisonRegion.key_length
        • ComparisonRegion.context_size
        • ComparisonRegion.run_data
        • ComparisonRegion.__init__()
        • ComparisonRegion.run_labels
        • ComparisonRegion.run_offsets
    • core.entropy
      • entropy_from_freq()
      • shannon_entropy()
      • compute_entropy_profile()
      • find_high_entropy_regions()
    • core.kdf
      • TLS12PRF
        • TLS12PRF.p_hash()
        • TLS12PRF.prf()
        • TLS12PRF.derive_master_secret()
        • TLS12PRF.derive_key_block()
      • TLS13HKDF
        • TLS13HKDF.hkdf_extract()
        • TLS13HKDF.hkdf_expand()
        • TLS13HKDF.hkdf_expand_label()
        • TLS13HKDF.derive_secret()
      • KDFParams
        • KDFParams.hash_algo
        • KDFParams.key_lengths
        • KDFParams.labels
        • KDFParams.context
        • KDFParams.extra
        • KDFParams.__init__()
      • BaseKDF
        • BaseKDF.name
        • BaseKDF.protocol
        • BaseKDF.versions
        • BaseKDF.derive()
        • BaseKDF.expand_traffic_secret()
        • BaseKDF.validate_pair()
        • BaseKDF.supported_secret_types()
      • KDFRegistry
        • KDFRegistry.__init__()
        • KDFRegistry.discover()
        • KDFRegistry.get()
        • KDFRegistry.get_for_protocol()
        • KDFRegistry.list_all()
      • get_kdf_registry()
    • core.variance
      • ByteClass
        • ByteClass.INVARIANT
        • ByteClass.STRUCTURAL
        • ByteClass.POINTER
        • ByteClass.KEY_CANDIDATE
        • ByteClass.__new__()
      • compute_variance()
      • WelfordVariance
        • WelfordVariance.__init__()
        • WelfordVariance.num_dumps
        • WelfordVariance.size
        • WelfordVariance.add_dump()
        • WelfordVariance.variance()
        • WelfordVariance.reset()
        • WelfordVariance.state_arrays()
        • WelfordVariance.from_state()
      • classify_variance()
      • find_contiguous_runs()
      • count_classifications()
      • PhaseMapping
        • PhaseMapping.raw_phase
        • PhaseMapping.canonical_phase
        • PhaseMapping.timestamp
        • PhaseMapping.dump_file
        • PhaseMapping.__init__()
      • PhaseNormalizer
        • PhaseNormalizer.KEY_UPDATE_NAMES
        • PhaseNormalizer.CLEANUP_NAMES
        • PhaseNormalizer.normalize_run()
        • PhaseNormalizer.available_canonical_phases()
        • PhaseNormalizer.get_canonical_display()
    • engine.pipeline
      • AnalysisPipeline
        • AnalysisPipeline.__init__()
        • AnalysisPipeline.analyze_library()
        • AnalysisPipeline.run()
    • engine.oracle
      • Oracle
        • Oracle.verify()
        • Oracle.__init__()
      • OracleLoadError
      • load_oracle_config()
      • load_oracle()
    • engine.consensus
      • ConsensusVector
        • ConsensusVector.__init__()
        • ConsensusVector.classifications
        • ConsensusVector.build()
        • ConsensusVector.build_from_sources()
        • ConsensusVector.build_incremental()
        • ConsensusVector.add_source()
        • ConsensusVector.get_live_variance()
        • ConsensusVector.welford_state()
        • ConsensusVector.finalize()
        • ConsensusVector.get_static_regions()
        • ConsensusVector.get_volatile_regions()
        • ConsensusVector.get_aligned_candidates()
        • ConsensusVector.classification_counts()
      • ConsensusMatrix
      • ByteClass
        • ByteClass.INVARIANT
        • ByteClass.STRUCTURAL
        • ByteClass.POINTER
        • ByteClass.KEY_CANDIDATE
        • ByteClass.__new__()
    • harvester
      • DumpIngestor
        • DumpIngestor.__init__()
        • DumpIngestor.scan()
        • DumpIngestor.dataset_info
        • DumpIngestor.load_library_runs()
        • DumpIngestor.load_dump_data()
        • DumpIngestor.get_dump_paths_for_phase()
        • DumpIngestor.list_libraries()
        • DumpIngestor.list_scenarios()
      • SidecarParser
        • SidecarParser.SIDECAR_EXTENSIONS
        • SidecarParser.find_sidecar()
        • SidecarParser.parse()
      • MetadataStore
        • MetadataStore.__init__()
        • MetadataStore.add_run()
        • MetadataStore.get_runs_for_library()
        • MetadataStore.summary()
        • MetadataStore.filter_by()
    • msl
      • MslReader
        • MslReader.__init__()
        • MslReader.open()
        • MslReader.close()
        • MslReader.file_header
        • MslReader.iter_blocks()
        • MslReader.read_bytes()
        • MslReader.read_block_payload()
        • MslReader.collect_regions()
        • MslReader.collect_key_hints()
        • MslReader.collect_modules()
        • MslReader.collect_process_identity()
        • MslReader.collect_vas_map()
        • MslReader.collect_related_dumps()
        • MslReader.collect_end_of_capture()
        • MslReader.collect_import_provenance()
        • MslReader.collect_module_list_index()
        • MslReader.collect_processes()
        • MslReader.collect_connections()
        • MslReader.collect_handles()
        • MslReader.collect_connectivity_tables()
        • MslReader.collect_thread_contexts()
        • MslReader.collect_file_descriptors()
        • MslReader.collect_network_connections()
        • MslReader.collect_environment_blocks()
        • MslReader.collect_security_tokens()
        • MslReader.collect_system_context()
      • MslWriter
        • MslWriter.__init__()
        • MslWriter.dump_uuid
        • MslWriter.add_memory_region()
        • MslWriter.add_key_hint()
        • MslWriter.add_import_provenance()
        • MslWriter.add_related_dump()
        • MslWriter.add_end_of_capture()
        • MslWriter.write()
      • ImportResult
        • ImportResult.source_path
        • ImportResult.output_path
        • ImportResult.regions_written
        • ImportResult.key_hints_written
        • ImportResult.total_bytes
        • ImportResult.__init__()
      • import_raw_dump()
      • import_run_directory()
      • Endianness
        • Endianness.LITTLE
        • Endianness.BIG
        • Endianness.__new__()
      • HeaderFlag
        • HeaderFlag.IMPORTED
        • HeaderFlag.INVESTIGATION
        • HeaderFlag.ENCRYPTED
        • HeaderFlag.__new__()
      • BlockType
        • BlockType.INVALID
        • BlockType.MEMORY_REGION
        • BlockType.MODULE_ENTRY
        • BlockType.MODULE_LIST_INDEX
        • BlockType.THREAD_CONTEXT
        • BlockType.FILE_DESCRIPTOR
        • BlockType.NETWORK_CONNECTION
        • BlockType.ENVIRONMENT_BLOCK
        • BlockType.SECURITY_TOKEN
        • BlockType.KEY_HINT
        • BlockType.IMPORT_PROVENANCE
        • BlockType.PROCESS_IDENTITY
        • BlockType.RELATED_DUMP
        • BlockType.SYSTEM_CONTEXT
        • BlockType.PROCESS_TABLE
        • BlockType.CONNECTION_TABLE
        • BlockType.HANDLE_TABLE
        • BlockType.CONNECTIVITY_TABLE
        • BlockType.END_OF_CAPTURE
        • BlockType.VAS_MAP
        • BlockType.POINTER_GRAPH
        • BlockType.__new__()
      • BlockFlag
        • BlockFlag.COMPRESSED
        • BlockFlag.COMP_ZSTD
        • BlockFlag.COMP_LZ4
        • BlockFlag.HAS_KEY_HINTS
        • BlockFlag.HAS_CHILDREN
        • BlockFlag.CONTINUATION
        • BlockFlag.__new__()
      • CompAlgo
        • CompAlgo.NONE
        • CompAlgo.ZSTD
        • CompAlgo.LZ4
        • CompAlgo.__new__()
      • PageState
        • PageState.CAPTURED
        • PageState.FAILED
        • PageState.UNMAPPED
        • PageState.RESERVED
        • PageState.__new__()
      • Protection
        • Protection.READ
        • Protection.WRITE
        • Protection.EXECUTE
        • Protection.GUARD
        • Protection.COW
        • Protection.__new__()
      • RegionType
        • RegionType.UNKNOWN
        • RegionType.HEAP
        • RegionType.STACK
        • RegionType.IMAGE
        • RegionType.MAPPED_FILE
        • RegionType.ANONYMOUS
        • RegionType.SHARED_MEM
        • RegionType.OTHER
        • RegionType.__new__()
      • OSType
        • OSType.WINDOWS
        • OSType.LINUX
        • OSType.MACOS
        • OSType.ANDROID
        • OSType.IOS
        • OSType.FREEBSD
        • OSType.UNKNOWN
        • OSType.__new__()
      • ArchType
        • ArchType.X86
        • ArchType.X86_64
        • ArchType.ARM64
        • ArchType.ARM32
        • ArchType.UNKNOWN
        • ArchType.__new__()
      • MslKeyType
        • MslKeyType.UNKNOWN
        • MslKeyType.PRE_MASTER_SECRET
        • MslKeyType.MASTER_SECRET
        • MslKeyType.SESSION_KEY
        • MslKeyType.HANDSHAKE_SECRET
        • MslKeyType.APP_TRAFFIC_SECRET
        • MslKeyType.RSA_PRIVATE_KEY
        • MslKeyType.ECDH_PRIVATE_KEY
        • MslKeyType.IKE_SA_KEY
        • MslKeyType.ESP_AH_KEY
        • MslKeyType.SSH_SESSION_KEY
        • MslKeyType.WIREGUARD_KEY
        • MslKeyType.ML_KEM_PRIVATE_KEY
        • MslKeyType.OTHER
        • MslKeyType.__new__()
      • MslProtocol
        • MslProtocol.UNKNOWN
        • MslProtocol.TLS_12
        • MslProtocol.TLS_13
        • MslProtocol.DTLS_12
        • MslProtocol.DTLS_13
        • MslProtocol.QUIC
        • MslProtocol.IKEV2_IPSEC
        • MslProtocol.SSH
        • MslProtocol.WIREGUARD
        • MslProtocol.PQ_TLS
        • MslProtocol.OTHER
        • MslProtocol.__new__()
      • Confidence
        • Confidence.SPECULATIVE
        • Confidence.HEURISTIC
        • Confidence.CONFIRMED
        • Confidence.__new__()
      • KeyState
        • KeyState.UNKNOWN
        • KeyState.ACTIVE
        • KeyState.EXPIRED
        • KeyState.__new__()
      • HandleType
        • HandleType.UNKNOWN
        • HandleType.FILE
        • HandleType.DIR
        • HandleType.SOCKET
        • HandleType.PIPE
        • HandleType.MUTEX
        • HandleType.TIMER
        • HandleType.OTHER
        • HandleType.__new__()
      • ConnRowType
        • ConnRowType.IPV4_ROUTE
        • ConnRowType.IPV6_ROUTE
        • ConnRowType.ARP_ENTRY
        • ConnRowType.PACKET_SOCKET
        • ConnRowType.IFACE_STATS
        • ConnRowType.SOCKET_FAMILY_AGG
        • ConnRowType.MIB_COUNTER
        • ConnRowType.__new__()
    • architect exporters
      • PatternGenerator
        • PatternGenerator.generate()
        • PatternGenerator.find_anchors()
        • PatternGenerator.infer_fields()
      • YaraExporter
        • YaraExporter.export()
      • JsonExporter
        • JsonExporter.export()
        • JsonExporter.save()
        • JsonExporter.to_string()
      • Volatility3Exporter
        • Volatility3Exporter.export()
        • Volatility3Exporter.save()
    • mcp_server.tools
      • scan_dataset()
      • list_phases()
      • list_protocols()
      • analyze_library()
      • import_raw_dump()

Project

  • Contributing
    • Code style
    • Test taxonomy
    • Docs build
      • Adding an algorithm
        • 1. Choose a mode
        • 2. Subclass BaseAlgorithm
        • 3. Surface in the UI
        • 4. Test
      • Adding a decryption oracle
  • Release notes
  • Changelog
    • [Unreleased]
      • Changed
      • Added
      • Deferred follow-ups
    • [0.5.1] — 2026-04-14
  • Languages
    • Contributing a translation
MemDiver
  • Search

© Copyright 2026, Anonymous.