Michael Ligh is a reverse engineer and memory forensics expert with 14 years of experience focused on vulnerability research, malware cryptography, and large-scale forensic investigations. As a core developer and longtime contributor to the Volatility Framework (including Volatility 3), he has built and refactored critical Windows memory analysis plugins used widely in incident response and research. He has held senior roles in industry—Director of Malware Research, Senior Security Intelligence Engineer, and Chief of Special Projects—where he developed password recovery and decryption utilities and led complex global investigations. Co-author of Malware Analyst's Cookbook and The Art of Memory Forensics, he combines practical tool-building with deep technical writing and training, and serves as Secretary/Treasurer of The Volatility Foundation. Notably, his published work includes the original Zeus analysis and the first public DGA predictor for Conficker, reflecting a track record of turning cutting-edge research into usable defensive capabilities. Based in New York, he blends hands-on engineering, open-source stewardship, and instructor-level mentorship in malware and memory forensics.
Contributions:904 commits, 25 PRs, 187 pushes in 9 years 5 months
Contributions summary:Michael's contributions centered on enhancing the Volatility framework's memory forensics capabilities by modifying the Windows and Linux plugins, adding new plugins for improved data extraction. Their work involved fixing bugs in existing plugins and implementing support for new features. The user's focus appears to be on improving the framework's ability to analyze and extract relevant data from memory samples.
Contributions:21 reviews, 12 commits, 22 PRs in 2 years 11 months
Contributions summary:Michael contributed significantly to the Volatility 3 framework by implementing and enhancing various plugins for memory analysis. Their work included creating the windows dlllist, hivelist, modules, and handles plugins, allowing for the extraction of critical information from memory dumps. Further enhancements included refactoring the code to use modules rather than classes, and updating the code with windows extensions. The user also added a windows callbacks plugin and improved existing plugins.
memoryrampythonincident-responseforensics
Find and Hire Top DevelopersWe’ve analyzed the programming source code of over 60 million software developers on GitHub and scored them by 50,000 skills. Sign-up on Prog,AI to search for software developers.