Linux Forensics: Memory Capture and Analysis

In my previous posts I often covered many tools and techniques that allows memory acquisition from a Windows system. However, I written few articles about Linux memory acquisition and analysis, only one brief post regarding memory profiles generation on Linux, using LiME.

So, today I’d like to share with you this good video by 13Cubed, titled “Linux Memory Forensics – Memory Capture and Analysis“.

The tutorial explains how to use Microsoft’s AVML [2] to acquire memory, then refers to my article [3] about profile generation, finally it give an overview about analysis using Volatility:

Commands Used in This Episode

Download and run AVML to create memory capture:
sudo ./avml memory.dmp

Download Volatility:
git clone https://github.com/volatilityfoundation/volatility

Build custom Volatility profile based upon specific Linux kernel version in use:
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show current kernel version)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]

Install custom Volatility profile:
mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux

Run Volatility, specifying custom profile, and point at the AVML memory capture:
./vol.py --info | more (verify profile is available)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]

Really useful!


References

  1. Linux Memory Forensics – Memory Capture and Analysis
  2. AVML (Acquire Volatile Memory for Linux) – A portable volatile memory acquisition tool for Linux.
  3. How to generate a Volatility profile for a Linux system

Related posts

  1. FAMA: Forensic Analysis For Mobile Apps
  2. Digital Forensic Basics: an analysis methodology flow chart
  3. How to extract sysdiagnose logs for forensic purposes on iOS
  4. Technology Roundup #16
  5. Backdoorplz, a privilege escalation tool for Windows