Linux Forensics: Memory Capture and Analysis

In my previous posts I have often covered tools and techniques that allow memory acquisition from a Windows system. However, I have written few articles about Linux memory acquisition and analysis: only one brief post about memory profile generation on Linux, using LiME.

So, today I'd like to share with you this good video by 13Cubed, titled "Linux Memory Forensics – Memory Capture and Analysis" [1].

The tutorial explains how to use Microsoft's AVML [2] to acquire memory, then refers to my article [3] about profile generation, and finally gives an overview of analysis using Volatility:

Commands Used in This Episode

Download and run AVML to create memory capture:
sudo ./avml memory.dmp

Download Volatility:
git clone

Build custom Volatility profile based upon specific Linux kernel version in use:
cd ./volatility/tools/linux
sudo apt install dwarfdump
cd ../../
uname -a   # show current kernel version
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/[KERNEL VERSION]

Install custom Volatility profile:
mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux

Run Volatility, specifying custom profile, and point at the AVML memory capture:
./ --info | more   # verify profile is available
./ -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
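As an added example (my own code, not from the post or the video), the helper below packages module.dwarf and System.map into the profile zip and sanity-checks an existing one before it is passed to --profile: one of each file must be present, module.dwarf must actually contain DWARF output, and the kernel version in the System.map name must match the `uname -r` recorded when the dump was taken, which is the usual reason Volatility silently finds nothing. The profile name (Linux + zip basename + arch) follows Volatility 2's convention; inferring the architecture from the System.map address width is my own heuristic, and the sample files in demo() are constructed.

```python
import re
import zipfile
from pathlib import Path

SYSMAP_RE = re.compile(r"^System\.map-(?P<ver>.+)$")

def build_profile(dwarf_path, system_map_path, zip_path):
    """Package module.dwarf and System.map-<ver> under bare names, as Volatility 2 loads them."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, "module.dwarf")
        zf.write(system_map_path, Path(system_map_path).name)
    return zip_path

def inspect_profile(zip_path, expected_kernel=None):
    """Return (profile_name, kernel_version, arch) or raise ValueError.
    Checks: one module.dwarf + one System.map-*, map version == `uname -r` recorded
    at capture, DWARF tags present (an empty module.dwarf means `make` failed).
    Heuristic (assumption): 16-hex-digit System.map addresses mean a 64-bit kernel."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if Path(n).name == "module.dwarf"]
        maps = [n for n in names if SYSMAP_RE.match(Path(n).name)]
        if len(dwarfs) != 1 or len(maps) != 1:
            raise ValueError(f"need one module.dwarf and one System.map-*, got {names}")
        kernel = SYSMAP_RE.match(Path(maps[0]).name).group("ver")
        if expected_kernel and kernel != expected_kernel:
            raise ValueError(f"profile is for {kernel}, dump was taken from {expected_kernel}")
        if b"DW_TAG_" not in zf.read(dwarfs[0]):
            raise ValueError("module.dwarf contains no DWARF tags")
        first_addr = zf.read(maps[0]).split(None, 1)[0]
        arch = "x64" if len(first_addr) == 16 else "x86"
    # Volatility 2 names the profile Linux<zip basename><arch>; basename assumed to have no dots
    return "Linux" + Path(zip_path).stem + arch, kernel, arch

def demo():
    """Run both functions on constructed sample files (not real kernel output)."""
    import tempfile
    work = Path(tempfile.mkdtemp())
    dwarf = work / "module.dwarf"
    dwarf.write_text("<1><0x2d> DW_TAG_structure_type\n  DW_AT_name task_struct\n")
    sysmap = work / "System.map-5.4.0-42-generic"
    sysmap.write_text("0000000000000000 D __per_cpu_start\nffffffff81000000 T _text\n")
    zip_path = build_profile(dwarf, sysmap, work / "Ubuntu2004.zip")
    result = inspect_profile(zip_path, expected_kernel="5.4.0-42-generic")
    try:  # a profile built for another kernel must be rejected before analysis starts
        inspect_profile(zip_path, expected_kernel="5.15.0-76-generic")
        mismatch_caught = False
    except ValueError:
        mismatch_caught = True
    return result, mismatch_caught
```

Record `uname -r` alongside the AVML capture so the expected_kernel check can be run later on the analysis box.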

Really useful!


  1. Linux Memory Forensics – Memory Capture and Analysis
  2. AVML (Acquire Volatile Memory for Linux) – A portable volatile memory acquisition tool for Linux.
  3. How to generate a Volatility profile for a Linux system
