In my previous posts I often covered many tools and techniques that allows memory acquisition from a Windows system. However, I written few articles about Linux memory acquisition and analysis, only one brief post regarding memory profiles generation on Linux, using LiME.

So, today I’d like to share with you this good video by 13Cubed, titled “Linux Memory Forensics - Memory Capture and Analysis”.

The tutorial explains how to use Microsoft’s AVML to acquire memory, then refers to my article about profile generation, finally it give an overview about analysis using Volatility:

Download and run AVML to create memory capture

wget https://github.com/microsoft/avml/releases/download/v0.11.0/avml
sudo ./avml memory.dmp

Build custom Volatility profile based upon specific Linux kernel version in use

git clone https://github.com/volatilityfoundation/volatility
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show current kernel version)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]

Memory dump usage

Install custom Volatility profile:

mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux

Run Volatility, specifying custom profile, and point at the AVML memory capture:

./vol.py --info | more (verify profile is available)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]