In my previous posts I often covered many tools and techniques that allows memory acquisition from a Windows system. However, I written few articles about Linux memory acquisition and analysis, only one brief post regarding memory profiles generation on Linux, using LiME.



So, today I'd like to share with you this good video by 13Cubed, titled "Linux Memory Forensics - Memory Capture and Analysis".

https://www.youtube.com/watch?v=6Frec5cGzOg

The tutorial explains how to use Microsoft's AVML [2] to acquire memory, then refers to my article [3] about profile generation, finally it give an overview about analysis using Volatility:

Commands Used in This Episode

Download and run AVML to create memory capture:
sudo ./avml memory.dmp

Download Volatility:
git clone https://github.com/volatilityfoundation/volatility

Build custom Volatility profile based upon specific Linux kernel version in use:
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show current kernel version)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]

Install custom Volatility profile:
mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux

Run Volatility, specifying custom profile, and point at the AVML memory capture:
./vol.py --info | more (verify profile is available)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]

Really useful!

References

  1. Linux Memory Forensics - Memory Capture and Analysis
  2. AVML (Acquire Volatile Memory for Linux) - A portable volatile memory acquisition tool for Linux.
  3. How to generate a Volatility profile for a Linux system