Linux Forensics: Memory Capture and Analysis
In my previous posts I often covered many tools and techniques that allows memory acquisition from a Windows system. However, I written few articles about Linux memory acquisition and analysis, only one brief post regarding memory profiles generation on Linux, using LiME.
So, today I'd like to share with you this good video by 13Cubed, titled "Linux Memory Forensics - Memory Capture and Analysis".
The tutorial explains how to use Microsoft's AVML [2] to acquire memory, then refers to my article [3] about profile generation, finally it give an overview about analysis using Volatility:
Commands Used in This Episode Download and run AVML to create memory capture: sudo ./avml memory.dmp Download Volatility: git clone https://github.com/volatilityfoundation/volatility Build custom Volatility profile based upon specific Linux kernel version in use: cd ./volatility/tools/linux sudo apt install dwarfdump make cd ../../ uname -a (show current kernel version) sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION] Install custom Volatility profile: mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux Run Volatility, specifying custom profile, and point at the AVML memory capture: ./vol.py --info | more (verify profile is available) ./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
Really useful!