Linux Memory Forensics – Memory Capture and Analysis
You’re likely familiar with many tools that allow us to capture memory from a Windows system, and you may have watched other episodes in which we used Volatility to analyze those captures. But, have you ever wondered how to capture and analyze memory on a Linux system? Well, wait no longer, because that’s exactly what we’ll cover in this episode!
*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***
📖 Chapters
00:00 – Intro
02:57 – Microsoft AVML
05:14 – Volatility Configuration
09:15 – Volatility Analysis
11:52 – Recap
🛠 Resources
Microsoft AVML:
https://github.com/microsoft/avml
How to Generate a Volatility Profile for a Linux System:
https://www.andreafortuna.org/2019/08/22/how-to-generate-a-volatility-profile-for-a-linux-system/
🖥 Commands Used in This Episode
Download the AVML release binary and run it as root to create the memory capture (AVML writes LiME format, which Volatility reads directly):
sudo ./avml memory.dmp
Download Volatility:
git clone https://github.com/volatilityfoundation/volatility.git
Build a custom Volatility profile for the exact kernel running on the captured system (the build needs dwarfdump, a compiler and the matching kernel headers, e.g. linux-headers-$(uname -r); a profile built from a different kernel build will not parse the dump):
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show current kernel version; uname -r prints just the release string that appears in the System.map filename)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]
Install custom Volatility profile:
mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux
Run Volatility with the custom profile against the AVML capture (Volatility 2 names the profile Linux<zip name without .zip><arch>, e.g. Ubuntu1804.zip becomes LinuxUbuntu1804x64; [PLUGIN] is a Linux plugin such as linux_pslist):
./vol.py --info | more (verify the new profile is listed under Profiles)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
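Two checks worth running before the Volatility step above, as an added example that is not part of the episode, AVML or Volatility: confirm the capture really is a LiME dump (AVML's default output) and derive the --profile name from the zip you built. The LiME header layout (magic "EMiL", version, start and end address, reserved) is the documented format; the naming rule assumes Volatility 2 turns dots in the zip basename into underscores, so keep the zip name simple. The 4 KiB dump the script builds for its demo is constructed inline.

```shell
#!/usr/bin/env bash
# Added example (not from the 13Cubed episode, AVML or Volatility):
# sanity-check an AVML capture and derive the Volatility 2 --profile name.
# POSIX shell; needs od, head, tr and mktemp.
set -eu

# AVML writes LiME format. Every physical memory range starts with a
# 32-byte little-endian header: uint32 magic 0x4C694D45 (bytes "EMiL"),
# uint32 version (1), uint64 s_addr, uint64 e_addr, uint64 reserved.
# lime_check FILE prints "version s_addr e_addr" for the first range and
# fails if the magic is wrong (truncated capture, or one taken with
# AVML's --compress option, which is not raw LiME).
lime_check() {
  f=$1
  magic=$(head -c 4 -- "$f" | od -An -c | tr -d ' \n')
  if [ "$magic" != "EMiL" ]; then
    echo "not a LiME dump: $f (magic '$magic')" >&2
    return 1
  fi
  version=$(od -An -t u4 -j 4 -N 4 -- "$f" | tr -d ' ')
  s_addr=$(od -An -t u8 -j 8 -N 8 -- "$f" | tr -d ' ')
  e_addr=$(od -An -t u8 -j 16 -N 8 -- "$f" | tr -d ' ')
  echo "$version $s_addr $e_addr"
}

# Volatility 2 builds the profile name from the zip dropped into
# volatility/plugins/overlays/linux: "Linux" + zip basename + "x64"/"x86".
# Assumption: dots in the basename become underscores.
# profile_name ZIP ARCH -> value to pass to --profile
profile_name() {
  base=${1##*/}
  base=${base%.zip}
  base=$(printf '%s' "$base" | tr . _)
  echo "Linux${base}$2"
}

# Constructed sample: one LiME range covering 0x1000-0x1fff, zero-filled.
make_sample_dump() {
  {
    printf 'EMiL\001\000\000\000'             # magic, version 1
    printf '\000\020'; head -c 6 /dev/zero     # s_addr = 0x1000
    printf '\377\037'; head -c 6 /dev/zero     # e_addr = 0x1fff
    head -c 8 /dev/zero                        # reserved
    head -c 4096 /dev/zero                     # the range itself
  } > "$1"
}

# Demo on the constructed dump. Against a real capture you would run:
#   lime_check memory.dmp && \
#     ./vol.py -f memory.dmp --profile="$(profile_name Ubuntu1804.zip x64)" linux_pslist
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_dump "$tmp"
  lime_check "$tmp"                  # 1 4096 8191
  profile_name Ubuntu1804.zip x64    # LinuxUbuntu1804x64
  rm -f "$tmp"
fi
```

Run it with `bash check_capture.sh --demo` (filename is an assumption) to see the header fields of the constructed dump; point `lime_check` at the real memory.dmp before copying it off the box, since a wrong magic means you have nothing to analyze and should recapture while the system is still up.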
#Forensics #DigitalForensics #DFIR #ComputerForensics #LinuxForensics #MemoryForensics