Difference between revisions of "Linux Memory Analysis"

From ForensicsWiki
Jump to: navigation, search
(Linux Memory Analysis Tools: update volatility linux support link)
Line 44: Line 44:
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112
[[Category:Memory Analysis]]

Revision as of 09:29, 27 July 2012

The output of a memory acquisition tool is a memory image which contains the raw physical memory of a system. A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.

Linux Memory Analysis Tools

Research Projects:

  • The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

  • The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental--see the LinuxMemoryForensics page on the Volatility wiki. (Availability/License: GNU GPL)
  • Foriana is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
  • Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • Volatilitux is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it also has been utilized for memory forensics. See, for example, the 2008 DFRWS challenge write-up by AAron Walters. (Availability/License: GNU GPL)
  • Idetect (Linux) http://forensic.seccure.net/ is an older implementation of Linux memory analysis.

Commercial Products:

  • Second Look: Linux Memory Forensics from Raytheon Pikewerks Corporation can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, unauthorized applications and services, and stealthy user-level malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels, while an online pagehash database provides the baselines for verification of hundreds of thousands of Linux software packages. As of April 2012, it supports x86 and x86_64 targets running any 2.6-series kernel and 3-series kernels up to 3.2. (Availability/License: commercial)

Linux Memory Analysis Challenges

Linux Memory Images

Aside from those in the challenges referenced above, sample Linux memory images can also be found on the Second Look web site at http://secondlookforensics.com/images.html.

Linux Memory Analysis Bibliography

Volatility Mailing List Threads on Support for Linux: