|
|
| Line 1: |
Line 1: |
| − | ==Linux Memory Analysis Tools==
| + | CarvFs is a modular [[Fuse]] based user space file system on top op [[LibCarvPath]]. |
| | + | CarvFS makes CarvPath style annotations as used by LibCarvPath available as files. |
| | + | Using CarvFs makes it possible to process carved entities as files without the need for copy-out. |
| | | | |
| − | Research Projects:
| + | CarvFs is modular with respect to access to image files. |
| − | * The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)
| + | The CarvFs distribution comes with a default module for access to (split) raw files. |
| | | | |
| − | Open Source Projects:
| + | A separate [[LibEwf]] module is available for access to ewf images. |
| − | * The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the [http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flinux-support linux-support branch]. (Availability/License: GNU GPL)
| + | |
| − | * [http://hysteria.sk/~niekt0/foriana/ Foriana] is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
| + | |
| − | * [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
| + | |
| − | * [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
| + | |
| − | * The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it also has been utilized for memory forensics. See, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters]. (Availability/License: GNU GPL)
| + | |
| | | | |
| − | Commercial Products:
| + | [https://sourceforge.net/apps/mediawiki/carvpath/index.php?title=Main_Page CarvPath wiki] |
| − | * [[Second Look: Linux Memory Forensics]] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of May 2011, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.38. (Availability/License: commercial)
| + | |
| − | | + | |
| − | ==Linux Memory Analysis Challenges==
| + | |
| − | | + | |
| − | * The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
| + | |
| − | * [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.
| + | |
| − | | + | |
| − | ==Linux Memory Analysis Bibliography==
| + | |
| − | * [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
| + | |
| − | * [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
| + | |
| − | * [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.
| + | |
| − | * [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
| + | |
| − | * [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
| + | |
| − | * [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
| + | |
| − | * [http://www.pikewerks.com/sl/ Second Look Web Page], [http://www.pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]
| + | |
| − | * [http://blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Case De-Anonymizing Live CDs through Physical Memory Analysis] ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf Whitepaper]) ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf Slides]) Andrew Case; Blackhat USA 2010.
| + | |
| − | * [http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html Bringing Linux Support to Volatility], Andrew Case; Digital Forensics Solutions Blog, 2011.
| + | |
| − | | + | |
| − | Volatility Mailing List Threads on Support for Linux:
| + | |
| − | * http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
| + | |
| − | * http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112
| + | |
CarvFs is modular with respect to access to image files.
The CarvFs distribution comes with a default module for access to (split) raw files.
