Difference between revisions of "Linux Memory Analysis"

From ForensicsWiki
(Linux Memory Analysis Tools)
(alphabetize list, add draugr + draugr presentation)
Line 2: Line 2:
  
 
==Linux Memory Analysis Tools==
 
==Linux Memory Analysis Tools==
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] - This tool can perform analysis of live local and remote memory sources, as well as stored snapshots of memory (physical memory images or hibernate images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has reverse engineering capabilities, including built-in disassembly and hexadecimal data views, and the capability of modifying target memory.
+
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.  (Availability/License: research project, not available)
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.
+
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
+
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.  (Availability/License: GNU GPL)
* [http://hysteria.sk/~niekt0/foriana/ foriana] is tool for extraction of some information (process list, modules list, ..) from RAM image. Using logical realtions between OS structures, this detection works on multiple operating systems. Under GNU GPL.
+
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] - This product can perform analysis of live local and remote memory sources, as well as stored snapshots of memory (physical memory images or hibernate images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, reverse engineering capabilities (including built-in disassembly and hexadecimal data views), and the capability of modifying target memory. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. (Availability/License: commercial)
 +
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. (Availability/License: GNU GPL)
  
 
==Linux Memory Analysis Bibliography==
 
==Linux Memory Analysis Bibliography==
* [https://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein, Usenix 2005
+
* [https://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, March 2006
+
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
 +
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
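Review bot: the rewritten Foriana entry still drops the article ("is tool for extraction of information"); suggest "Foriana is a tool for extracting information such as the process and module lists from a RAM image using logical relations between OS structures." In the same edit, the new bibliography entry names the draugr author as "Desnos Anthony", while the neighbouring entries put the given name first ("Paul Movall", "J.M. Urrea"); for consistency it should read "Anthony Desnos".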

Revision as of 15:45, 1 April 2010

The Digital Forensic Research Workshop 2008 Forensics Challenge focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.

Linux Memory Analysis Tools

  • The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Availability/License: research project, not available)
  • Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • Foriana is a tool for extracting information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
  • Second Look from Pikewerks Corporation - This product can perform analysis of live local and remote memory sources, as well as stored snapshots of memory (physical memory images or hibernate images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, reverse engineering capabilities (including built-in disassembly and hexadecimal data views), and the capability of modifying target memory. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. (Availability/License: commercial)
  • The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. (Availability/License: GNU GPL)
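The Foriana and Draugr entries above describe the same core technique: rather than trusting one kernel symbol, a memory analyser scans the image for candidate structures and keeps only those whose pointers satisfy the relations the kernel itself maintains (for the process list, `tasks.next->prev` and `tasks.prev->next` must both return to the candidate). The following is an added example written for this page, not code from ForensicsWiki or from Foriana, Draugr, Second Look or Volatility. Everything in it is constructed: the "image" is a synthetic little-endian buffer in which addresses are simply buffer offsets (a real image needs physical-to-virtual translation), and the record layout (pid, comm, tasks.next, tasks.prev) is invented for the demo and is not the real `task_struct` layout, whose offsets differ per kernel build and must be taken from the target kernel's debug information or a tool profile. Beyond the list-walk the entries describe, the example also carves a record that points into the list but is no longer pointed to, which is what a process hidden by unlinking it from the task list looks like.

```python
"""
Added example (not from the ForensicsWiki page or any tool it lists):
recovering a Linux-style process list from a memory image by checking the
logical relations between structures instead of trusting a single symbol.

Constructed assumptions:
- the image is a synthetic little-endian buffer; "addresses" are offsets into it;
- the record layout below is invented and is NOT real task_struct layout
  (real offsets come from the target kernel's debug info or a tool profile).
"""
import struct

PID_OFF, COMM_OFF, NEXT_OFF, PREV_OFF, REC_SIZE = 0, 8, 24, 32, 40
COMM_LEN = 16          # TASK_COMM_LEN in real kernels is also 16
PTR = "<Q"             # 64-bit little-endian pointer


def _ptr(img, off):
    return struct.unpack_from(PTR, img, off)[0]


def _put_task(img, rec, pid, comm, nxt, prv):
    struct.pack_into("<I", img, rec + PID_OFF, pid)
    img[rec + COMM_OFF:rec + COMM_OFF + COMM_LEN] = comm.encode().ljust(COMM_LEN, b"\0")
    struct.pack_into(PTR, img, rec + NEXT_OFF, nxt)
    struct.pack_into(PTR, img, rec + PREV_OFF, prv)


def build_image(tasks, hidden, size=0x2000, gap=0x100):
    """Constructed image: `tasks` form the circular task list (pointers target the
    neighbour's embedded list_head, as the kernel does); `hidden` records point into
    the list but nothing points back, mimicking a process unlinked by a rootkit;
    one decoy has a plausible pid/comm but dangling pointers."""
    img = bytearray(size)                      # zero-filled, like unused pages
    offs = [0x200 + i * gap for i in range(len(tasks))]
    n = len(tasks)
    for i, (pid, comm) in enumerate(tasks):
        _put_task(img, offs[i], pid, comm,
                  offs[(i + 1) % n] + NEXT_OFF, offs[(i - 1) % n] + NEXT_OFF)
    for j, (pid, comm) in enumerate(hidden):
        _put_task(img, 0x1000 + j * gap, pid, comm, offs[1] + NEXT_OFF, offs[0] + NEXT_OFF)
    _put_task(img, 0x1800, 4242, "decoy", 0x1f00 + NEXT_OFF, 0x1f00 + NEXT_OFF)
    return bytes(img)


def _fields(img, rec):
    pid = struct.unpack_from("<I", img, rec + PID_OFF)[0]
    comm = img[rec + COMM_OFF:rec + COMM_OFF + COMM_LEN].split(b"\0", 1)[0]
    return pid, comm


def _plausible(img, rec):
    """Cheap per-record sanity: printable non-empty comm and in-bounds pointers."""
    if rec < 0 or rec + REC_SIZE > len(img):
        return False
    _, comm = _fields(img, rec)
    if not comm or any(c < 0x20 or c > 0x7e for c in comm):
        return False
    return all(NEXT_OFF <= p <= len(img) - 16
               for p in (_ptr(img, rec + NEXT_OFF), _ptr(img, rec + PREV_OFF)))


def _links_back(img, rec):
    """Strong relation: next->prev and prev->next both return to this record's
    list_head, so the record really is a member of a doubly-linked list."""
    lh = rec + NEXT_OFF
    nxt, prv = _ptr(img, rec + NEXT_OFF), _ptr(img, rec + PREV_OFF)
    return _ptr(img, nxt + 8) == lh and _ptr(img, prv) == lh


def carve_tasks(img, step=8):
    """Return (linked, unlinked) record offsets: records consistent with the live
    list, and records whose pointers land on linked records but which nothing
    links to, the signature of a process hidden by unlinking it."""
    cands = [r for r in range(0, len(img) - REC_SIZE + 1, step) if _plausible(img, r)]
    linked = {r for r in cands if _links_back(img, r)}
    unlinked = set()
    for r in cands:
        if r in linked:
            continue
        targets = {_ptr(img, r + NEXT_OFF) - NEXT_OFF, _ptr(img, r + PREV_OFF) - NEXT_OFF}
        if targets <= linked:
            unlinked.add(r)
    return linked, unlinked


def walk_task_list(img, start):
    """Follow tasks.next from a linked record, stopping on a broken link or a
    revisited record instead of looping forever on a corrupted list."""
    out, rec, seen = [], start, set()
    while rec not in seen and _plausible(img, rec) and _links_back(img, rec):
        seen.add(rec)
        pid, comm = _fields(img, rec)
        out.append((pid, comm.decode()))
        rec = _ptr(img, rec + NEXT_OFF) - NEXT_OFF      # container_of(next, rec, tasks)
    return out


def demo():
    """Constructed image with three listed tasks and one hidden one."""
    img = build_image([(1, "init"), (2, "kthreadd"), (640, "sshd")], [(31337, "rootkitd")])
    linked, unlinked = carve_tasks(img)
    visible = walk_task_list(img, min(linked))
    hidden = sorted((p, c.decode()) for p, c in (_fields(img, r) for r in unlinked))
    return visible, hidden


if __name__ == "__main__":
    print(demo())
```

The list walk alone would report only `init`, `kthreadd` and `sshd`; the carving pass reports `rootkitd` as well because its pointers still land on valid list members even though no member points back, while the decoy with dangling pointers is rejected by both passes. Against a real image the same relations apply to the kernel's `task_struct.tasks` list, but the offsets, pointer width and address translation must be taken from the target kernel rather than from this constructed layout.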

Linux Memory Analysis Bibliography