Difference between revisions of "Linux Memory Analysis"

From ForensicsWiki
m (https link uses bad cert, http works fine)
(added new tool (volatilitux), added link to SL data sheet, created new section for challenges and added sstic 2010, added links to Volatility threads dealing with Linux, organized tools by type)
Line 1: Line 1:
The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
 
 
 
==Linux Memory Analysis Tools==
 
==Linux Memory Analysis Tools==
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.  (Availability/License: research project, not available)
+
 
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
+
Research Projects:
 +
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.  (Publication Date: 2006; Availability/License: not available)
 +
 
 +
Open Source Projects:
 +
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples.  Support for Linux is experimental (see Volatility mailing list threads referenced below).  (Availability/License: GNU GPL)
 
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.  (Availability/License: GNU GPL)
 
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.  (Availability/License: GNU GPL)
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] - This product can perform analysis of live local and remote memory sources, as well as stored snapshots of memory (physical memory images or hibernate images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, reverse engineering capabilities (including built-in disassembly and hexadecimal data views), and the capability of modifying target memory.  An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels.  (Availability/License: commercial)
+
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. (Availability/License: GNU GPL)
+
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 +
 
 +
Commercial Products:
 +
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views.  An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels.  As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35.  (Availability/License: commercial)
 +
 
 +
==Linux Memory Analysis Challenges==
 +
 
 +
* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
 +
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.
  
 
==Linux Memory Analysis Bibliography==
 
==Linux Memory Analysis Bibliography==
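Review bot: The rewritten Second Look entry in this hunk silently drops three capabilities that the previous revision stated (analysis of remote memory sources, hibernate images as a snapshot type, and modification of target memory), while the edit summary only mentions adding tools, a data sheet link and reorganising tools by type; either restore those claims or record in the summary that they were deliberately removed. Also, "Foriana is tool for extraction" is missing an article in both the old and the new column ("is a tool").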
Line 13: Line 23:
 
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
 
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
 
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
 
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
 +
* [http://pikewerks.com/_datasheets/secondlook.pdf Second Look Datasheet]
 +
 +
Volatility Mailing List Threads on Support for Linux:
 +
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
 +
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112
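Review bot: The three new bibliography entries in this hunk break the section's citation style: "Second Look Datasheet" carries no author, date or description, unlike the Desnos and Kollar entries above it, and the two Volatility mailing-list threads are bare URLs with no link text. Consider giving each a title and date in the existing form, e.g. "* [http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143 vol-users thread, January 2010]" (the month and year are visible in the URL; the thread subject would need to be taken from the list archive).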

Revision as of 09:35, 13 December 2010

Linux Memory Analysis Tools

Research Projects:

  • The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

  • The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental (see Volatility mailing list threads referenced below). (Availability/License: GNU GPL)
  • Foriana is a tool for extraction of information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
  • Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • Volatilitux is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)

Commercial Products:

  • Second Look from Pikewerks Corporation can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35. (Availability/License: commercial)

Linux Memory Analysis Challenges

Linux Memory Analysis Bibliography

Volatility Mailing List Threads on Support for Linux: