Linux Memory Analysis

From ForensicsWiki
Revision as of 19:25, 7 December 2009 by Niekt0 (Talk | contribs)

Jump to: navigation, search

The Digital Forensic Research Workshop 2008 Forensics Challenge focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.

Linux Memory Analysis Tools

  • Second Look from Pikewerks Corporation - This tool can perform analysis of live local and remote memory sources, as well as stored snapshots of memory (physical memory images or hibernate images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has reverse engineering capabilities, including built-in disassembly and hexadecimal data views, and the capability of modifying target memory.
  • The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.
  • The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
  • foriana is tool for extraction of some information (process list, modules list, ..) from RAM image. Using logical realtions between OS structures, this detection works on multiple operating systems. Under GNU GPL.

Linux Memory Analysis Bibliography