Difference between revisions of "Linux Memory Analysis"

From Forensics Wiki
(added new tool (volatilitux), added link to SL data sheet, created new section for challenges and added sstic 2010, added links to Volatility threads dealing with Linux, organized tools by type)
 
(14 intermediate revisions by 5 users not shown)
The output of a [[Tools:Memory_Imaging|memory acquisition tool]] is a memory image which contains the raw physical memory of a system.  A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.
 
==Linux Memory Analysis Tools==
  
Active Open Source Projects:
* The [https://www.volatilesystems.com/default/volatility Volatility Framework] is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples.  See the [http://code.google.com/p/volatility/wiki/LinuxMemoryForensics LinuxMemoryForensics] page on the Volatility wiki.  (Availability/License: GNU GPL)
* The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program.  Although designed as a debugging tool, it also has been utilized for memory forensics.  See, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters].  (Availability/License: GNU GPL)
  
Commercial Products:
* [[Second Look]] provides memory acquisition and analysis tools for Linux incident response and enterprise security.  Its major differentiators versus Volatility are malware detection via integrity verification of the kernel and running processes, ease of use (automatic kernel version detection, a graphical user interface, etc.), and enterprise scalability (including live analysis of remote systems via a memory access agent).  (Availability/License: commercial)
Inactive Open Source and Research Projects:
* The [http://4tphi.net/fatkit/ Forensic Analysis Toolkit (FATKit)] is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory.  (Publication Date: 2006; Availability/License: not available)
 
* [http://hysteria.sk/~niekt0/foriana/ Foriana] is a tool for extracting information such as the process and module lists from a RAM image, using logical relations between OS structures.  (Availability/License: GNU GPL)
 
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 
* [http://forensic.seccure.net/ Idetect (Linux)] is an older implementation of Linux memory analysis.
 
==Linux Memory Analysis Challenges==
 
* The [[Digital Forensic Research Workshop]] [http://dfrws.org/2008/challenge/index.shtml 2008 Forensics Challenge] focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
 
* [http://communaute.sstic.org/ChallengeSSTIC2010 Challenge SSTIC 2010] (French) dealt with analysis of physical memory from a mobile device running Android.

* [http://www.honeynet.org/challenges/2011_7_compromised_server Challenge 7 of the Honeynet Project's Forensic Challenge 2011] included forensic analysis of a memory image from a potentially compromised Linux server.
==Linux Memory Images==
Aside from those in the challenges referenced above, sample Linux memory images can also be found on the Second Look web site at http://secondlookforensics.com/images.html.
==Linux Memory Analysis Bibliography==
* [http://forensic.seccure.net/pdf/mburdach_digital_forensics_of_physical_memory.pdf Digital Forensics of the Physical Memory] M. Burdach, March 2005.
 
* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
 
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.

* [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.

* [http://www.dfrws.org/2008/proceedings/p65-case.pdf FACE: Automated digital evidence discovery and correlation], Andrew Case, Andrew Cristina, Lodovico Marziale, Golden G. Richard, Vassil Roussev; DFRWS 2008.
 
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
 
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.

* [http://www.dfrws.org/2010/proceedings/2010-305.pdf Treasure and tragedy in kmem_cache mining for live forensics investigation] by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010.  [http://www.dfrws.org/2010/proceedings/richard2.pdf (Presentation)]
* [http://secondlookforensics.com/ Second Look Web Page]
* [http://blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Case De-Anonymizing Live CDs through Physical Memory Analysis] ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf Whitepaper]) ([https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf Slides]) Andrew Case; Blackhat DC 2011.
* [http://dfsforensics.blogspot.com/2011/03/bringing-linux-support-to-volatility.html Bringing Linux Support to Volatility], Andrew Case; Digital Forensics Solutions Blog, 2011.
* [http://blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Case Workshop - Linux Memory Analysis with Volatility] ([http://www.digitalforensicssolutions.com/papers/blackhat-workshop-full-presentation.pdf Slides]) Andrew Case; Blackhat Vegas 2011.

Volatility Mailing List Threads on Support for Linux:
 
* http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
 
* http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112

[[Category:Memory Analysis]]

Latest revision as of 14:42, 13 November 2013
