Difference between revisions of "Linux Memory Analysis"

From ForensicsWiki
Jump to: navigation, search
(Linux Memory Analysis Bibliography)
Line 9: Line 9:
 
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 
* [http://code.google.com/p/draugr/ Draugr] is a Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 
* [http://code.google.com/p/volatilitux/ Volatilitux] is another Linux memory forensics tool written in Python.  (Availability/License: GNU GPL)
 +
* The [http://people.redhat.com/anderson/ Red Hat Crash Utility] is an extensible Linux kernel core dump analysis program.  Although designed as a debugging tool, it also has been utilized for memory forensics.  See, for example, the [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html 2008 DFRWS challenge write-up by AAron Walters].  (Availability/License: GNU GPL)
  
 
Commercial Products:
 
Commercial Products:
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views.  An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels.  As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35.  (Availability/License: commercial)
+
* [http://pikewerks.com/sl/ Second Look] from [http://www.pikewerks.com Pikewerks Corporation] can analyze live memory or stored snapshots (physical memory images).  It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system.  It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views.  An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels.  As of May 2011, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.38.  (Availability/License: commercial)
  
 
==Linux Memory Analysis Challenges==
 
==Linux Memory Analysis Challenges==
Line 21: Line 22:
 
* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
 
* [http://www.usenix.org/events/usenix05/tech/freenix/full_papers/movall/movall.pdf Linux Physical Memory Analysis], Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
 
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
 
* [http://cisr.nps.edu/downloads/theses/06thesis_urrea.pdf An Analysis Of Linux RAM Forensics], J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
 +
* [http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-major.html Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag], by AAron Walters on the Volatile Systems Blog.
 
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
 
* [http://esiea-recherche.eu/~desnos/papers/slidesdraugr.pdf Linux Live Memory Forensics], a presentation by Desnos Anthony describing the implementation of draugr, 2009.
 
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.
 
* [http://is.cuni.cz/studium/dipl_st/index.php?doo=detail&did=48540 Forensic RAM Dump Image Analyzer] by Ivor Kollar, describing the implementation of foriana, 2009.

Revision as of 14:34, 13 May 2011

Linux Memory Analysis Tools

Research Projects:

  • The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

  • The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the linux-support branch. (Availability/License: GNU GPL)
  • Foriana is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
  • Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • Volatilitux is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
  • The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it also has been utilized for memory forensics. See, for example, the 2008 DFRWS challenge write-up by AAron Walters. (Availability/License: GNU GPL)

Commercial Products:

  • Second Look from Pikewerks Corporation can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of May 2011, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.38. (Availability/License: commercial)

Linux Memory Analysis Challenges

Linux Memory Analysis Bibliography

Volatility Mailing List Threads on Support for Linux: