Linux Memory Analysis

Linux Memory Analysis Tools

Research Projects:

• The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)

Open Source Projects:

• The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. Support for Linux is experimental, but available from Subversion in the linux-support branch. (Availability/License: GNU GPL)
• Foriana is tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
• Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
• Volatilitux is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)

Commercial Products:

• Second Look from Pikewerks Corporation can analyze live memory or stored snapshots (physical memory images). It can be used to detect rootkits and other kernel-hooking malware, as well as obtain forensic information about the state of the system. It has command-line and GUI interfaces, and reverse engineering capabilities including built-in disassembly and hexadecimal data views. An online reference kernel repository provides baselines for verification of thousands of distribution stock kernels. As of November 2010, it supports x86 and x86_64 targets running kernels 2.6.8 to 2.6.35. (Availability/License: commercial)

Linux Memory Analysis Challenges

• The Digital Forensic Research Workshop 2008 Forensics Challenge focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
• Challenge SSTIC 2010 (French) dealt with analysis of physical memory from a mobile device running Android.

Linux Memory Analysis Bibliography

• Linux Physical Memory Analysis, Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
• An Analysis Of Linux RAM Forensics, J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
• Linux Live Memory Forensics, a presentation by Desnos Anthony describing the implementation of draugr, 2009.
• Forensic RAM Dump Image Analyzer by Ivor Kollar, describing the implementation of foriana, 2009.
• Treasure and tragedy in kmem_cache mining for live forensics investigation by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. (Presentation)
• Second Look Datasheet

Volatility Mailing List Threads on Support for Linux:

• http://lists.volatilesystems.com/pipermail/vol-users/2010-January/thread.html#143
• http://lists.volatilesystems.com/pipermail/vol-dev/2010-September/thread.html#112