Linux Memory Forensics

Linux memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits

Detection of Malicious Activities:

Malware Analysis
Suspicious Processes
In-Memory Artifact
Network Activity
User Activities ...
Filesystem and File Activity

Frist lets to Creates a raw memory dump with dd

dd if=/dev/mem of=memory.dump bs=1M

or we can Captures live memory on Linux with LiME

insmod lime.ko "path=/path/to/dump format=lime"

IN this section , I am going to talk about Linux Memory Forensics with Volatility 3

Analyze the Memory Dump

python3 vol.py -f <memory_dump> <plugin_name> [options]

-f <memory_dump>: Path to the memory dump file.
<plugin_name>: Volatility 3 plugin to use.

System Information

Kernel and OS details:

python3 vol.py -f memory.dump linux.banner

List running processes:

python3 vol.py -f memory.dump linux.pslist

Find hidden processes:

python3 vol.py -f memory.dump linux.pstree

Kernel Debug Symbols:

python3 vol.py -f memory.dump linux.info

Process Analysis

Detailed process memory maps:

python3 vol.py -f memory.dump linux.proc_maps

Processes with arguments:

python3 vol.py -f memory.dump linux.psaux

Zombie or orphaned processes:

python3 vol.py -f memory.dump linux.pslist --zombies

Threads information:

python3 vol.py -f memory.dump linux.threads

Network Activity

Detects manipulation of afinfo network structures

python3 vol.py -f memory.dump linux.check_afinfo

ARP Table Analysis:

python3 vol.py -f memory.dump linux.arp

Inspect routing table:

python3 vol.py -f memory.dump linux.route_cache

Network device configurations:

python3 vol.py -f memory.dump linux.ifconfig

Active network connections:

python3 vol.py -f memory.dump linux.netstat

Open sockets:

python3 vol.py -f memory.dump linux.sockets

Filesystem and File Activity

Find deleted files:

python3 vol.py -f memory.dump linux.deleted_files

Analyze file descriptors:

python3 vol.py -f memory.dump linux.fds

Open files by processes:

python3 vol.py -f memory.dump linux.lsof

Check mounts:

python3 vol.py -f memory.dump linux.mount

Kernel Modules and Symbols

Inspect loaded kernel symbols:

python3 vol.py -f memory.dump linux.kallsyms

Inspect kernel memory mappings:

python3 vol.py -f memory.dump linux.kernel_modules

List kernel modules:

python3 vol.py -f memory.dump linux.lsmod

Check suspicious modules:

python3 vol.py -f memory.dump linux.check_afinfo

Memory Artifacts

Search memory for specific strings:

python3 vol.py -f memory.dump strings --string "keyword"

Dump memory regions:

python3 vol.py -f memory.dump linux.dump_map

Identify malicious ELF binaries in memory:

python3 vol.py -f memory.dump linux.elfs

python3 vol.py -f memory-avml.lime linux.elfs.Elfs --pid <>

Heap allocations by process:

python3 vol.py -f memory.dump linux.heap

Malware and Suspicious Indicators

Analyzes TTY (teletypewriter) devices for anomalies - Often used to detect keylogging or backdoor

python3 vol.py -f memory.dump linux.tty_check

Identifies potential credential theft activities by examining process credentials:

python3 vol.py -f memory.dump linux.check_creds

Search memory for suspicious syscalls:

python3 vol.py -f memory.dump linux.syscalls

Identify malicious kernel timers:

python3 vol.py -f memory.dump linux.check_timers

Malicious process detection (based on YARA):

python3 vol.py -f memory.dump linux.yarascan --yara-rules <rules_file>

Check shared libraries:

python3 vol.py -f memory.dump linux.proc_maps

Detect backdoor shell bindings:

python3 vol.py -f memory.dump linux.backdoor

extract command history from active shell processes :

python3 vol.py -f memory-avml.lime linux.bash.Bash --pid <>

User Information

Check logged-in users:

python3 vol.py -f memory.dump linux.who

List user credentials:

python3 vol.py -f memory.dump linux.hashdump

Dump SSH keys from memory:

python3 vol.py -f memory.dump linux.ssh_keys

Inspect environment variables for processes:

python3 vol.py -f memory.dump linux.envvars

Dump Suspicious Processes

Dump a specific process by PID:

python3 vol.py -f memory.dump linux.dump_map --pid <>

Memory Strings Analysis

Search for encoded/hidden data:

strings memory.dump | grep -i "keyword"

Search for patterns with regular expressions:

python3 vol.py -f memory.dump linux.regex_search --pattern "<regex_pattern>"

NextLinux Forensics Logs

Last updated 5 months ago

Linux Memory Forensics

Linux memory forensics plays a vital role in incident response and digital forensics. Here are the primary purposes and benefits

Detection of Malicious Activities:

Malware Analysis
Suspicious Processes
In-Memory Artifact
Network Activity
User Activities ...
Filesystem and File Activity

Frist lets to Creates a raw memory dump with dd

dd if=/dev/mem of=memory.dump bs=1M

or we can Captures live memory on Linux with LiME

insmod lime.ko "path=/path/to/dump format=lime"

IN this section , I am going to talk about Linux Memory Forensics with Volatility 3

Analyze the Memory Dump

python3 vol.py -f <memory_dump> <plugin_name> [options]

-f <memory_dump>: Path to the memory dump file.
<plugin_name>: Volatility 3 plugin to use.

System Information

Kernel and OS details:

python3 vol.py -f memory.dump linux.banner

List running processes:

python3 vol.py -f memory.dump linux.pslist

Find hidden processes:

python3 vol.py -f memory.dump linux.pstree

Kernel Debug Symbols:

python3 vol.py -f memory.dump linux.info

Process Analysis

Detailed process memory maps:

python3 vol.py -f memory.dump linux.proc_maps

Processes with arguments:

python3 vol.py -f memory.dump linux.psaux

Zombie or orphaned processes:

python3 vol.py -f memory.dump linux.pslist --zombies

Threads information:

python3 vol.py -f memory.dump linux.threads

Network Activity

Detects manipulation of afinfo network structures

python3 vol.py -f memory.dump linux.check_afinfo

ARP Table Analysis:

python3 vol.py -f memory.dump linux.arp

Inspect routing table:

python3 vol.py -f memory.dump linux.route_cache

Network device configurations:

python3 vol.py -f memory.dump linux.ifconfig

Active network connections:

python3 vol.py -f memory.dump linux.netstat

Open sockets:

python3 vol.py -f memory.dump linux.sockets

Filesystem and File Activity

Find deleted files:

python3 vol.py -f memory.dump linux.deleted_files

Analyze file descriptors:

python3 vol.py -f memory.dump linux.fds

Open files by processes:

python3 vol.py -f memory.dump linux.lsof

Check mounts:

python3 vol.py -f memory.dump linux.mount

Kernel Modules and Symbols

Inspect loaded kernel symbols:

python3 vol.py -f memory.dump linux.kallsyms

Inspect kernel memory mappings:

python3 vol.py -f memory.dump linux.kernel_modules

List kernel modules:

python3 vol.py -f memory.dump linux.lsmod

Check suspicious modules:

python3 vol.py -f memory.dump linux.check_afinfo

Memory Artifacts

Search memory for specific strings:

python3 vol.py -f memory.dump strings --string "keyword"

Dump memory regions:

python3 vol.py -f memory.dump linux.dump_map

Identify malicious ELF binaries in memory:

python3 vol.py -f memory.dump linux.elfs

python3 vol.py -f memory-avml.lime linux.elfs.Elfs --pid <>

Heap allocations by process:

python3 vol.py -f memory.dump linux.heap

Malware and Suspicious Indicators

Analyzes TTY (teletypewriter) devices for anomalies - Often used to detect keylogging or backdoor

python3 vol.py -f memory.dump linux.tty_check

Identifies potential credential theft activities by examining process credentials:

python3 vol.py -f memory.dump linux.check_creds

Search memory for suspicious syscalls:

python3 vol.py -f memory.dump linux.syscalls

Identify malicious kernel timers:

python3 vol.py -f memory.dump linux.check_timers

Malicious process detection (based on YARA):

python3 vol.py -f memory.dump linux.yarascan --yara-rules <rules_file>

Check shared libraries:

python3 vol.py -f memory.dump linux.proc_maps

Detect backdoor shell bindings:

python3 vol.py -f memory.dump linux.backdoor

extract command history from active shell processes :

python3 vol.py -f memory-avml.lime linux.bash.Bash --pid <>

User Information

Check logged-in users:

python3 vol.py -f memory.dump linux.who

List user credentials:

python3 vol.py -f memory.dump linux.hashdump

Dump SSH keys from memory:

python3 vol.py -f memory.dump linux.ssh_keys

Inspect environment variables for processes:

python3 vol.py -f memory.dump linux.envvars

Dump Suspicious Processes

Dump a specific process by PID:

python3 vol.py -f memory.dump linux.dump_map --pid <>

Memory Strings Analysis

Search for encoded/hidden data:

strings memory.dump | grep -i "keyword"

Search for patterns with regular expressions:

python3 vol.py -f memory.dump linux.regex_search --pattern "<regex_pattern>"

NextLinux Forensics Logs

Last updated 5 months ago