# Linux Memory Forensics

Detection of malicious activities:

* Malware analysis
* Suspicious processes
* In-memory artifacts
* Network activity
* User activities ...
* Filesystem and file activity

First, create a raw memory dump with `dd`. Note that current kernels restrict `/dev/mem` (`CONFIG_STRICT_DEVMEM`), so this usually captures little or nothing; a kernel-module acquisition tool such as LiME is the practical route.

```
dd if=/dev/mem of=memory.dump bs=1M
```

Alternatively, capture live memory on Linux with `LiME`:

```
insmod lime.ko "path=/path/to/dump format=lime"
```

In this section I am going to talk about Linux memory forensics with Volatility 3.

Analyze the memory dump with the general invocation:

`python3 vol.py -f <memory_dump> <plugin_name> [options]`

* `-f <memory_dump>`: Path to the memory dump file.
* `<plugin_name>`: Volatility 3 plugin to use.

### System Information

* Kernel and OS details:

`python3 vol.py -f memory.dump linux.banner`

* List running processes:

`python3 vol.py -f memory.dump linux.pslist`

* Find hidden processes:

`python3 vol.py -f memory.dump linux.pstree`

* Kernel debug symbols:

`python3 vol.py -f memory.dump linux.info`

### Process Analysis

* Detailed process memory maps:

`python3 vol.py -f memory.dump linux.proc_maps`

* Processes with arguments:

`python3 vol.py -f memory.dump linux.psaux`

* Zombie or orphaned processes:

`python3 vol.py -f memory.dump linux.pslist --zombies`

* Thread information:

`python3 vol.py -f memory.dump linux.threads`
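The process listings above are most useful when cross-checked against each other. The following is an added example (not code from the original page or from the Volatility project) that feeds the output of `linux.pslist` and `linux.psaux` into two defender-side heuristics: a task whose name does not appear anywhere in its own command line (self-renamed or argv-rewritten processes), and an interactive shell whose ancestry passes through a network-facing service. It assumes Volatility 3's JSON renderer (`-r json`) and the column names `PID`, `PPID`, `COMM` and `ARGS`; check them against your own build. The sample rows are constructed, not real plugin output.

```python
"""Cross-check Volatility 3 process listings for masquerading and odd parentage.

Added example; not code from the original page or from the Volatility project.
Assumptions: Volatility 3's JSON renderer (-r json) returns a list of row
objects with columns "PID", "PPID" and "COMM" in linux.pslist and "PID" and
"ARGS" in linux.psaux. The sample rows below are constructed.
"""
import json
import subprocess

# Services that should not normally spawn an interactive shell (tune per environment)
NETWORK_SERVICES = {"nginx", "apache2", "httpd", "postgres", "mysqld"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def run_plugin(dump, plugin, vol="vol.py"):
    """Run a Volatility 3 plugin with the JSON renderer and return its rows (assumed layout)."""
    proc = subprocess.run(
        ["python3", vol, "-f", dump, "-r", "json", plugin],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def find_anomalies(pslist, psaux):
    """Return (pid, reason) pairs for processes that deserve a closer look."""
    args_by_pid = {r["PID"]: r.get("ARGS") or "" for r in psaux}
    parent = {r["PID"]: r["PPID"] for r in pslist}
    comm = {r["PID"]: r["COMM"] for r in pslist}
    findings = []
    for pid, name in comm.items():
        args = args_by_pid.get(pid, "")
        # 1. Task name absent from its own command line: the process renamed itself or
        #    its argv was overwritten. Heuristic only; kernel threads (empty argv) are skipped.
        if args and name not in args:
            findings.append((pid, f"comm {name!r} not found in argv {args!r}"))
        # 2. Interactive shell whose ancestry passes through a network-facing service,
        #    the usual shape of a web shell or an exploited daemon.
        if name in SHELLS:
            anc, seen = parent.get(pid), set()
            while anc in comm and anc not in seen:
                seen.add(anc)
                if comm[anc] in NETWORK_SERVICES:
                    findings.append((pid, f"shell under {comm[anc]} (pid {anc})"))
                    break
                anc = parent.get(anc)
    return findings


# Constructed sample rows standing in for `vol.py -r json` output
SAMPLE_PSLIST = [
    {"PID": 1, "PPID": 0, "COMM": "systemd"},
    {"PID": 42, "PPID": 2, "COMM": "kworker/0:1"},
    {"PID": 700, "PPID": 1, "COMM": "nginx"},
    {"PID": 701, "PPID": 700, "COMM": "nginx"},
    {"PID": 900, "PPID": 701, "COMM": "sh"},
    {"PID": 1200, "PPID": 1, "COMM": "sshd"},
    {"PID": 1250, "PPID": 1200, "COMM": "bash"},
    {"PID": 1300, "PPID": 1, "COMM": "crond"},
]
SAMPLE_PSAUX = [
    {"PID": 1, "ARGS": "/lib/systemd/systemd --system"},
    {"PID": 42, "ARGS": ""},
    {"PID": 700, "ARGS": "nginx: master process /usr/sbin/nginx"},
    {"PID": 701, "ARGS": "nginx: worker process"},
    {"PID": 900, "ARGS": "/bin/sh"},
    {"PID": 1200, "ARGS": "/usr/sbin/sshd -D"},
    {"PID": 1250, "ARGS": "-bash"},
    {"PID": 1300, "ARGS": "/tmp/.cache/svc"},
]

if __name__ == "__main__":
    # Against a real image:
    #   find_anomalies(run_plugin(dump, "linux.pslist"), run_plugin(dump, "linux.psaux"))
    for pid, reason in find_anomalies(SAMPLE_PSLIST, SAMPLE_PSAUX):
        print(f"PID {pid}: {reason}")
```

On the sample data this reports PID 900 (a shell under the nginx worker) and PID 1300 (named `crond` but running from `/tmp/.cache/svc`), while the ssh login shell under `sshd` is left alone. The kernel truncates `comm` to 15 characters, but a truncated name is still a substring of an unmodified `argv[0]`, so the first heuristic tolerates long program names.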

### Network Activity

* Detects manipulation of `afinfo` network structures

`python3 vol.py -f memory.dump linux.check_afinfo`

* ARP Table Analysis:

`python3 vol.py -f memory.dump linux.arp`

* Inspect routing table:

`python3 vol.py -f memory.dump linux.route_cache`

* Network device configurations:

`python3 vol.py -f memory.dump linux.ifconfig`

* Active network connections:

`python3 vol.py -f memory.dump linux.netstat`

* Open sockets:

`python3 vol.py -f memory.dump linux.sockets`

### Filesystem and File Activity

* Find deleted files:

`python3 vol.py -f memory.dump linux.deleted_files`

* Analyze file descriptors:

`python3 vol.py -f memory.dump linux.fds`

* Open files by processes:

`python3 vol.py -f memory.dump linux.lsof`

* Check mounts:

`python3 vol.py -f memory.dump linux.mount`

### Kernel Modules and Symbols

* Inspect loaded kernel symbols:

`python3 vol.py -f memory.dump linux.kallsyms`

* Inspect kernel memory mappings:

`python3 vol.py -f memory.dump linux.kernel_modules`

* List kernel modules:

`python3 vol.py -f memory.dump linux.lsmod`

* Check for hidden modules (module list compared against sysfs):

`python3 vol.py -f memory.dump linux.check_modules`

### Memory Artifacts

* Search memory for specific strings:

`python3 vol.py -f memory.dump strings --string "keyword"`

* Dump memory regions:

`python3 vol.py -f memory.dump linux.dump_map`

* Identify malicious ELF binaries in memory:

`python3 vol.py -f memory.dump linux.elfs`

`python3 vol.py -f memory-avml.lime linux.elfs.Elfs --pid <PID>`

* Heap allocations by process:

`python3 vol.py -f memory.dump linux.heap`

### Malware and Suspicious Indicators

* Analyze TTY (teletypewriter) devices for anomalies; often used to detect keyloggers or backdoors:

`python3 vol.py -f memory.dump linux.tty_check`

* Identifies potential credential theft activities by examining process credentials:

`python3 vol.py -f memory.dump linux.check_creds`

* Search memory for suspicious syscalls:

`python3 vol.py -f memory.dump linux.syscalls`

* Identify malicious kernel timers:

`python3 vol.py -f memory.dump linux.check_timers`

* Malicious process detection (based on YARA):

`python3 vol.py -f memory.dump linux.yarascan --yara-rules <rules_file>`

* Check shared libraries:

`python3 vol.py -f memory.dump linux.proc_maps`

* Detect backdoor shell bindings:

`python3 vol.py -f memory.dump linux.backdoor`

* Extract command history from active shell processes:

`python3 vol.py -f memory-avml.lime linux.bash.Bash --pid <PID>`

### User Information

* Check logged-in users:

`python3 vol.py -f memory.dump linux.who`

* List user credentials:

`python3 vol.py -f memory.dump linux.hashdump`

* Dump SSH keys from memory:

`python3 vol.py -f memory.dump linux.ssh_keys`

* Inspect environment variables for processes:

`python3 vol.py -f memory.dump linux.envvars`

### Dump Suspicious Processes

* Dump a specific process by PID:

`python3 vol.py -f memory.dump linux.dump_map --pid <PID>`

### Memory Strings Analysis

* Search for encoded/hidden data:

`strings memory.dump | grep -i "keyword"`

* Search for patterns with regular expressions:

`python3 vol.py -f memory.dump linux.regex_search --pattern "<regex_pattern>"`
