Linux Memory Forensics - Memory Capture and Analysis

Video description

You're likely familiar with many tools that allow us to capture memory from a Windows system, and you may have watched other episodes in which we used Volatility to analyze those captures. But, have you ever wondered how to capture and analyze memory on a Linux system? Well, wait no longer, because that's exactly what we'll cover in this episode!

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

📖 Chapters

00:00 - Intro
02:57 - Microsoft AVML
05:14 - Volatility Configuration
09:15 - Volatility Analysis
11:52 - Recap

🛠 Resources

Microsoft AVML:
https://github.com/microsoft/avml

How to Generate a Volatility Profile for a Linux System:
https://www.andreafortuna.org/2019/08...

🖥 Commands Used in This Episode

Download and run AVML to create memory capture:
sudo ./avml memory.dmp

Download Volatility:
git clone https://github.com/volatilityfoundati...

Build custom Volatility profile based upon specific Linux kernel version in use:
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show current kernel version)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]

Install custom Volatility profile:
mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux

Run Volatility, specifying custom profile, and point at the AVML memory capture:
./vol.py --info | more (verify profile is available)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
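The steps above depend on two things being right before Volatility is ever run: the System.map packed into the zip must belong to the exact kernel the memory was captured from, and the zip's file name decides the profile name (Volatility 2 names a Linux profile Linux + the zip basename + x64 or x86, so Ubuntu2004.zip becomes LinuxUbuntu2004x64). The following POSIX shell script is an added example, not part of the episode or of the Volatility project; it wraps those checks in functions and runs them on constructed sample files (the module.dwarf stub and the two-line System.map are made up for the demo, and the kernel version 5.4.0-generic and zip name Ubuntu2004.zip are assumptions).

```shell
#!/bin/sh
# Added example (not 13Cubed or Volatility code): sanity checks around the
# Volatility 2 Linux profile workflow. All sample files below are constructed.

# Volatility 2 derives the Linux profile name from the zip file name:
# Linux<zip basename without .zip><arch>, e.g. Ubuntu2004.zip -> LinuxUbuntu2004x64.
profile_name_from_zip() {
    zipbase=$(basename "$1" .zip)
    arch=${2:-x64}
    printf 'Linux%s%s\n' "$zipbase" "$arch"
}

# The System.map must come from the kernel the memory was captured on; compare
# its version suffix with `uname -r` output (or the version recorded for the
# evidence host). Returns 0 when they match.
sysmap_matches_kernel() {
    sysmap=$1
    kernel=$2
    [ "$(basename "$sysmap")" = "System.map-$kernel" ]
}

# Check the two inputs the profile needs: a non-empty module.dwarf and a
# System.map that actually carries kernel symbols (init_task is always present
# in a real map; an empty or wrong file here yields a profile that never works).
check_profile_inputs() {
    dwarf=$1
    sysmap=$2
    [ -s "$dwarf" ]  || { echo "missing or empty dwarf file: $dwarf" >&2; return 1; }
    [ -s "$sysmap" ] || { echo "missing or empty System.map: $sysmap" >&2; return 1; }
    grep -q ' [DdTt] init_task$' "$sysmap" \
        || { echo "no init_task symbol in $sysmap" >&2; return 1; }
    return 0
}

# Package the profile zip (same layout as the episode's zip command) and print
# the profile name to pass to --profile.
package_profile() {
    zipout=$1
    dwarf=$2
    sysmap=$3
    check_profile_inputs "$dwarf" "$sysmap" || return 1
    zip -q "$zipout" "$dwarf" "$sysmap" || return 1
    profile_name_from_zip "$zipout"
}

# --- constructed sample run so the script works stand-alone ---
demo=$(mktemp -d)
printf 'dwarf stub\n' > "$demo/module.dwarf"
printf 'ffffffff81000000 T _text\nffffffff82a13e00 D init_task\n' \
    > "$demo/System.map-5.4.0-generic"

if sysmap_matches_kernel "$demo/System.map-5.4.0-generic" "5.4.0-generic"; then
    echo "System.map matches kernel 5.4.0-generic"
fi
check_profile_inputs "$demo/module.dwarf" "$demo/System.map-5.4.0-generic" \
    && echo "profile inputs look sane"
if command -v zip >/dev/null 2>&1; then
    package_profile "$demo/Ubuntu2004.zip" "$demo/module.dwarf" "$demo/System.map-5.4.0-generic"
else
    echo "zip not installed; profile would be named $(profile_name_from_zip Ubuntu2004.zip)"
fi
rm -rf "$demo"
```

Run the real thing with the paths from the episode in place of the sample files; the printed profile name is the value for --profile, and it will also appear in ./vol.py --info once the zip is in plugins/overlays/linux.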

#Forensics #DigitalForensics #DFIR #ComputerForensics #LinuxForensics #MemoryForensics
