Linux memory analysis
The output of a memory acquisition tool is a memory image which contains the raw physical memory of a system. A wide variety of tools can be used to search for strings or other patterns in a memory image, but to extract higher-level information about the state of the system a memory analysis tool is required.
Linux Memory Analysis Tools
Active Open Source Projects:
- The Volatility Framework is a collection of tools, implemented in Python, for the extraction of digital artifacts from volatile memory (RAM) samples. See the LinuxMemoryForensics page on the Volatility wiki. (Availability/License: GNU GPL)
- Rekall includes a Python-based analysis framework which forked from Volatility and has since added a number of features, as well as its own acquisition tools. It is usable as a library and is used as such in the GRR remote live forensics project.
- The Red Hat Crash Utility is an extensible Linux kernel core dump analysis program. Although designed as a debugging tool, it also has been utilized for memory forensics. See, for example, the 2008 DFRWS challenge write-up by AAron Walters. (Availability/License: GNU GPL)
- Forcepoint Linux Security (Second Look) provides memory acquisition and analysis tools for Linux incident response and enterprise security. Its major differentiators versus Volatility are malware detection via integrity verification of the kernel, running processes, and cached files; ease of use (automatic kernel version detection, a graphical user interface, etc.); and enterprise scalability (including live analysis of remote systems via a memory access agent). (Availability/License: commercial)
Inactive Open Source and Research Projects:
- The Forensic Analysis Toolkit (FATKit) is a cross-platform, modular, and extensible digital investigation framework for analyzing volatile system memory. (Publication Date: 2006; Availability/License: not available)
- Foriana is a tool for extracting information such as the process and module lists from a RAM image using logical relations between OS structures. (Availability/License: GNU GPL)
- Draugr is a Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
- Volatilitux is another Linux memory forensics tool written in Python. (Availability/License: GNU GPL)
- Idetect (Linux) http://forensic.seccure.net/ is an older implementation of Linux memory analysis.
Linux Memory Analysis Challenges
- The Digital Forensic Research Workshop 2008 Forensics Challenge focused on the development of Linux memory analysis techniques and the fusion of evidence from memory, hard disk, and network.
- Challenge SSTIC 2010 (French) dealt with analysis of physical memory from a mobile device running Android.
- Challenge 7 of the Honeynet Project's Forensic Challenge 2011 included forensic analysis of a memory image from a potentially compromised Linux server.
Linux Memory Images
Aside from those in the challenges referenced above, sample Linux memory images can also be found on the Second Look web site at http://secondlookforensics.com/images.html.
Linux Memory Analysis Bibliography
- Digital Forensics of the Physical Memory, M. Burdach, March 2005.
- Linux Physical Memory Analysis, Paul Movall, Ward Nelson, Shaun Wetzstein; Usenix, 2005.
- An Analysis Of Linux RAM Forensics, J.M. Urrea, Masters Thesis, Naval Postgraduate School, 2006.
- Linux Memory Forensics for DFRWS Challenge 2008 using Volatility, Crash, and PyFlag, by AAron Walters on the Volatile Systems Blog.
- FACE: Automated digital evidence discovery and correlation, Andrew Case, Andrew Cristina, Lodovico Marziale, Golden G. Richard, Vassil Roussev, DFRWS 2008
- Linux Live Memory Forensics, a presentation by Desnos Anthony describing the implementation of draugr, 2009.
- Forensic RAM Dump Image Analyzer by Ivor Kollar, describing the implementation of foriana, 2009.
- Treasure and tragedy in kmem_cache mining for live forensics investigation by Andrew Case, Lodovico Marziale, Cris Neckar, Golden G. Richard III; Digital Investigation, Volume 7, Supplement 1, The Proceedings of the Tenth Annual DFRWS Conference, August 2010. (Presentation)
- Second Look Web Page
- De-Anonymizing Live CDs through Physical Memory Analysis (Whitepaper) (Slides), Andrew Case; Blackhat DC 2011.
- Bringing Linux Support to Volatility, Andrew Case; Digital Forensics Solutions Blog, 2011.
- Workshop - Linux Memory Analysis with Volatility (Slides) Andrew Case; Blackhat Vegas 2011.
- Forcepoint Security Labs Blog: "Horse Pill Rootkit vs. Forcepoint Threat Protection for Linux" (Second Look)
- Forcepoint Security Labs Blog: "Detecting Register-Hooking Linux Rootkits with Forcepoint Second Look"
Volatility Mailing List Threads on Support for Linux: