Forensic analysis of memory on Linux

Tracing Clues

In computer forensics, memory analysis is becoming increasingly important as a means of investigating security incidents. In this article, we provide an overview of the various options for dumping memory on Linux and introduce the Volatility Analysis Framework's support for analyzing Linux memory images.

Experts agree that one of the first steps in diagnosing a potential intrusion is capturing an image of RAM. Traditional investigations of persistent storage alone are no longer sufficient: as hard drive capacities grow, the amount of data that must be examined to detect an attack becomes enormous. Analysis of volatile memory can support and accelerate these investigations, because forensic investigators only need to search through a comparatively small amount of data for clues relating to a successful attack. Additionally, RAM often contains important traces that never reach the disk, such as information on running processes or active network connections.

Tapping into RAM is especially important for countering anti-forensics techniques. In some cases, it is possible to recover the passphrase for an encrypted drive from volatile memory. RAM analysis also makes it possible to detect non-persistent malware: in targeted attacks, attackers often use malicious code that is active only in memory and leaves no data behind on the disk. This type of malware is virtually undetectable without analyzing volatile memory.

Read full article as PDF:

Price $2.95

Related content

  • Volatility 2.3

    The Volatility forensic tool helps admins analyze what went wrong on a system. When you need to draw conclusions about malware, or even compromised services, peer into memory with Volatility.

  • Security Lessons: Rescue Tools

    When attackers strike your system, you need to determine exactly what damage has been done. Here are some tools to help.

  • BackTrack and Sleuth Kit

    Once you determine a system has been attacked, boot to the BackTrack Live forensics distro and start your investigation with Sleuth Kit.

  • Code Analysis

    Linux offers some sophisticated tools for understanding how malware can slip through the gaps in an unsuspecting application.

  • Table of Contents: 149

    This month, we show you how to automate tasks in LibreOffice and give you some tools to tighten system security.
