Studying memory with the Volatility memory dump analyzer

Volatile Traces

© Lead Image © spleen87, photocase.com

Article from Issue 157/2013

The Volatility forensic tool helps admins analyze what went wrong on a system. When you need to draw conclusions about malware, or even compromised services, peer into memory with Volatility.

The fact that information remains in the memory of a computer for some time, even after disconnecting the power supply, is an open secret [1]. This is especially true if you press the reset button, because that does not even interrupt the power supply. If you then reboot from a minimal operating system – using a USB stick, for example – you can dump large parts of the memory without any changes, almost as if you had full access to the previously running system.

You could dig a few things out of such a memory dump with standard Linux tools like strings and grep, but a full-blown memory dump analyzer such as Volatility [2] gives you much more – and the open source project is still expanding.

When we first looked at the Volatility memory analyzer in 2008, the framework could only analyze RAM images from Windows machines [3]. Now, version 2.2 or later is also available for Linux, and the upcoming 2.3 will handle Mac OS computers and Android devices. Linux admins can look forward to a large number of new tools and programs that can extract much information from a supposedly dead machine.

[...]
