Thursday, January 1, 2015

Top 8 Tools To Search Memory Under Linux / Unix [ Forensics Analysis ]

You can dump Linux or Unix server memory. This is useful for forensics analysis, and testing your own system. This is often desirable to see:
  • What code and what data actually resides in memory.
  • You can search for specific pids memory.
  • Search memory for string and other data such as passwords.
  • Works as add-on tool for gdb and others.
  • Search/replace/dump memory from running processes and core files.
  • All kinds of deep hacking activities that simply saves your time and solve problems.

LiME (Linux Memory Extractor)

From the project home page:
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

Draugr

From the project home page:
By using /dev/(k)mem or a memory dump, Draugr can be used to access easily in python to this memory, play (read, write, disassemble, search) with it ... and can find system information (processes ...) by different methods. It can find kernel symbols (pattern matching in a XML file or with EXPORT_SYMBOL), processes (informations and sections) (by the kernel linked list or bruteforce) and disassemble/dump the memory.

Volatilitux

From the project home page:
Volatilitux is pretty much the equivalent of Volatility for Linux systems. Volatilitux supports the following architectures for physical memory dumps:
* ARM
* x86
* x86 with PAE enabled
It supports the following commands:
* pslist: print the list of all process
* memmap: print the memory map of a process
* memdmp: dump the addressable memory of a process
* filelist: print the list of all open files for a given process
* filedmp: dump an open file

Memfetch

It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers - and a convenient way to grab "screenshots" from many types of text-based interactive utilities. To install memfetch:
## FreeBSD ##
pkg_add -r -v memfetch
 
## other *nix user download it from the following url ##
wget http://lcamtuf.coredump.cx/soft/memfetch.tgz
tar xvf memfetch.tgz
cd memfetch && make
 

Crash utility from Red Hat, Inc

The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump and kdump packages from Red Hat Linux, the mcore kernel patch ffered by Mission Critical Linux, or the LKCD kernel patch. This tool can be utilized for memory forensics. To install:
## RHEL / CentOS ##
yum install crash
 
## Novell / Suse / OpenSUSE ##
zypper install yast2-kdump

Memgrep

A simple utility to search/replace/dump memory from running processes and core files. To install:
## FreeBSD ##
pkg_add -r -v memgrep
 

Memdump

This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory. This software is distributed under the IBM Public License. To install memdump:
## Debian / ubuntu Linux ##
sudo apt-get install memdump
## FreeBSD ##
pkg_add -r -v memdupm
 
See man page for usage information:
man memdupm
=> Download memdump.

foriana

It is another tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.
If you have any other tips and tools you'd like to add, please share them in the comments below!

http://www.cyberciti.biz/programming/linux-memory-forensics-analysis-tools/

No comments: