Abstract:
Live memory analysis on Linux-based systems has never been easy. Analysts have traditionally had to work through several stages before an investigation could even begin: taking a snapshot of the whole disk or of memory, shutting down the compromised machine, and then examining the captured memory in a lab. This approach carries a high risk of losing potential evidence, because powering the machine down not only ends all running processes but also alters the behaviour of many programs, which can mislead the investigator. Capturing the live state of memory, by contrast, is crucial for forensic investigators, since it contains the running processes, file and directory information, recent activity, session details, and user activity related information.
Apart from the issue of post-mortem investigation, comparatively little work has been done on Linux memory forensics compared to Windows. Live memory analysis requires a precise understanding of the complex "struct layout" information in memory and of how memory stores data, and it involves multiple steps to analyse the memory and extract valuable evidence. Looking for clues and tracing suspicious activity in memory can be a slow task if the traditional approach is taken and the analyst does not know which tools to use and which techniques retrieve information quickly and sufficiently. Although there are many Linux-based forensic investigation tools, only a few focus on memory analysis, and many of those are outdated. The open source ones are either not properly documented or their documentation does not match the currently available version.
Copyright TechForing Ltd.