Afterwards: See Analyzing memory
Linux
Process memory dump
Find out which memory segments are used by an application via its PID:
cat /proc/<pid>/maps
Dump the used memory from an application: (credit)
#!/bin/bash
# Usage: ./dump-process.sh <pid>
# Selects the writable private (rw-p) mappings from /proc/<pid>/maps and lets
# gdb copy each one into <pid>-<start>-<stop>.dump. Needs ptrace permission on
# the process (root, or the same user with a permissive ptrace_scope).
pid="$1"
grep rw-p "/proc/$pid/maps" \
| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
| while read -r start stop; do
    gdb --batch --pid "$pid" \
        -ex "dump memory $pid-$start-$stop.dump 0x$start 0x$stop"
done
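The same idea without gdb, as an added example that is not part of the original post: each line of /proc/&lt;pid&gt;/maps is parsed into a record (address range, permissions, file offset, device, inode, path), the rw-p regions are selected as above, and their bytes are copied straight out of /proc/&lt;pid&gt;/mem. Regions the kernel refuses to hand over are reported and skipped rather than aborting the whole run. The maps text in SAMPLE_MAPS is constructed for the example; the script still needs ptrace permission on the real PID (root, or the same user with a permissive kernel.yama.ptrace_scope).

```python
#!/usr/bin/env python3
"""Dump the writable private mappings of a live process via /proc/<pid>/mem.

Added example; the original post uses gdb for this. Names and the sample
maps text below are constructed for illustration.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List

# One line of /proc/<pid>/maps looks like:
# 5581d0c3b000-5581d0c5d000 rw-p 00000000 00:00 0    [heap]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed sample of a maps file (not captured from a real system).
SAMPLE_MAPS = """\
5581d0a00000-5581d0a01000 r--p 00000000 08:01 1234567    /usr/bin/sleep
5581d0a01000-5581d0a05000 r-xp 00001000 08:01 1234567    /usr/bin/sleep
5581d0c3b000-5581d0c5d000 rw-p 00000000 00:00 0          [heap]
7ffd4c2e1000-7ffd4c302000 rw-p 00000000 00:00 0          [stack]
7ffd4c3c8000-7ffd4c3cc000 r--p 00000000 00:00 0          [vvar]
7ffd4c3cc000-7ffd4c3ce000 r-xp 00000000 00:00 0          [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0  [vsyscall]
"""


@dataclass
class Region:
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_maps(text: str) -> List[Region]:
    """Parse the text of /proc/<pid>/maps into Region records."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or unexpected lines instead of failing
        regions.append(Region(
            start=int(m["start"], 16), end=int(m["end"], 16), perms=m["perms"],
            offset=int(m["offset"], 16), dev=m["dev"], inode=int(m["inode"]),
            path=m["path"].strip(),
        ))
    return regions


def select_regions(regions: List[Region], perms: str = "rw-p") -> List[Region]:
    """Keep the regions the gdb script dumps: writable private mappings.
    [vvar]/[vsyscall] are excluded explicitly, since /proc/<pid>/mem
    cannot read them even when their permission bits look harmless."""
    skip = {"[vvar]", "[vsyscall]"}
    return [r for r in regions if r.perms == perms and r.path not in skip]


def dump_regions(pid: int, regions: List[Region], out_dir: str) -> List[str]:
    """Copy each region out of /proc/<pid>/mem into <pid>-<start>-<end>.dump.
    Regions the kernel refuses to read (EIO/EPERM) are reported and skipped."""
    os.makedirs(out_dir, exist_ok=True)
    written = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in regions:
            name = os.path.join(out_dir, f"{pid}-{r.start:x}-{r.end:x}.dump")
            try:
                mem.seek(r.start)
                data = mem.read(r.size)
            except OSError as exc:
                print(f"skip {r.start:x}-{r.end:x} {r.path}: {exc}", file=sys.stderr)
                continue
            with open(name, "wb") as fh:
                fh.write(data)
            written.append(name)
    return written


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dump_proc_mem.py <pid>")
    target_pid = int(sys.argv[1])
    with open(f"/proc/{target_pid}/maps") as fh:
        selected = select_regions(parse_maps(fh.read()))
    for path in dump_regions(target_pid, selected, f"dump-{target_pid}"):
        print(path)
```

Run it as `python3 dump_proc_mem.py <pid>`; the dump files use the same naming scheme as the gdb script, so the later analysis steps do not change. Reading /proc/&lt;pid&gt;/mem follows the same ptrace access rules as gdb, so a permission error here means the same thing as gdb failing to attach.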
Complete memory dump
fmem
Requires root privileges. Could be outdated and not work on newer Linux kernels.
- Download fmem kernel module: https://github.com/NateBrune/fmem
- make && ./run to compile it and load it into the kernel
- dd if=/dev/fmem of=memory.dd bs=1MB count=512 — for 512 MB RAM. Adjust accordingly.
lime
- git clone https://github.com/504ensicsLabs/LiME
- cd src
- make
- Load the module and create the image:
- Into a local file: insmod lime-<generated-module>.ko "path=/<output-file>.mem format=lime"
- Into a remote file:
- On the victim (the machine being imaged): insmod lime-<generated-module>.ko "path=tcp:4444 format=lime"
- On the target (the analysis machine): nc <victim-ip> 4444 > system.mem
- Creating a system profile (maybe: apt-get install dwarfdump):
- git clone https://github.com/volatilityfoundation/volatility.git
- cd volatility/tools/linux
- make
- zip <system-name>.zip module.dwarf /boot/System.map-<running-kernel-version>
- Copy <system-name>.zip to the target server.
- On the target server:
- Copy <system-name>.zip into the plugins/overlays/linux/ directory.
- Make sure that the new profile is loaded with python vol.py --info | grep <system-name>
Rekall
Framework for memory investigation: https://github.com/google/rekall
Cheat sheet: https://digital-forensics.sans.org/media/rekall-memory-forensics-cheatsheet.pdf
Couldn't build on a VM. Hm…
Windows
Files that also contain memory:
- C:\pagefile.sys
- C:\swapfile.sys
- C:\hiberfil.sys
- C:\Windows\memory.dmp
WinPmem
Open source physical memory acquisition.
GitHub: Velocidex/WinPmem, the multi-platform memory acquisition tool: https://github.com/Velocidex/WinPmem