-
See also: MemProcFS
The forensic memory framework Volatility (Version 3 since 2019) offers a wide range of methods to analyse memory. See the blog post Retrieving memory for methods and techniques to obtain memory.
Start by getting general information about a memory dump:
volatility -f image.mem imageinfo
Now use the following commands to get more information:…
-
Afterwards: See Analyzing memory
Linux process memory dump
Find out which memory segments are used by an application via its PID:
cat /proc/<pid>/maps
Dump the used memory from an application: (credit)
#!/bin/bash
grep rw-p /proc/$1/maps \
  | sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
  | while read start stop; do \
      gdb --batch --pid $1 -ex \…