Forensic analysis of memory on Linux
Tracing Clues
In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.
Experts agree that one of the first steps for diagnosing a potential intrusion incident is backing up a RAM image. Traditional investigations of persistent memory are no longer sufficient because, as the capacity of hard drives increases, you need to investigate a huge amount of data to detect an attack. Analysis of volatile memory can support and accelerate these investigations because forensic investigators only need to search through a comparatively small amount of data for clues relating to a successful attack. Additionally, RAM often contains important traces, such as information on running processes or active network connections.
Tapping into RAM is especially important for countering anti-forensics techniques. In some cases, it is possible to extract the passphrase for an encrypted drive from volatile memory. You can also detect non-persistent malware using RAM analysis. In targeted attacks, hackers often use malicious code that is only active in memory, and it leaves no data behind on the disk. This type of malware is virtually undetectable without analyzing volatile memory.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
US / Canada
UK / Australia
Direct Download
Read full article as PDF:
Price $2.95
News
-
KDE Plasma Developers Introduce a GNOME-Like Overview
A new overview effect makes it easier for users to interact with both Plasma Activities and Virtual Desktops.
-
Rocky Linux 8.5 Now Available with Secure Boot Support
The latest iteration of CentOS alternative, Rocky Linux has arrived and includes numerous updates as well as support for Secure Boot.
-
System76 Developing a New Desktop Environment
The makers of Pop!_OS are currently in the early stages of creating a brand new, non-GNOME, desktop environment.
-
Hetzner Opens New Location in the USA
The Hetzner cost-effective Cloud solution has arrived in the United States to offer cloud servers that offer solid performance without a high price.
-
KDE Plasma 5.24 Introduces Fingerprint Reader Support
The next release of the KDE Plasma desktop environment will include support for fingerprint readers for session authentication and more.
-
Ubuntu 21.10 Released and Finally Includes Gnome 40
The most anticipated update to Ubuntu is finally here and the workflow couldn't be better.
-
Linux Can Now Run on Apple’s M1 Chipset
Linux users looking to take advantage of Apple Silicon are about to get their wish with the M1 chipset.
-
MX Linux 21 RC Candidate Available For Testing
The MX Linux development team has released the RC images for MX Linux 21 for testing purposes.
-
Fedora 35 is Shaping Up to Be an Impressive Release
Although the beta version of Fedora’s upcoming release is behind schedule, the Linux distribution is still slotted for October and will include numerous bug fixes and some exciting new features.
-
Canonical Extends Support For Ubuntu 14.04 and 16.04
The company behind Ubuntu offered a much-needed lifeline to those who still depend on older versions of the open-source operating system.