FORENSIC INSIGHT SEMINAR
An Introduction to
Linux Memory Forensics
proneer
http://forensic-proof.com
Security is a people problem…
JK Kim
forensicinsight.org Page 2 / 20
Outline
1. Live Forensics
2. Memory Forensics
Live Forensics
Live LISTs (aimed at Ubuntu)
Storage/Partition/File System Information
• fdisk -l
• cat /proc/scsi/scsi
• ls -R /proc/ide
• cat /proc/diskstats
• cat /proc/partitions
• df -h
Modules
• cat /proc/modules
• lsmod
System Information
• uname -a
• uptime
• cat /proc/version
• cat /proc/cpuinfo
Installed Software
• dpkg --get-selections
• cat /var/log/dpkg.log
Process Status
• ps -elf
Scheduling, Start Programs
• cat /etc/crontab
• ls /etc/init.d/*
Routing Table
• netstat -rn
Network Interfaces, Hosts
• ifconfig -a
• cat /etc/hosts
ARP Table
• arp -a
Network Status
• netstat -anp
Open Files & Sockets
• lsof -i -P -n
Recent Commands
• cat ~/.bash_history
Accounts
• cat /etc/passwd
• cat /etc/shadow
• cat /etc/group
User Activity
• w
• finger -lmsp
• last
Boot Messages
• dmesg
Print Queues
• ls /var/spool/lpd/lp/*
Run Level
• runlevel
Swap Partitions
• cat /proc/swaps
Memory Information
• cat /proc/meminfo
• cat /proc/<pid>/maps
• cat /proc/iomem
• cat /proc/slabinfo
• cat /proc/vmallocinfo
• cat /proc/vmstat
• vmstat
Memory Forensics
Targets
System Memory
• /dev/mem (access to the whole physical memory area is limited)
Kernel Memory
• /dev/kmem
Memory Dump Tools
fmem (http://hysteria.sk/~niekt0/foriana/fmem_current.tgz)
• fmem is an LKM (Linux Kernel Module) that provides /dev/fmem, which can be read without the limitations of /dev/mem.
• The tool gives direct access to physical memory in the same way as /dev/mem.
• The physical memory can be copied using dd-like tools.
LiME (http://code.google.com/p/lime-forensics/)
• LiME is an LKM (Linux Kernel Module) for acquiring volatile memory.
• The tool also supports acquisition on Android and dumping over the network.
Second Look®: The Linux Memory Forensic Acquisition (http://secondlookforensics.com/)
• This tool is a commercial forensic solution with a modified crash driver and a script that dumps memory using that driver.
fmem (http://hysteria.sk/~niekt0/foriana/fmem_current.tgz)
1. $ wget http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
2. $ tar -xvf fmem_current.tgz
3. $ make (compile)
4. $ ./run.sh (load LKM)
5. $ dd if=/dev/fmem of=/var/tmp/fmem_dump.dd bs=1MB count…
root@ubuntu:/var/tmp# lsmod | grep fmem
fmem 13001 0
root@ubuntu:/var/tmp# dd if=/dev/fmem of=./fmem_dump.dd bs=1MB
535+0 records in
535+0 records out
535000000 bytes (535 MB) copied, 20.8761 s, 25.6 MB/s
root@ubuntu:/var/tmp# ll
total 522472
-rw-r--r-- 1 root root 535000000 2012-05-12 09:32 fmem_dump.dd
LiME (http://code.google.com/p/lime-forensics/)
1. $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime-forensics-read-only
2. $ make (compile)
3. $ insmod lime.ko path=<target dir> (load LKM)
root@ubuntu:/var/tmp# ls
lime.ko
root@ubuntu:/var/tmp# insmod lime.ko path=/var/tmp
root@ubuntu:/var/tmp# ll
total 1046256
-r--r--r-- 1 root root 534708224 2012-05-12 09:42 1336840920_100000_1feeffff.pdump
-r--r--r-- 1 root root 587776 2012-05-12 09:42 1336840920_10000_9f7ff.pdump
-r--r--r-- 1 root root 1048576 2012-05-12 09:42 1336840920_1ff00000_1fffffff.pdump
root@ubuntu:/var/tmp# lsmod | grep lime
lime 12686 0
root@ubuntu:/var/tmp#
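As an added example that is not part of the slides or of LiME itself: a shell check for the per-range .pdump output listed above. The file-name layout (<epoch>_<start>_<end>.pdump, hex byte addresses) and the three sizes come from the listing on the slide, so each file must be exactly end - start + 1 bytes long; the /proc/iomem text used in the test is constructed to match those three ranges, and the assumption that this LiME build dumps exactly the top-level "System RAM" ranges of /proc/iomem (captured in the Memory Information checklist) is mine.

```shell
#!/bin/sh
# Added example, not part of the slides or of LiME: sanity-check a per-range
# LiME acquisition like the listing above. That LiME build writes one file per
# physical-memory range, named <epoch>_<start>_<end>.pdump with start and end
# as hex byte addresses, so each file must be exactly end - start + 1 bytes,
# and the set of ranges should match the top-level "System RAM" lines of the
# /proc/iomem captured during live response (assumption: LiME dumps exactly
# those ranges). A short or missing file means the acquisition is incomplete.

# pdump_range FILE : print "start end" in decimal, parsed from the file name.
pdump_range() {
    b=${1##*/}; b=${b%.pdump}
    s=${b#*_}; e=${s#*_}; s=${s%%_*}
    echo "$(( 0x$s )) $(( 0x$e ))"
}

# expected_size FILE : byte length implied by the file name (end - start + 1).
expected_size() {
    set -- $(pdump_range "$1")
    echo $(( $2 - $1 + 1 ))
}

# file_size FILE : actual length in bytes (wc -c is portable, stat flags are not).
file_size() { wc -c <"$1" | tr -d ' '; }

# check_pdump FILE : one report line; returns 1 if the length does not match.
check_pdump() {
    want=$(expected_size "$1"); have=$(file_size "$1")
    if [ "$have" -eq "$want" ]; then
        printf 'OK   %s  %s bytes\n' "${1##*/}" "$have"; return 0
    fi
    printf 'BAD  %s  expected %s bytes, got %s\n' "${1##*/}" "$want" "$have"
    return 1
}

# check_dump_dir DIR : check every .pdump in DIR; returns 1 if any is wrong.
check_dump_dir() {
    rc=0
    for f in "$1"/*.pdump; do
        [ -e "$f" ] || continue
        check_pdump "$f" || rc=1
    done
    return $rc
}

# dump_total DIR : sum of the actual sizes of all .pdump files, in bytes.
dump_total() {
    t=0
    for f in "$1"/*.pdump; do
        if [ -e "$f" ]; then t=$(( t + $(file_size "$f") )); fi
    done
    echo "$t"
}

# iomem_ram_ranges IOMEM_FILE : "start end" (decimal) for each top-level
# "System RAM" line; indented child entries such as "Kernel code" are skipped.
iomem_ram_ranges() {
    awk -F'[- :]+' '/^[0-9a-f]+-[0-9a-f]+ : System RAM$/ { print $1, $2 }' "$1" |
    while read -r s e; do echo "$(( 0x$s )) $(( 0x$e ))"; done
}

# check_coverage IOMEM_FILE DIR : every System RAM range needs a .pdump whose
# name encodes exactly that range; prints MISSING lines and returns 1 if any.
check_coverage() {
    missing=$(iomem_ram_ranges "$1" | while read -r s e; do
        found=0
        for f in "$2"/*.pdump; do
            if [ -e "$f" ] && [ "$(pdump_range "$f")" = "$s $e" ]; then found=1; fi
        done
        [ "$found" -eq 1 ] || printf 'MISSING range %x-%x\n' "$s" "$e"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
```

Typical use after the insmod step: `check_dump_dir /var/tmp && check_coverage iomem.txt /var/tmp`, where iomem.txt is the /proc/iomem copy taken during live response.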
Memory Analysis Tools
Foriana (http://hysteria.sk/~niekt0/foriana/)
• Foriana is a tool for extracting information such as processes, modules, … from a physical memory image (fmem).
• Commands
  • --list-modules
  • --list-processes
  • --list-files
  • --magic-module
  • --magic-process
  • --magic-user-process
  • --create-process/module-pattern
  • --debug
  • …
Volatilitux (http://code.google.com/p/volatilitux/)
• Volatilitux is a Python-based tool for analyzing Linux physical memory.
• Supported Architectures
  • ARM, x86, x86 with PAE enabled
• Commands
  • pslist, memmap, memdmp, filelist, filedmp
• Tested Machines
  • Android 2.1
  • Fedora 5 and 8
  • Debian 5
  • CentOS 5
  • Ubuntu 10.10 with and without PAE
Second Look®: The Linux Memory Forensic Analysis (http://secondlookforensics.com/)
• This tool is a commercial forensic solution with a modified crash driver and a script that dumps memory using that driver.
In addition to that …
• Volatility Framework for Linux (http://code.google.com/p/volatility/wiki/LinuxMemoryForensics)
• Draugr (http://code.google.com/p/draugr/)
• Red Hat Crash Utility (http://people.redhat.com/anderson/)
• Idetect (http://forensic.seccure.net/)
• Forensic Analysis Toolkit (FATKit)
Questions?
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 

Recently uploaded (20)

Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 

(120513) #fitalk an introduction to linux memory forensics

forensicinsight.org Page 12 / 20
Memory Forensics
 System Memory
• /dev/mem  access is restricted: it cannot be used to read the whole physical memory area. Most distribution kernels, Ubuntu included, are built with CONFIG_STRICT_DEVMEM, which on x86 exposes only the first 1 MiB and device (non-RAM) ranges through /dev/mem.
 Kernel Memory
• /dev/kmem  the kernel's virtual address space; it exists only on kernels built with CONFIG_DEVKMEM, and the device was removed from Linux in 5.13.
Targets
forensicinsight.org Page 13 / 20
Memory Forensics
 fmem (http://hysteria.sk/~niekt0/foriana/fmem_current.tgz)
• fmem is an LKM (Linux Kernel Module) that creates /dev/fmem, a device that can be read without the restrictions placed on /dev/mem.
• The device gives direct access to physical memory in the same way /dev/mem does.
• The physical memory can be copied with dd-like tools.
 LiME (http://code.google.com/p/lime-forensics/; the project has since moved to https://github.com/504ensicsLabs/LiME)
• LiME is an LKM (Linux Kernel Module) for acquiring volatile memory.
• It also supports acquiring memory from Android devices and dumping over the network.
 Second Look®: The Linux Memory Forensic Acquisition (http://secondlookforensics.com/)
• A commercial forensic solution that ships a modified crash driver and a script that dumps memory through that driver.
Memory Dump Tools
forensicinsight.org Page 14 / 20
Memory Forensics
 fmem (http://hysteria.sk/~niekt0/foriana/fmem_current.tgz)
1. $ wget http://hysteria.sk/~niekt0/foriana/fmem_current.tgz
2. $ tar -xvf fmem_current.tgz
3. $ make (compile)
4. $ ./run.sh (load the LKM)
5. $ dd if=/dev/fmem of=/var/tmp/fmem_dump.dd bs=1MB count…

root@ubuntu:/var/tmp# lsmod | grep fmem
fmem 13001 0
root@ubuntu:/var/tmp# dd if=/dev/fmem of=./fmem_dump.dd bs=1MB
535+0 records in
535+0 records out
535000000 bytes (535 MB) copied, 20.8761 s, 25.6 MB/s
root@ubuntu:/var/tmp# ll
total 522472
-rw-r--r-- 1 root root 535000000 2012-05-12 09:32 fmem_dump.dd

• Note: with bs=1MB and no count, dd reads until the device returns an error, so the image ends wherever fmem stopped; the 535,000,000 bytes copied here are short of the 512 MiB (536,870,912 bytes) that the LiME ranges on the next slide show for this VM. Derive skip/count from the System RAM ranges in /proc/iomem, write the image to external media or over the network rather than onto the evidence disk, and hash it as soon as it is written.
fmem
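The following script is an added example and is not part of the slides or of the fmem project. It shows how the dd parameters that the slide leaves open (the skip and count for each range) can be derived from /proc/iomem so that only real RAM is read and the expected image size is known before acquisition starts. It assumes fmem's device node is /dev/fmem, as on the slide; the embedded /proc/iomem text is a constructed sample whose three System RAM ranges match the three LiME .pdump files shown on the next slide, and the output directory in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the slides or of fmem itself: pick the "System RAM"
# ranges out of /proc/iomem and turn them into dd skip/count values for
# /dev/fmem, so only real RAM is read and the expected image size is known up
# front. Assumes fmem's device node is /dev/fmem, as on the slide.

BLOCK=4096   # dd block size; System RAM ranges start on page boundaries

# Constructed /proc/iomem sample (not taken from any real machine); its three
# System RAM ranges match the three LiME .pdump files shown on the next slide.
SAMPLE_IOMEM='00000000-0000ffff : reserved
00010000-0009f7ff : System RAM
0009f800-0009ffff : reserved
000f0000-000fffff : reserved
00100000-1feeffff : System RAM
  01000000-016f5e0a : Kernel code
1fef0000-1fefefff : ACPI Tables
1ff00000-1fffffff : System RAM
e0000000-efffffff : 0000:00:02.0'

# ram_ranges [iomem_file]: "start end" (hex, inclusive) for every top-level
# System RAM entry. Indented lines are children of a range and are skipped.
# Without an argument the constructed sample above is used.
ram_ranges() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_IOMEM"; fi |
        grep '^[0-9a-f]*-[0-9a-f]* : System RAM$' |
        sed 's/ : System RAM$//; s/-/ /'
}

# dd_plan [iomem_file]: "skip count bytes name" per range, skip/count in BLOCKs.
# count is rounded up, so a range that ends mid-page pulls in the rest of that
# page (in the sample, 2 KiB of the reserved area above 0x9f7ff).
dd_plan() {
    ram_ranges "$1" | while read -r start end; do
        s=$((0x$start)); e=$((0x$end + 1))
        echo "$((s / BLOCK)) $(( (e - s + BLOCK - 1) / BLOCK )) $((e - s)) ${start}_${end}"
    done
}

# ram_total_bytes [iomem_file]: size of all System RAM, i.e. the number of bytes
# an image of these ranges must contain (the dd on the slide stopped short of it).
ram_total_bytes() {
    total=0
    for b in $(dd_plan "$1" | cut -d' ' -f3); do total=$((total + b)); done
    echo "$total"
}

# acquire outdir [iomem_file]: dump each range from /dev/fmem into outdir
# (external media or a network mount, not the evidence disk) and hash the files.
acquire() {
    outdir=$1
    [ -c /dev/fmem ] || { echo "no /dev/fmem: load the fmem module first" >&2; return 1; }
    dd_plan "${2:-/proc/iomem}" | while read -r skip count bytes name; do
        dd if=/dev/fmem of="$outdir/ram_$name.dd" bs=$BLOCK skip="$skip" count="$count" 2>/dev/null
    done
    sha256sum "$outdir"/ram_*.dd > "$outdir/ram.sha256"
}

# Usage on the target, as root, after ./run.sh has loaded fmem (placeholder path):
#   acquire /mnt/usb
```

Because the per-range files keep the physical start address in their name, the image can later be reassembled with the real addresses intact, and comparing the sum of the file sizes with ram_total_bytes is a quick check that nothing was cut short.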
forensicinsight.org Page 15 / 20
Memory Forensics
 LiME (http://code.google.com/p/lime-forensics/)
1. $ svn checkout http://lime-forensics.googlecode.com/svn/trunk/ lime-forensics-read-only
2. $ make (compile)
3. $ insmod lime.ko path=<target dir> (load the LKM; the dump starts as soon as the module loads)

root@ubuntu:/var/tmp# ls
lime.ko
root@ubuntu:/var/tmp# insmod lime.ko path=/var/tmp
root@ubuntu:/var/tmp# ll
total 1046256
-r--r--r-- 1 root root 534708224 2012-05-12 09:42 1336840920_100000_1feeffff.pdump
-r--r--r-- 1 root root    587776 2012-05-12 09:42 1336840920_10000_9f7ff.pdump
-r--r--r-- 1 root root   1048576 2012-05-12 09:42 1336840920_1ff00000_1fffffff.pdump
root@ubuntu:/var/tmp# lsmod | grep lime
lime 12686 0
root@ubuntu:/var/tmp#

• Note: this LiME build writes one <timestamp>_<start>_<end>.pdump file per System RAM range (addresses in hex, end inclusive); the three files above cover 0x10000-0x9f7ff, 0x100000-0x1feeffff and 0x1ff00000-0x1fffffff, i.e. a 512 MiB VM. Current LiME releases require a format= parameter (raw, padded or lime) and write a single file, e.g. insmod lime.ko "path=/mnt/usb/ram.lime format=lime"; path=tcp:<port> serves the dump to a listener over the network instead of writing to the target's disk.
LiME
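The script below is an added example and is not part of the slides or of the LiME project. The LiME build shown on the slide leaves one .pdump file per physical range, but most analysis tools want a single image in which the file offset equals the physical address; this script rebuilds such a padded image from the per-range files, zero-filling the holes between ranges and refusing to continue when ranges overlap or a file's size disagrees with the range in its name. The naming convention <timestamp>_<start>_<end>.pdump is taken from the slide; the case directory in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the slides or of LiME: rebuild one padded physical
# image from the per-range files the LiME build on the slide wrote
# (<timestamp>_<start>_<end>.pdump, start/end in hex, end inclusive). Gaps
# between ranges are zero-filled so that an offset into the output equals the
# physical address, which page-table walking analysers expect. Overlapping
# ranges or a file whose size disagrees with its name abort the join.

# pdump_ranges dir: "start end file" (decimal) for each .pdump, sorted by start.
pdump_ranges() {
    for f in "$1"/*_*_*.pdump; do
        [ -e "$f" ] || continue            # no matches: the glob stays literal
        b=$(basename "$f" .pdump)
        start=${b#*_}; start=${start%_*}   # middle field of the name
        end=${b##*_}                       # last field of the name
        printf '%d %d %s\n' "$((0x$start))" "$((0x$end))" "$f"
    done | sort -n
}

# zero_fill nbytes file: append nbytes of zeros to file (whole pages, then rest).
zero_fill() {
    dd if=/dev/zero bs=4096 count=$(($1 / 4096)) 2>/dev/null >> "$2"
    dd if=/dev/zero bs=1 count=$(($1 % 4096)) 2>/dev/null >> "$2"
}

# pdump_join dir out: concatenate the ranges in address order into out.
# Returns non-zero (and leaves a partial out) on overlap or a size mismatch.
pdump_join() {
    out=$2
    : > "$out"
    pdump_ranges "$1" | {
        pos=0                              # next physical address to write
        while read -r start end f; do
            [ "$start" -ge "$pos" ] || { echo "overlap at $start in $f" >&2; exit 1; }
            [ "$start" -eq "$pos" ] || zero_fill $((start - pos)) "$out"
            size=$(( $(wc -c < "$f") ))
            [ "$size" -eq $((end - start + 1)) ] ||
                { echo "$f: $size bytes, name says $((end - start + 1))" >&2; exit 1; }
            cat "$f" >> "$out"
            pos=$((end + 1))
        done
    }
}

# Usage on the analysis box, after copying the .pdump files off the target
# (placeholder paths):
#   pdump_join /cases/ubuntu-vm/pdumps /cases/ubuntu-vm/ram_padded.dd
```

The size check matters because a range file that is shorter than its name claims shifts every later range in the padded image, and the resulting wrong physical offsets show up much later as failed page-table walks rather than as an obvious error.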
forensicinsight.org Page 16 / 20
Memory Forensics
 Foriana (http://hysteria.sk/~niekt0/foriana/)
• Foriana extracts structures such as processes and modules from a physical memory image (for example one taken with fmem).
• Commands
 --list-modules
 --list-processes
 --list-files
 --magic-module
 --magic-process
 --magic-user-process
 --create-process/module-pattern
 --debug
 …
Memory Analysis Tools
forensicinsight.org Page 17 / 20
Memory Forensics
 Volatilitux (http://code.google.com/p/volatilitux/)
• Volatilitux is a Python-based tool for analysing Linux physical memory images.
• Supported architectures
 ARM, x86, x86 with PAE enabled
• Commands
 pslist, memmap, memdmp, filelist, filedmp
• Tested machines
 Android 2.1
 Fedora 5 and 8
 Debian 5
 CentOS 5
 Ubuntu 10.10 with and without PAE
Memory Analysis Tools
forensicinsight.org Page 18 / 20
Memory Forensics
 Second Look®: The Linux Memory Forensic Analysis (http://secondlookforensics.com/)
• A commercial forensic solution that ships a modified crash driver and a script that dumps memory through that driver.
Memory Analysis Tools
forensicinsight.org Page 19 / 20
Memory Forensics
 In addition to that …
• Volatility Framework for Linux (http://code.google.com/p/volatility/wiki/LinuxMemoryForensics; now maintained at https://github.com/volatilityfoundation. Linux analysis needs a profile, or for Volatility 3 a symbol table, built for the exact kernel of the imaged system.)
• Draugr (http://code.google.com/p/draugr/)
• Red Hat Crash Utility (http://people.redhat.com/anderson/)
• Idetect (http://forensic.seccure.net/)
• Forensic Analysis Toolkit (FATKit)
Memory Analysis Tools
forensicinsight.org Page 20 / 20
Questions?