Abstract

Memory forensics plays an important role in security and forensic investigations. Hence, numerous studies have investigated Windows memory forensics, and considerable progress has been made. In contrast, research on Linux memory forensics is relatively sparse, and the current knowledge does not meet the requirements of forensic investigators. Existing solutions are not especially sophisticated; their complicated operation and limited coverage are unsatisfactory. This paper describes an adaptive approach for Linux memory analysis that can automatically identify the kernel version and recover symbol information from an image. In particular, given a memory image or a memory snapshot without any additional information, the proposed technique can automatically reconstruct the kernel code, identify the kernel version, recover symbol table files, and extract live system information. Experimental results indicate that our method runs satisfactorily across a wide range of operating system versions.

Highlights

  • The physical memory of a computer is highly useful but can be a challenging resource for the collection of digital evidence

  • We examine the performance of RAMAnalyzer on various recent Linux kernels, and show that it is an adaptive solution for the Linux memory analysis problem

  • Section 4 (Research methodology) describes the detailed processes of kernel version identification, kallsyms location and symbol value recovery, symbol table file recovery, and live system information extraction

Summary

Introduction

The physical memory of a computer is highly useful but can be a challenging resource for the collection of digital evidence. Physical memory may at first appear to be a large, amorphous, and unstructured collection of data. By examining a memory image, we can extract details of volatile data, such as running processes, logged-in users, current network connections, users’ sessions, drivers, and open files. Although criminals tend to avoid leaving any evidence in a computer’s persistent storage, it is extremely hard for them to completely remove their footprints from memory. Physical memory is then the only place where evidence can be found. In a computer operating system (OS) that boots and runs completely from CD-ROM, most of the valuable information exists in the physical memory of the computer. Given a Linux kernel, we need to know its major version (e.g., 2.6 or 3.10) and its minor version, because the symbol information and data structures of different Linux kernels differ.
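The paragraph above states why the kernel version must be recovered from the image before anything else can be parsed, since the data-structure layouts an analyst applies depend on it. As an added illustration (not the paper's RAMAnalyzer code, and not a description of its method), the following script shows one widely used way to get that first fact from a raw image with no outside information: scanning for the kernel's build banner, which the kernel embeds in its own text and also writes to the log ring buffer, and reading the major, minor and patch numbers out of it. The banner strings and the memory image are constructed here, patterned after CentOS kernels, and the "most frequent release wins" rule for resolving stale banners is a design choice of this example.

```python
"""Locate Linux kernel banners in a raw memory image and read the version out of them.

Added example; the image bytes below are constructed, not taken from a real dump.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# The kernel's build string (linux_banner in init/version.c) has the shape
#   "Linux version <release> (<user>@<host>) (<compiler>) #<build> <date>"
# and the same text appears in the kernel log buffer and in /proc/version.
# [^\s\x00] is used instead of \S so a match never runs into NUL padding.
BANNER_RE = re.compile(
    rb"Linux version "
    rb"(?P<release>(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?[^\s\x00]*) "
    rb"\([^\s\x00]+@[^\s\x00]+\) "
    rb"\((?P<compiler>.*?)\) #(?P<build>\d+)[^\n\x00]*"
)


@dataclass(frozen=True)
class KernelBanner:
    offset: int      # byte offset of the banner inside the image
    release: str     # full release string, e.g. "3.10.0-1160.el7.x86_64"
    major: int
    minor: int
    patch: int
    compiler: str
    raw: str         # the whole banner line as found


def find_kernel_banners(image: bytes) -> List[KernelBanner]:
    """Return every well-formed kernel banner in the image, in offset order."""
    banners = []
    for m in BANNER_RE.finditer(image):
        banners.append(KernelBanner(
            offset=m.start(),
            release=m.group("release").decode("ascii", "replace"),
            major=int(m.group("major")),
            minor=int(m.group("minor")),
            patch=int(m.group("patch") or 0),
            compiler=m.group("compiler").decode("ascii", "replace").strip(),
            raw=m.group(0).decode("ascii", "replace"),
        ))
    return banners


def identify_kernel_version(image: bytes) -> Optional[KernelBanner]:
    """Pick the banner most likely to belong to the running kernel.

    An image usually holds more than one banner: the kernel's own copy, copies
    in the log ring buffer, and stale strings from cached files (old dmesg
    logs, another kernel's vmlinuz). The release string that occurs most often
    is taken as the running kernel; on a tie the earliest offset wins, because
    Counter.most_common keeps first-seen order for equal counts.
    """
    banners = find_kernel_banners(image)
    if not banners:
        return None
    best_release = Counter(b.release for b in banners).most_common(1)[0][0]
    return next(b for b in banners if b.release == best_release)


# Constructed sample image: NUL/0xFF filler, two copies of a 3.10 banner (the
# running kernel) and one stale 2.6 banner sitting inside a cached log line.
RUNNING = (b"Linux version 3.10.0-1160.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) "
           b"(gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) "
           b"#1 SMP Mon Oct 19 16:18:59 UTC 2020\n")
STALE = (b"Linux version 2.6.32-754.el6.x86_64 (mockbuild@x86-01.bsys.centos.org) "
         b"(gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) "
         b"#1 SMP Tue Jun 19 21:26:04 UTC 2018\n")
SAMPLE_IMAGE = (b"\x00" * 4096 + RUNNING + b"\x00" * 512
                + b"[    0.000000] " + STALE + b"\xff" * 256
                + RUNNING + b"\x00" * 1024)


if __name__ == "__main__":
    for b in find_kernel_banners(SAMPLE_IMAGE):
        print(f"0x{b.offset:08x}  {b.release}")
    best = identify_kernel_version(SAMPLE_IMAGE)
    print("running kernel:", best.major, best.minor, best.patch, "->", best.release)
```

On a real dump the image would be read from disk (or memory-mapped) instead of `SAMPLE_IMAGE`; the major.minor pair returned is what selects the symbol information and structure layouts that the rest of the analysis depends on.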
