LiME (Linux Memory Extractor)
From the project home page:
LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
=> Download LiME
Draugr
From the project home page:
By using /dev/(k)mem or a memory dump, Draugr can be used to access this memory easily in Python, play (read, write, disassemble, search) with it ... and can find system information (processes ...) by different methods. It can find kernel symbols (pattern matching in an XML file or with EXPORT_SYMBOL), processes (information and sections) (by the kernel linked list or bruteforce) and disassemble/dump the memory.
=> Download draugr
Volatilitux
From the project home page:
Volatilitux is pretty much the equivalent of Volatility for Linux systems. Volatilitux supports the following architectures for physical memory dumps:
* ARM
* x86
* x86 with PAE enabled
It supports the following commands:
* pslist: print the list of all processes
* memmap: print the memory map of a process
* memdmp: dump the addressable memory of a process
* filelist: print the list of all open files for a given process
* filedmp: dump an open file
=> Download volatilitux.
Memfetch
Memfetch is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers, and a convenient way to grab "screenshots" from many types of text-based interactive utilities. To install memfetch:
## FreeBSD ##
pkg_add -r -v memfetch
## other *nix user download it from the following url ##
wget http://lcamtuf.coredump.cx/soft/memfetch.tgz
tar xvf memfetch.tgz
cd memfetch && make
=> Download memfetch
Crash utility from Red Hat, Inc
The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump and kdump packages from Red Hat Linux, the mcore kernel patch offered by Mission Critical Linux, or the LKCD kernel patch. This tool can be utilized for memory forensics. To install:
## RHEL / CentOS ##
yum install crash
## Novell / Suse / OpenSUSE ##
zypper install yast2-kdump
=> Download crash
Memgrep
A simple utility to search/replace/dump memory from running processes and core files. To install:
## FreeBSD ##
pkg_add -r -v memgrep
=> Download memgrep.
Memdump
This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory. This software is distributed under the IBM Public License. To install memdump:
## Debian / ubuntu Linux ##
sudo apt-get install memdump
## FreeBSD ##
pkg_add -r -v memdump
See man page for usage information:
man memdump
=> Download memdump.
foriana
Foriana is another tool for extraction of information such as the process and module lists from a RAM image, using logical relations between OS structures.
=> Download foriana
If you have any other tips and tools you'd like to add, please share them in the comments below!
Links
http://code.google.com/p/lime-forensics/
http://code.google.com/p/draugr/
http://code.google.com/p/volatilitux/
http://lcamtuf.coredump.cx/
http://people.redhat.com/anderson/
http://hysteria.sk/~niekt0/foriana/