- 12-14-2011 #1 Just Joined!
- Join Date
- Dec 2011
- Posts
- 2
Guidance for Cyber Forensics project in Linux
Hi there!
I am a Post Graduate student doing my final year project in the field of memory forensics. I have been trying to extract digital evidence from the RAM dump of a Windows system and have been successful, so far.
I would like to do something similar on the Linux platform. Is there any suggestion as to what relevant evidence could be collected from the volatile memory of a Linux system? Could anyone suggest anything interesting and relevant for a final year project?
- 12-20-2011 #2 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 10,152
Memory is easy to access in Linux, as long as you are root, or have root sudo privileges. From the "mem" man page:

Code:
man mem
MEM(4)                     Linux Programmer's Manual                    MEM(4)

NAME
       mem, kmem, port - system memory, kernel memory and system ports

DESCRIPTION
       mem is a character device file that is an image of the main memory of
       the computer. It may be used, for example, to examine (and even patch)
       the system.

       Byte addresses in mem are interpreted as physical memory addresses.
       References to nonexistent locations cause errors to be returned.

       Examining and patching is likely to lead to unexpected results when
       read-only or write-only bits are present.

       It is typically created by:

              mknod -m 660 /dev/mem c 1 1
              chown root:kmem /dev/mem

       The file kmem is the same as mem, except that the kernel virtual memory
       rather than physical memory is accessed. It is typically created by:

              mknod -m 640 /dev/kmem c 1 2
              chown root:kmem /dev/kmem

       port is similar to mem, but the I/O ports are accessed. It is typically
       created by:

              mknod -m 660 /dev/port c 1 4
              chown root:mem /dev/port

FILES
       /dev/mem
       /dev/kmem
       /dev/port

SEE ALSO
       chown(1), mknod(1), ioperm(2)

COLOPHON
       This page is part of release 3.22 of the Linux man-pages project. A
       description of the project, and information about reporting bugs, can
       be found at http://www.kernel.org/doc/man-pages/.

Linux                            1992-11-21                             MEM(4)

Anyway, you access main memory via the device/file id /dev/mem.

Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
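An added example, not posted by anyone in this thread, of acquiring a RAM image through the /dev/mem interface described above while respecting the man page's warning that reads of nonexistent locations return errors: it parses /proc/iomem, reads only the top-level "System RAM" ranges (never reserved or device regions), zero-pads the holes so that an offset in the image equals a physical address, and hashes the image as it is written for later integrity checks. It assumes root and a kernel that permits reading RAM through /dev/mem; kernels built with CONFIG_STRICT_DEVMEM refuse such reads, and a kernel-module based acquisition tool is needed instead.

```python
"""Dump the 'System RAM' ranges listed in /proc/iomem from /dev/mem
into a physically addressed, zero-padded raw image (constructed example)."""
import hashlib
import re
from typing import BinaryIO, List, Tuple

# /proc/iomem lines look like "00100000-3fffffff : System RAM";
# children of a range are indented by spaces (e.g. "  01000000-015fffff : Kernel code").
_IOMEM_RE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return [(start, end_inclusive), ...] for every top-level 'System RAM' entry."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):          # nested entry: covered by its parent range
            continue
        m = _IOMEM_RE.match(line)
        if m and m.group(3) == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def dump_ranges(src: BinaryIO, dst: BinaryIO, ranges: List[Tuple[int, int]],
                chunk: int = 1 << 20) -> Tuple[int, str]:
    """Copy each inclusive [start, end] range from src into dst, zero-filling the
    gaps so that offset == physical address. Regions outside the ranges (MMIO,
    reserved) are never read. Returns (image_size, sha256_hex)."""
    digest = hashlib.sha256()
    pos = 0                                # physical address of the next byte of dst
    for start, end in sorted(ranges):
        while pos < start:                 # pad the hole before this range
            pad = b"\0" * min(chunk, start - pos)
            dst.write(pad)
            digest.update(pad)
            pos += len(pad)
        src.seek(start)
        while pos <= end:
            data = src.read(min(chunk, end - pos + 1))
            if not data:
                raise IOError(f"short read at physical address {pos:#x}")
            dst.write(data)
            digest.update(data)
            pos += len(data)
    return pos, digest.hexdigest()


if __name__ == "__main__":
    import sys
    with open("/proc/iomem") as f:
        ram = parse_system_ram(f.read())
    with open("/dev/mem", "rb") as mem, open(sys.argv[1], "wb") as out:
        print(dump_ranges(mem, out, ram))   # prints (size, sha256) for the evidence log
```

Record the printed size and hash alongside the image; they are what lets a later analysis (for example, carving process lists or network connections from the dump) be tied back to this acquisition.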
- 12-28-2011 #3 Just Joined!
- Join Date
- Dec 2011
- Posts
- 2
Thanks for the reply, Rubberman. This gave me a starting point for further analysis.
Also, after some searching on the internet, I found that various tools have been used for listing out information like running processes and network connections from a Linux dump. So, I am thinking on those lines now...