  1. #1
    ssv
    Just Joined!
    Join Date: Dec 2011
    Posts: 2

    Guidance for Cyber Forensics project in Linux

    Hi there!

    I am a postgraduate student doing my final year project in the field of memory forensics. I have been trying to extract digital evidence from the RAM dump of a Windows system and have been successful so far.
    I would like to do something similar on the Linux platform. Is there any suggestion as to what relevant evidence could be collected from the volatile memory of a Linux system? Could anyone suggest anything interesting and relevant for a final year project?

  2. #2
    Rubberman
    Linux Guru
    Join Date: Apr 2009
    Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts: 11,517
    Memory is easy to access in Linux, as long as you are root or have root sudo privileges. From the "mem" man page:
    Code:
    man mem
    
    
    MEM(4)                     Linux Programmer’s Manual                    MEM(4)
    
    NAME
           mem, kmem, port - system memory, kernel memory and system ports
    
    DESCRIPTION
           mem  is a character device file that is an image of the main memory of the computer.  It may be used, for
           example, to examine (and even patch) the system.
    
           Byte addresses in mem are interpreted as physical memory addresses.  References to nonexistent locations  cause
           errors to be returned.
    
           Examining and patching is likely to lead to unexpected results when read-only or write-only bits are present.
    
           It is typically created by:
    
                  mknod -m 660 /dev/mem c 1 1
                  chown root:kmem /dev/mem
    
           The  file  kmem  is  the  same  as  mem,  except  that the kernel virtual memory rather than physical memory is
           accessed.
    
           It is typically created by:
    
                  mknod -m 640 /dev/kmem c 1 2
                  chown root:kmem /dev/kmem
    
           port is similar to mem, but the I/O ports are accessed.
    
           It is typically created by:
    
                  mknod -m 660 /dev/port c 1 4
                  chown root:mem /dev/port
    
    FILES
           /dev/mem
           /dev/kmem
           /dev/port
    
    SEE ALSO
           chown(1), mknod(1), ioperm(2)
    
    COLOPHON
           This page is part of release 3.22 of the Linux man-pages project.  A description of the project, and
           information about reporting bugs, can be found at http://www.kernel.org/doc/man-pages/.
    
    Linux                             1992-11-21                            MEM(4)
    Anyway, you access main memory via the device/file id /dev/mem.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
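
    Reading physical memory through /dev/mem as described above works range by range, and a practitioner wants two things the man page does not spell out: which physical ranges are actually RAM (take them from /proc/iomem first, since MEM(4) says reads of nonexistent addresses return errors), and a record of every read the kernel refused, because a kernel built with CONFIG_STRICT_DEVMEM (the default on most distributions since the 2.6.x era) returns EPERM for RAM above the first megabyte, so a naive `dd if=/dev/mem` stops almost immediately. The Python below is an added example, not code posted in this thread; `SAMPLE_IOMEM` is a constructed stand-in for /proc/iomem and `demo()` runs the acquisition against a constructed file instead of the real device, so it can be run without root. The output layout (file offset equals physical address, holes zero-filled) is the "padded" raw form that memory analysis tools accept.

```python
"""Range-by-range physical memory acquisition through /dev/mem (added example)."""
import errno
import hashlib
import os
import re
import tempfile

# Top-level /proc/iomem lines look like "00100000-bffdffff : System RAM";
# nested entries (e.g. "  01000000-01a00d2b : Kernel code") are indented
# and deliberately not matched, so every RAM range is taken exactly once.
IOMEM_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.*)$")

# Constructed stand-in for /proc/iomem; not captured from a real machine.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-00001fff : System RAM
  00001000-000017ff : Kernel code
00002000-00002fff : Reserved
00003000-00003fff : System RAM
"""


def parse_system_ram(iomem_text):
    """Return [(start, end_inclusive), ...] for top-level 'System RAM' entries."""
    ranges = []
    for line in iomem_text.splitlines():
        m = IOMEM_LINE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def acquire(mem_path, iomem_text, out_path, chunk=1 << 20):
    """Copy every System RAM range from mem_path into a padded raw image.

    The image is written so that file offset == physical address: holes
    between ranges are zero-filled, and a chunk the kernel refuses to hand
    over (EPERM under CONFIG_STRICT_DEVMEM, EFAULT, or a short read) is
    zero-filled as well and recorded in 'failures', so gaps are documented
    rather than silently folded into the evidence.
    """
    ranges = parse_system_ram(iomem_text)
    sha = hashlib.sha256()
    copied, failures, cursor = 0, [], 0
    with open(mem_path, "rb", buffering=0) as mem, open(out_path, "wb") as out:
        def emit(data):
            nonlocal cursor
            out.write(data)
            sha.update(data)
            cursor += len(data)

        for start, end in ranges:
            while cursor < start:                    # zero-fill the hole before this range
                emit(bytes(min(chunk, start - cursor)))
            pos = start
            while pos <= end:
                n = min(chunk, end - pos + 1)
                try:
                    data = os.pread(mem.fileno(), n, pos)
                    if len(data) != n:
                        raise OSError(errno.EIO, "short read")
                except OSError as e:
                    failures.append((pos, n, e.errno))  # document the gap
                    data = bytes(n)
                else:
                    copied += n
                emit(data)
                pos += n
    return {"ranges": ranges, "bytes_copied": copied, "failures": failures,
            "image_size": cursor, "sha256": sha.hexdigest()}


def demo():
    """Run acquire() against a constructed 0x3000-byte file standing in for /dev/mem.

    The second RAM range in SAMPLE_IOMEM lies past the end of that file, so
    pread() comes back short there and the failure path is exercised.
    """
    pattern = bytes(range(256)) * (0x3000 // 256)
    with tempfile.TemporaryDirectory() as d:
        fake_mem = os.path.join(d, "fake_mem")
        image = os.path.join(d, "ram.padded")
        with open(fake_mem, "wb") as f:
            f.write(pattern)
        result = acquire(fake_mem, SAMPLE_IOMEM, image, chunk=0x1000)
        with open(image, "rb") as f:
            produced = f.read()
    # Expected layout: hole, the one readable range, hole, zero-filled failed range.
    expected = bytes(0x1000) + pattern[0x1000:0x2000] + bytes(0x2000)
    result["layout_ok"] = produced == expected
    result["image_sha256"] = hashlib.sha256(produced).hexdigest()
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2 and os.geteuid() == 0:
        with open("/proc/iomem") as f:   # needs root: addresses read as zeros otherwise
            print(acquire("/dev/mem", f.read(), sys.argv[1]))
    else:
        print(demo())
```

    Run as root with an output path to image the live machine; without root it runs the constructed demo. The `failures` list is the check to look at first: a run on a STRICT_DEVMEM kernel will show EPERM (errno 1) for every chunk above 1 MiB, which is the signal to fall back to a kernel-module acquirer or a hypervisor-side snapshot instead of trusting a mostly-zero image. Hashing the image as it is written gives the acquisition record a value to compare against later copies.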

  3. #3
    ssv
    Just Joined!
    Join Date: Dec 2011
    Posts: 2

    Thanks for the reply, Rubberman. This gave me a starting point for further analysis.

    Also, after some searching on the internet, I found that various tools have been used for listing information like running processes and network connections from a Linux dump. So I am thinking along those lines now...
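
    On the analysis side, the first thing any tool that lists processes or sockets from a Linux dump has to know is which kernel build produced it, because the layout of task_struct and the socket structures changes between builds; the kernel's `linux_banner` string ("Linux version ...") is how that is usually established, and it normally occurs more than once in RAM (the kernel's read-only data and the dmesg ring buffer). The scanner below is an added example, not code from this thread or from any of the tools the post refers to. It expects a padded raw image whose file offsets equal physical addresses; `SAMPLE_BANNER` and the image `demo()` builds are constructed, not captured from a real system, and the chunk size in `demo()` is deliberately small so that a banner straddling a chunk boundary is exercised.

```python
"""Carve the kernel version banner out of a raw Linux memory image (added example)."""
import os
import re
import tempfile

# linux_banner starts "Linux version " and ends at a newline; the length cap
# keeps a corrupt region from producing an unbounded match.
BANNER = re.compile(rb"Linux version [0-9][^\x00\n]{0,200}")

# Constructed banner text for the demo; not captured from a real machine.
SAMPLE_BANNER = (b"Linux version 3.2.0-4-amd64 (debian-kernel@lists.debian.org) "
                 b"(gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.51-1")


def scan_bytes(data, pattern=BANNER, base=0):
    """Return [(physical_offset, text)] for every match in data."""
    return [(base + m.start(), m.group().decode("ascii", "replace"))
            for m in pattern.finditer(data)]


def scan_image(path, pattern=BANNER, chunk=1 << 24, overlap=256):
    """Scan a padded raw image (file offset == physical address) chunk by chunk.

    The last 'overlap' bytes of each chunk are prepended to the next one so a
    banner cut by a chunk boundary is still matched whole; overlap must exceed
    the longest possible match (here 14 + 1 + 200 bytes). Hits are keyed by
    offset, so the truncated match seen at the end of one chunk is replaced by
    the complete match found once the next chunk is scanned with the overlap
    in front of it, and a match lying entirely inside the overlap is counted once.
    """
    hits = {}
    tail = b""
    offset = 0                                   # file offset of the next block
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            buf = tail + block                   # buf starts at offset - len(tail)
            for off, text in scan_bytes(buf, pattern, offset - len(tail)):
                hits[off] = text
            offset += len(block)
            tail = buf[-overlap:]
    return sorted(hits.items())


def demo():
    """Build a constructed 0x5000-byte image holding two banner copies, one of
    them straddling the 0x2000 chunk boundary, and scan it with chunk=0x2000."""
    image = bytearray(0x5000)
    for phys in (0x1f80, 0x4000):
        image[phys:phys + len(SAMPLE_BANNER) + 1] = SAMPLE_BANNER + b"\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ram.padded")
        with open(path, "wb") as f:
            f.write(image)
        return scan_image(path, chunk=0x2000)


if __name__ == "__main__":
    import sys
    print(scan_image(sys.argv[1]) if len(sys.argv) == 2 else demo())
```

    The offsets it reports are physical addresses, which is the point of acquiring a padded image in the first place: a hit can be cross-checked against the System RAM ranges of the source machine, and two copies of the banner at different addresses are the normal case rather than a sign of tampering. The same chunked-with-overlap loop carries over to any other fixed-prefix artifact you want to carve from a dump before committing to a kernel profile.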
