  1. #1

    Question Guidance for Cyber Forensics project in Linux

    Hi there!

    I am a postgraduate student doing my final-year project in the field of memory forensics. I have been trying to extract digital evidence from the RAM dump of a Windows system and have been successful so far.
    I would like to do something similar on the Linux platform. Is there any suggestion as to what relevant evidence could be collected from the volatile memory of a Linux system? Could anyone suggest anything interesting and relevant for a final-year project?

  2. #2
    Rubberman (Linux Guru)
    Memory is easy to access in Linux, as long as you are root, or have root sudo privileges. From the "mem" man page:
    man mem
    MEM(4)                     Linux Programmer’s Manual                    MEM(4)
           mem, kmem, port - system memory, kernel memory and system ports
           mem  is a character device file that is an image of the main memory of the computer.  It may be used, for example, to examine (and even patch) the system.
           Byte addresses in mem are interpreted as physical memory addresses.  References to nonexistent locations  cause
           errors to be returned.
           Examining and patching is likely to lead to unexpected results when read-only or write-only bits are present.
           It is typically created by:
                  mknod -m 660 /dev/mem c 1 1
                  chown root:kmem /dev/mem
           The  file  kmem  is  the  same  as  mem,  except  that the kernel virtual memory rather than physical memory is
           It is typically created by:
                  mknod -m 640 /dev/kmem c 1 2
                  chown root:kmem /dev/kmem
           port is similar to mem, but the I/O ports are accessed.
           It is typically created by:
                  mknod -m 660 /dev/port c 1 4
                  chown root:mem /dev/port
           chown(1), mknod(1), ioperm(2)
           This page is part of release 3.22 of the Linux man-pages project.  A description of the project,  and  information about reporting bugs, can be found at
    Linux                             1992-11-21                            MEM(4)
    Anyway, you access main memory via the device/file id /dev/mem.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3


    Thanks for the reply, Rubberman. This gave me a starting point for further analysis.

    Also, after some searching on the internet, I found that various tools have been used for listing information like running processes and network connections from a Linux dump. So, I am thinking along those lines now...
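The two replies above cover the two halves of a Linux memory-forensics workflow: acquiring an image (Rubberman's /dev/mem in post #2) and triaging what is in it (the process and connection listing mentioned in post #3). The Python below is an added example written for this page, not code from either poster. It assumes a raw physical image (a byte-for-byte copy in which file offset equals physical address), uses a constructed sample buffer so it runs offline, and names its helpers (`acquire_physical_memory`, `carve_strings`, `find_ipv4`) as hypothetical. Two caveats a practitioner would add to post #2: with CONFIG_STRICT_DEVMEM, which mainstream distributions enable, the kernel refuses reads of most system RAM through /dev/mem, so acquisition is normally done with a loadable module such as LiME or via /proc/kcore; and /dev/kmem has been removed from recent kernels. The chunked reader below handles the failure mode the man page describes ("references to nonexistent locations cause errors to be returned") by zero-filling the refused chunk and recording its offset, so the image stays address-aligned.

```python
"""Added example for this thread: acquire a raw memory image and triage it.

Hypothetical helper code, not from either poster. Assumes a raw physical
image (file offset == physical address) and a constructed sample buffer.
"""
import hashlib
import os
import re
import tempfile

CHUNK = 1 << 20  # 1 MiB read granularity; small enough to localise read errors

# Constructed sample of what a raw image looks like around a few artifacts:
# a process command line, an ELF header, a connection string and a path.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"/usr/sbin/sshd -D\x00"
    + b"\x7fELF\x02\x01\x01\x00"
    + b"\x00" * 8
    + b"ESTABLISHED 192.168.56.101:22 -> 10.0.0.5:51234\x00"
    + b"\xff\xfe\x00\x01"
    + b"tmp\x00"
    + b"/etc/shadow\x00"
    + b"\x00" * 16
)


def acquire_physical_memory(src, dst, length, chunk=CHUNK):
    """Copy `length` bytes from `src` (e.g. /dev/mem, needs root) into `dst`.

    A chunk the kernel refuses (EPERM under CONFIG_STRICT_DEVMEM, EFAULT/EIO
    on a hole in the physical map) is zero-filled and its offset recorded, so
    offsets in the image still equal physical addresses. In real use take the
    ranges from the "System RAM" entries in /proc/iomem.
    Returns (bytes_written, failed_offsets).
    """
    failed, written, offset = [], 0, 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while offset < length:
            n = min(chunk, length - offset)
            try:
                fin.seek(offset)
                buf = fin.read(n)
            except OSError:
                failed.append(offset)
                buf = b"\x00" * n
            if not buf:  # regular-file stand-in hit EOF early
                break
            fout.write(buf)
            written += len(buf)
            offset += len(buf)
    return written, failed


def sha256_hex(data):
    """Digest recorded with the image so later analysis can be tied to it."""
    return hashlib.sha256(data).hexdigest()


def carve_strings(data, min_len=6):
    """(offset, text) for every run of >= min_len printable ASCII bytes.

    Same idea as `strings`; offsets matter because they can be mapped back
    to the process or kernel structure that owned that memory.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_ipv4(data):
    """Dotted-quad candidates in order of first appearance (crude triage only;
    real socket reconstruction needs kernel symbols and a tool like Volatility)."""
    pattern = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
    seen = []
    for m in pattern.finditer(data):
        text = m.group().decode("ascii")
        if all(int(o) <= 255 for o in text.split(".")) and text not in seen:
            seen.append(text)
    return seen


def demo_acquire_from_sample():
    """Run the acquisition offline with a temp file standing in for /dev/mem.
    Returns (bytes_written, failed_offsets, sha256 of the resulting image)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "fake_dev_mem")
        dst = os.path.join(tmp, "memory.raw")
        with open(src, "wb") as f:
            f.write(SAMPLE_DUMP)
        written, failed = acquire_physical_memory(src, dst, len(SAMPLE_DUMP), chunk=32)
        with open(dst, "rb") as f:
            image = f.read()
    return written, failed, sha256_hex(image)


if __name__ == "__main__":
    written, failed, digest = demo_acquire_from_sample()
    print(f"image: {written} bytes, unreadable chunks: {failed}, sha256: {digest}")
    for off, s in carve_strings(SAMPLE_DUMP):
        print(f"0x{off:08x}  {s}")
    print("ipv4 candidates:", find_ipv4(SAMPLE_DUMP))
```

Run as-is it only touches the constructed sample; pointed at a real image, `carve_strings` and `find_ipv4` give the same first-pass artifact list (command lines, paths, addresses) that the tools in post #3 build on, and the recorded digest plus the list of zero-filled offsets is what you keep with the image as its acquisition record.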

