Forensic analysis using Memory Dump

I'm in my second year in college and I've taken an Operating Systems course that has a project component.
I've been assigned Memory Forensics as my project topic.
On approaching the professor I was told that I need to attempt to attack the Linux Kernel ( I'm guessing that means I need to write a process that tries to access the Kernel space from User mode? ) and then identify the occurrence of this attack from a memory dump ( I don't know if this will happen automatically when I try to access the Kernel i.e. will the system just crash and force a memory dump? )
I've been looking up for Memory Forensics analysis tools and Volatility is one and LiMe ( Linux Memory extractor) is for creating the dump I think?
I need a sense of direction about how to proceed with this and right now I'm very confused and don't even know how to start and what to do first.
Also, I suppose I should do all of this on a Virtual Machine so I don't destroy my system?
Please do help out.
 
665
295
Put eyecatchers (unusual repeated character strings) in constants in your program, so it will be easier to find in the dump, then attempt to read a protected area of the kernel. Before running your program, start the process to capture the dump:

This is excerpted from http://www.forensicswiki.org/wiki/Tools:Memory_Imaging

Linux
LiME
Linux Memory Extractor (LiME) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports dumping memory either to the file system of the device or over the network.
Linux Memory Grabber by Hal Pomeranz
a tool to create Linux Volatility profiles and dump memory (using LiME) from an USB Key, without installation on local HDD. Very useful
/dev/crash
On Red Hat systems (and those running related distros such as Fedora or CentOS), the crash driver can be loaded to create pseudo-device /dev/crash for raw physical memory access (via command "modprobe crash"). This module can also be compiled for other Linux distributions with minor effort (see, for example, http://gleeda.blogspot.com/2009/08/devcrash-driver.html). When the crash driver is modified, compiled, and loaded on other systems, the resulting memory access device is not safe to image in its entirety. Care must be taken to avoid addresses that are not RAM-backed. On Linux, /proc/iomem exposes the correct address ranges to image, marked with "System RAM".
/dev/mem
On older Linux systems, the program dd can be used to read the contents of physical memory from the device file /dev/mem. On recent Linux systems, however, /dev/mem provides access only to a restricted range of addresses, rather than the full physical memory of a system. On other systems it may not be available at all. Throughout the 2.6 series of the Linux kernel, the trend was to reduce direct access to memory via pseudo-device files. See, for example, the message accompanying this patch: http://lwn.net/Articles/267427/.
Second Look: Linux Memory Forensics
This commercial memory forensics product ships with a modified version of the crash driver and a script for safely dumping memory using the original or modified driver on any given Linux system.
fmem
fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels. Under GNU GPL.
lmap and pmem
pmem is a loadable kernel module that exposes /dev/pmem. lmap allows to inject the pmem functionality into existing kernel modules to bypass having to build a pmem kernel module for every different kernel version.
 

Want to reply to this thread?

"Forensic analysis using Memory Dump" You must log in or register to reply here.

Physics Forums Values

We Value Quality
• Topics based on mainstream science
• Proper English grammar and spelling
We Value Civility
• Positive and compassionate attitudes
• Patience while debating
We Value Productivity
• Disciplined to remain on-topic
• Recognition of own weaknesses
• Solo and co-op problem solving
Top