Linux Memory Grabber: automating Linux memory capture and analysis
Linux Memory Grabber
A script for dumping Linux memory and creating Volatility(TM) profiles.
To analyze Linux memory, you first need to be able to capture Linux memory. AVML works great, but if your system doesn't have /proc/kcore or /dev/crash then you will need Joe Sylve's Linux Memory Extractor (LiME). LiME is a kernel module, so you need one compiled for the exact kernel of the system where you want to grab RAM.
Volatility(TM) is great at analyzing Linux memory images. But it needs a profile that matches the system where the memory was captured. Building a profile means compiling a C program (a small kernel module) on the appropriate system and using dwarfdump to extract the layouts and addresses of important kernel data structures from its DWARF debug information. You also need a copy of the matching System.map file from the /boot directory.
Now if you happen to have a duplicate of your target system, you can build the Volatility(TM) profile on the clone and, if necessary, build LiME there too, then use them to capture and analyze memory from your target. But in many situations a duplicate of your target system is not available, so you may have to build your Volatility(TM) profile and LiME on the target machine itself.
And this is not for the faint of heart. There are a number of steps, and some fairly low-level Linux commands involved. My goal was to create a package that could be installed (by an expert) on a thumb drive and distributed to agents in the field. The user of the thumb drive should be able to plug the thumb drive in, run a single command, and successfully acquire a memory image of the target machine and a working Volatility(TM) profile. The result is my lmg (Linux Memory Grabber) script.
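The workflow described above, as an added shell example that is not lmg's own code. It assumes (not stated on the page) that AVML, a LiME source tree and a Volatility 2.x checkout live under $TOOLS on the thumb drive, that output goes to $OUT, and that the target has kernel headers, gcc, make, dwarfdump and zip installed.

```shell
#!/bin/sh
# Added example, not lmg's own code: capture RAM, then build a Volatility profile.
# Assumed layout: $TOOLS/avml, $TOOLS/lime (LiME source), $TOOLS/volatility.
set -eu
TOOLS="${TOOLS:-/mnt/usb/tools}"
OUT="${OUT:-/mnt/usb/capture}"
KVER="$(uname -r)"

# AVML can read /proc/kcore or /dev/crash; without either, fall back to LiME.
# $1 is the root to probe (default "/"), overridable so the logic is testable.
choose_capture_method() {
    root="${1:-}"
    if [ -e "$root/proc/kcore" ] || [ -e "$root/dev/crash" ]; then
        echo avml
    else
        echo lime
    fi
}

# Dump RAM with whichever method applies; LiME must be built for this kernel.
capture_memory() {
    mkdir -p "$OUT"
    case "$(choose_capture_method)" in
        avml) "$TOOLS/avml" "$OUT/$KVER.lime" ;;
        lime)
            make -C "$TOOLS/lime/src"                 # produces lime-$KVER.ko
            insmod "$TOOLS/lime/src/lime-$KVER.ko" "path=$OUT/$KVER.lime format=lime"
            rmmod lime ;;
    esac
}

# Build the Volatility profile: compile the module, let the Makefile run
# dwarfdump -di on it, then zip module.dwarf with the matching System.map.
build_profile() {
    sysmap="/boot/System.map-$KVER"
    [ -r "$sysmap" ] || { echo "missing $sysmap" >&2; return 1; }
    make -C "$TOOLS/volatility/tools/linux"
    zip -j "$OUT/Linux-$KVER.zip" "$TOOLS/volatility/tools/linux/module.dwarf" "$sysmap"
}

# The privileged steps only run when invoked as "sh lmg-example.sh run" by root,
# so the file can also be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    capture_memory
    build_profile
fi
```

The resulting zip goes into Volatility's plugins/overlays/linux/ directory on the analysis machine, and the image is read with --profile set to the name Volatility derives from it.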