Two years ago, I worked on live memory forensics on Linux because I could not find anything about memory forensics on Linux. Currently, you can't find useful tools (and therefore no information) for a raw dump of Linux kernel memory, such as /dev/kmem, /dev/mem, /proc/kcore or a physical dump (e.g. acquired over FireWire). Even with Volatile Systems it is possible to extract information, but you must have patched your kernel beforehand...
That's why, last year, I released a tool called draugr, written in Python. This tool was designed for the x86 architecture. I have provided very little documentation, apart from the source code, but you can find information in the videos and in the description in my slides.
Last week, Emilien Girault released Volatilitux, which is easier to use and supports the ARM architecture!
It is still one more tool, though, and now we need a single project to create a kernel memory forensics tool for Unix systems, or to integrate all of this work into Volatile Systems.
So if people are ready to work on this subject, I would join forces ;)