computer forensics, computer forensics expert, mobile phone forensics, expert witness

Inside Out

How to acquire Linux memory images using without a driver

For a long time now, operating systems such as Windows and MacOS have prevented user space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to require the use of kernel drivers to export physical ram for acquisition. In the linux realm, Joe Sylve's LiME is the go-to for many.

It appears not widely known that on Linux x64, acquisition of physical memory is possible without using a driver such as LiME. The prerequisite here is that /proc/kcore is enabled, which fortunately is widely the case: Ubuntu ships with it enabled by default, as does Redhat. On x64 the full physical address space is mapped into the kernel address space, and /proc/kcore exports this as a part of its virtual ELF file view.

Fun fact: /proc/kcore is big: 128 TB.

bradley@ubuntu:~$ ls -lh /proc/kcore
-r-------- 1 root root 128T Jun 8 18:44 /proc/kcore

You don't want to acquire /proc/kcore - just the relevant part.

Acquisition via this technique is something that Rekall pioneered, as far as I know (please correct me if you know better). Evimetry supports the technique in our live agent for remote acquisition. The following serves as a short howto on acquisition using currently available tools.

How to acquire: Evimetry

Copy the Evimetry linux liveagent (x64) onto the suspect Linux host, along with its security certificates. Run the agent with the IP address of a Controller or a Dead Boot or Cloud agent as the destination:

root@ubuntu:~# ./evimetry.agent
Evimetry Lightweight Agent v3.0.8, a lightweight forensic acquisition agent.
Application IP Address:
Application IP Address: fe80::20c:29ff:fed7:3540
Application MAC Address: 00:0c:29:d7:35:40
Memory Size: 971.6MiB
Memory Allocation Alignment Size: 4096
Runnable IO threads: 1
Starting device enumeration
Exported devices:
/dev/sda [20.0GiB] : VMware_Virtual_S
/dev/sda1 (ext4) [19.0GiB] /
/dev/sda2 (unknown) [975.0MiB]
/dev/sda5 (swap) [975.0MiB]
/dev/sr0 [1024.0MiB] : VMware_Virtual_SATA_CDRW_Drive
No medium found
/dev/sr1 [1024.0MiB] : VMware_Virtual_SATA_CDRW_Drive
No medium found
/dev/fd0 [4.0KiB] : Unknown Model
No such device or address
Insufficient privileges to access device!
Checking Memory Map setup.
Memory Description: [971.6MiB / 4.0GiB]
Checking Certificate setup.
Secure Communications Enabled
Starting Fabric Manager
Attempting Fabric Connection

Using the attached Evimetry Controler, acquisition is a simple GUI operation.

Acquisition using Evimetry Controller & Live Agent

This works fine for both old pre-KASLR kernels as well as newer KASLR kernels (the above was for a Ubuntu 14.04.4 x64 VM. More information is available from the following walkthrough.

How to acquire: linpmem

Using the most recent released version of linpmem (2.1post4) from the releases page,  I was able to acquire an image of a Ubuntu 14.04.1 VM with the following command.

root@ubuntu:~# ./linpmem-2.1.post4 --format map -c snappy -o image.aff4
Setting compression snappy
Imaging memory
Creating output AFF4 ZipFile.
Reading 0x8000 0MiB / 1023MiB 0MiB/s
Reading 0x3940000 57MiB / 1023MiB 227MiB/s
Reading 0x6068000 96MiB / 1023MiB 156MiB/s


Reading 0x351d0000 849MiB / 1023MiB 247MiB/s
Reading 0x393f0000 915MiB / 1023MiB 264MiB/s
Reading 0x3df38000 991MiB / 1023MiB 300MiB/s
Adding /boot/ as file:///boot/
Adding /boot/abi-4.4.0-31-generic as file:///boot/abi-4.4.0-31-generic
Adding /boot/config-4.4.0-31-generic as file:///boot/config-4.4.0-31-generic
Adding /boot/grub/ as file:///boot/grub/
E0608 12:17:35.730147 4117] Unable to find storage for AFF4Directory file:///boot/grub/
E0608 12:17:35.730480 4117] Unable to find file:///boot/grub/
Adding /boot/initrd.img-4.4.0-31-generic as file:///boot/initrd.img-4.4.0-31-generic
Reading 0x8000 0MiB / 30MiB 0MiB/s
Adding /boot/vmlinuz-4.4.0-31-generic as file:///boot/vmlinuz-4.4.0-31-generic

CAVEAT: The most recent release of linpmem (linpmem-2.1.post4) failed for the Ubuntu 14.04.4 VM I tested. See github issue.

How to analyse

My next post will describe how to analyse the images created above.