For a long time now, operating systems such as Windows and macOS have prevented user-space applications from accessing the raw physical memory of the machine. Physical acquisition and virtualisation approaches aside, this has led the field to rely on kernel drivers to export physical RAM for acquisition. In the Linux realm, Joe Sylve's LiME is the go-to for many.
It appears to be not widely known that on Linux x64, acquisition of physical memory is possible without a driver such as LiME. The prerequisite is that /proc/kcore is enabled, which fortunately is widely the case: Ubuntu ships with it enabled by default, as does Red Hat. On x64 the full physical address space is mapped into the kernel address space, and /proc/kcore exports this mapping as part of its virtual ELF file view.
Fun fact: /proc/kcore is big: 128 TB.
bradley@ubuntu:~$ ls -lh /proc/kcore
-r-------- 1 root root 128T Jun 8 18:44 /proc/kcore
You don't want to acquire all of /proc/kcore - just the relevant part.
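To make the "relevant part" concrete, here is an added example (not code from this post, Rekall, Evimetry or linpmem) that parses the ELF64 program headers /proc/kcore synthesises, picks the PT_LOAD segment covering a physical address via the kernel direct map, and reads just those bytes. It assumes the x86-64 pre-KASLR direct-map base (a KASLR kernel needs page_offset_base from the symbol table instead) and runs against a constructed in-memory stand-in for /proc/kcore, since the real file needs root on a Linux host.

```python
import io
import struct

PT_LOAD = 1
# Assumed x86-64 direct-map base: 0xffff880000000000 on pre-KASLR kernels. KASLR
# kernels randomise it, so there it must be read from the page_offset_base symbol.
DIRECT_MAP_BASE = 0xFFFF880000000000

def parse_load_segments(hdr: bytes) -> list:
    """Parse the ELF64 header and PT_LOAD program headers; returns (offset, vaddr, size) tuples."""
    if hdr[:4] != b"\x7fELF" or hdr[4] != 2:
        raise ValueError("not an ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", hdr, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", hdr, 0x36)
    segs = []
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", hdr, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_off, p_vaddr, p_filesz))
    return segs

def phys_to_offset(segs, paddr: int, base: int = DIRECT_MAP_BASE):
    """Physical address -> kcore file offset via the direct map; None if not exported RAM."""
    vaddr = base + paddr
    hits = [o + (vaddr - v) for o, v, s in segs if v <= vaddr < v + s]
    return hits[0] if hits else None  # None: memory hole, MMIO, or outside the RAM ranges

def read_phys(fh, segs, paddr: int, length: int, base: int = DIRECT_MAP_BASE) -> bytes:
    """Read `length` bytes of physical RAM at `paddr` from an open kcore-like handle."""
    off = phys_to_offset(segs, paddr, base)
    if off is None:
        raise ValueError(f"physical {paddr:#x} is not exported as RAM")
    fh.seek(off)
    return fh.read(length)

def build_sample_kcore() -> bytes:
    """Constructed stand-in for /proc/kcore: a vmalloc segment and a 4 KiB direct-map segment."""
    phoff, nph, psz = 0x40, 2, 0x1000
    data_off = phoff + nph * 56
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 4, 0x3E, 1, 0, phoff, 0, 0, 0x40, 56, nph, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_LOAD, 7, data_off, 0xFFFFC90000000000, 0, psz, psz, psz)
    ph += struct.pack("<IIQQQQQQ", PT_LOAD, 7, data_off + psz, DIRECT_MAP_BASE + psz, 0, psz, psz, psz)
    # vmalloc data is zeros; the RAM segment carries a constructed marker at physical 0x1010
    return ehdr + ph + bytes(psz) + bytes(0x10) + b"LINUXRAM" + bytes(psz - 0x18)

def demo() -> bytes:
    img = build_sample_kcore()
    return read_phys(io.BytesIO(img), parse_load_segments(img[:0x200]), 0x1010, 8)
```

On a real host the same functions apply to an open read-only handle on /proc/kcore, iterating over the "System RAM" ranges from /proc/iomem rather than one fixed address.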
Acquisition via this technique is something that Rekall pioneered, as far as I know (please correct me if you know better). Evimetry supports the technique in our live agent for remote acquisition. The following serves as a short howto on acquisition using currently available tools.
How to acquire: Evimetry
Copy the Evimetry linux liveagent (x64) onto the suspect Linux host, along with its security certificates. Run the agent with the IP address of a Controller or a Dead Boot or Cloud agent as the destination:
root@ubuntu:~# ./evimetry.agent 192.168.189.1
Evimetry Lightweight Agent v3.0.8, a lightweight forensic acquisition agent.
Application IP Address: 192.168.189.207
Application IP Address: fe80::20c:29ff:fed7:3540
Application MAC Address: 00:0c:29:d7:35:40
Memory Size: 971.6MiB
Memory Allocation Alignment Size: 4096
Runnable IO threads: 1
Starting device enumeration
Exported devices:
/dev/sda [20.0GiB] : VMware_Virtual_S
/dev/sda1 (ext4) [19.0GiB] /
/dev/sda2 (unknown) [975.0MiB]
/dev/sda5 (swap) [975.0MiB]
/dev/sr0 [1024.0MiB] : VMware_Virtual_SATA_CDRW_Drive No medium found
/dev/sr1 [1024.0MiB] : VMware_Virtual_SATA_CDRW_Drive No medium found
/dev/fd0 [4.0KiB] : Unknown Model No such device or address
Insufficient privileges to access device!
Checking Memory Map setup.
Memory Description: [971.6MiB / 4.0GiB]
Checking Certificate setup.
Secure Communications Enabled
Starting Fabric Manager
Attempting Fabric Connection
Using the attached Evimetry Controller, acquisition is a simple GUI operation.
This works fine for both old pre-KASLR kernels and newer KASLR kernels (the above was for an Ubuntu 14.04.4 x64 VM). More information is available from the following walkthrough.
How to acquire: linpmem
Using the most recent released version of linpmem (2.1post4) from the releases page, I was able to acquire an image of an Ubuntu 14.04.1 VM with the following command.
root@ubuntu:~# ./linpmem-2.1.post4 --format map -c snappy -o image.aff4
Setting compression snappy
Imaging memory
Creating output AFF4 ZipFile.
Reading 0x8000 0MiB / 1023MiB 0MiB/s
Reading 0x3940000 57MiB / 1023MiB 227MiB/s
Reading 0x6068000 96MiB / 1023MiB 156MiB/s
<snip>
Reading 0x351d0000 849MiB / 1023MiB 247MiB/s
Reading 0x393f0000 915MiB / 1023MiB 264MiB/s
Reading 0x3df38000 991MiB / 1023MiB 300MiB/s
Adding /boot/System.map-4.4.0-31-generic as file:///boot/System.map-4.4.0-31-generic
Adding /boot/abi-4.4.0-31-generic as file:///boot/abi-4.4.0-31-generic
Adding /boot/config-4.4.0-31-generic as file:///boot/config-4.4.0-31-generic
Adding /boot/grub/ as file:///boot/grub/
E0608 12:17:35.730147 4117 aff4_directory.cc:105] Unable to find storage for AFF4Directory file:///boot/grub/
E0608 12:17:35.730480 4117 aff4_imager_utils.cc:259] Unable to find file:///boot/grub/
Adding /boot/initrd.img-4.4.0-31-generic as file:///boot/initrd.img-4.4.0-31-generic
Reading 0x8000 0MiB / 30MiB 0MiB/s
Adding /boot/vmlinuz-4.4.0-31-generic as file:///boot/vmlinuz-4.4.0-31-generic
CAVEAT: The most recent release of linpmem (linpmem-2.1.post4) failed for the Ubuntu 14.04.4 VM I tested. See the GitHub issue.
How to analyse
My next post will describe how to analyse the images created above.