Chicago 2014

Chicago, IL | Sun, Aug 24 - Fri, Aug 29, 2014

Automating Linux Memory Capture for Analysis

  • Hal Pomeranz
  • Tuesday, August 26th, 7:15pm - 8:15pm

Volatility has included support for Linux memory analysis since v2.2. However, practitioners have faced two obstacles: (1) acquiring memory from a Linux system requires building, loading, and correctly using a third-party kernel module (such as LiME) for each system encountered; and (2) creating a system-specific Volatility "profile" for each system. Even for experts, these tasks are nontrivial and error prone when performed manually. Fortunately, the Linux environment makes scripting and automation straightforward. This session presents a tool for capturing actionable information from Linux systems. The tool, which has been tested and used many times, was created to be a simple, automated collection agent that can be installed on a portable USB device. The user should be able to insert the USB device into a system and execute a single command to capture the system's memory and produce a Volatility profile for use in later analysis. This session covers the basics of Linux memory capture and Volatility profile creation as a manual process, then looks at how to install and use the tool as a portable agent. Using the Volatility framework, the session will also demonstrate some of the valuable information that can only be obtained through memory analysis.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. They fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
  • Lunch & Learn: Short presentations given during the lunch break.

Each entry below lists: Session | Speaker | Time | Type

Sunday, August 24
  • General Session - Welcome to SANS | Johannes Ullrich | Sunday, August 24th, 8:15am - 8:45am | Special Events
  • The Security Impact of IPv6 | Johannes Ullrich | Sunday, August 24th, 7:15pm - 9:15pm | SANS@Night

Monday, August 25
  • Next Generation Firewalls | Jeff Eckley, Inside Sales Manager, Infogressive | Monday, August 25th, 12:30pm - 1:15pm | Lunch & Learn
  • Continuous Ownage: Why You Need Continuous Monitoring | Eric Conrad | Monday, August 25th, 7:15pm - 8:15pm | SANS@Night
  • Vendor Security ... Really? | Mark Williams | Monday, August 25th, 8:15pm - 9:15pm | SANS@Night

Tuesday, August 26
  • Software Security Assurance: Keeping Your Security Program on the Rails | Bruce Jenkins, Program Manager, HP | Tuesday, August 26th, 12:30pm - 1:15pm | Lunch & Learn
  • Automating Linux Memory Capture for Analysis | Hal Pomeranz | Tuesday, August 26th, 7:15pm - 8:15pm | SANS@Night

Wednesday, August 27
  • SANS 8 Mobile Device Security Steps | Chris Crowley | Wednesday, August 27th, 7:15pm - 8:15pm | SANS@Night

Thursday, August 28
  • Infosec Rock Star: How to be a More Effective Security Professional | Ted Demopoulos | Thursday, August 28th, 7:15pm - 8:15pm | SANS@Night