Automating Linux Memory Capture for Analysis
- Hal Pomeranz
- Tuesday, August 26th, 7:15pm - 8:15pm
Volatility has included support for Linux memory analysis since v2.2. However, practitioners have faced two obstacles: (1) Acquiring memory from a Linux system requires building, loading, and correctly using a third-party kernel module (such as LiME) for each system encountered; and (2) Creating a system-specific volatility "profile" for each system. Even for experts, these tasks are nontrivial and error prone if performed manually. Fortunately, the Linux environment makes scripting and automation straightforward. This session presents a tool to capture actionable information from Linux systems. The tool, which has been tested and used many times, was created to be a simple, automated collection agent that can be installed on a portable USB device. The user should be able to insert the USB device into a system and execute a single command to capture the memory of the system and produce a Volatility profile for use in later analysis. This session covers the basics of Linux memory capture and Volatility profile creation as a manual process, then looks at how to install and use the tool as a portable agent. Using the Volatility framework, the session will also demonstrate some of the valuable information that can only be obtained via memory analysis.
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Lunch & Learn: Short presentations given during the lunch break.