Crystal City 2014

Crystal City, VA | Mon, Sep 8 - Sat, Sep 13, 2014

Automating Linux Memory Capture for Analysis

  • Hal Pomeranz
  • Thursday, September 11th, 7:15pm - 8:15pm

Volatility has included support for Linux memory analysis since v2.2. However, practitioners have faced two obstacles: (1) Acquiring memory from a Linux system requires building, loading, and correctly using a third-party kernel module (such as LiME) for each system encountered; and (2) Creating a system-specific volatility "profile" for each system. Even for experts, these tasks are non-trivial and error-prone if performed manually. Fortunately, the Linux environment makes scripting and automation straightforward. This session presents a tool to capture actionable information from Linux systems. The tool, which has been tested and used many times, was created to be a simple, automated collection agent that can be installed on a portable USB device. The user should be able to insert the USB device into a system and execute a single command to capture the memory of the system and produce a Volatility profile for use in later analysis. This session covers the basics of Linux memory capture and Volatility profile creation as a manual process, then looks at how to install and use the tool as a portable agent. Using the Volatility framework, the session will also demonstrate some of the valuable information that can only be obtained via memory analysis.

Bonus Sessions

The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:

  • SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
  • Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.

Monday, September 8

Session | Speaker | Time | Type
General Session - Welcome to SANS | Dr. Eric Cole | Monday, September 8th, 8:15am - 8:45am | Special Events
APT: It is Time to Act | Dr. Eric Cole | Monday, September 8th, 7:15pm - 9:15pm | Keynote

Tuesday, September 9

Session | Speaker | Time | Type
Continuous Ownage: Why you Need Continuous Monitoring | Seth Misenar | Tuesday, September 9th, 7:15pm - 8:15pm | SANS@Night
Digital Forensics - The Human Cost | Lee Whitfield | Tuesday, September 9th, 8:15pm - 9:15pm | SANS@Night

Wednesday, September 10

Session | Speaker | Time | Type
Weaponizing Digital Currency | G. Mark Hardy | Wednesday, September 10th, 7:15pm - 8:15pm | SANS@Night
Active Defense in Network Security | Robert M. Lee | Wednesday, September 10th, 8:15pm - 9:15pm | SANS@Night

Thursday, September 11

Session | Speaker | Time | Type
Automating Linux Memory Capture for Analysis | Hal Pomeranz | Thursday, September 11th, 7:15pm - 8:15pm | SANS@Night
Reverse Engineering Mac Malware | Sarah Edwards | Thursday, September 11th, 8:15pm - 9:15pm | SANS@Night

Friday, September 12

Session | Speaker | Time | Type
New School Forensics: Latest Tools and Techniques in Memory Analysis | Chad Tilbury | Friday, September 12th, 7:15pm - 8:15pm | SANS@Night