Wednesday, December 18, 2013

Linux Memory Forensics

Today I am taking a look at two of the more popular tools for performing memory acquisition from Linux systems. A quick search lands us at ForensicWiki which lists five tools for performing memory dumps on Linux systems. Two of the more useful freeware tools are fmem and LiME. This post details my experience using both tools.


Previously on Linux, memory dumps were acquired by simply running the dd command against /dev/mem or /dev/kmem. In recent years, these devices have been restricted so that only certain memory addresses or ranges are accessible. This is due to security concerns - if you can read the memory ranges of certain processes, it may be possible to recover sensitive data. Linux kernel developers have thus restricted access to much of the memory space that is mapped via /dev/mem.


To get around this, developers have created tools to allow unrestricted access to memory. Both fmem and LiME are available to meet the needs of forensic / first responder personnel who need to acquire an image of system memory for analysis purposes. fmem and LiME are loadable kernel modules that can be compiled and inserted into running Linux kernels. These modules operate in a similar fashion, but there are some differences.


fmem is available as a tarball download, and is easy to build and use once downloaded. Extract the files, build the .ko, run the included shell script to insert the kernel module, and you're set.


ipduffy@Thinkpad ~/Downloads/fmem_1.6-0 $ sudo ./run.sh
[sudo] password for ipduffy:
Module: insmod fmem.ko a1=0xffffffff8106fbd0 : OK
Device: /dev/fmem
----Memory areas: -----
reg00: base=0x0ffc00000 ( 4092MB), size=    4MB, count=1: write-protect
reg01: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg02: base=0x080000000 ( 2048MB), size= 1024MB, count=1: write-back
reg03: base=0x0bc000000 ( 3008MB), size=   64MB, count=1: uncachable
reg04: base=0x0bb000000 ( 2992MB), size=   16MB, count=1: uncachable
reg05: base=0x100000000 ( 4096MB), size= 4096MB, count=1: write-back
reg06: base=0x200000000 ( 8192MB), size= 1024MB, count=1: write-back
reg07: base=0x23f000000 ( 9200MB), size=   16MB, count=1: uncachable
reg08: base=0x23e800000 ( 9192MB), size=    8MB, count=1: uncachable
reg09: base=0x23e600000 ( 9190MB), size=    2MB, count=1: uncachable
-----------------------
!!! Don't forget add "count=" to dd !!!



Once the kernel module is loaded, you should have a new device under the /dev folder named /dev/fmem. You can then use dd to dump a memory image using this new device. /dev/fmem should be free of the access control restrictions that the Linux kernel has placed on /dev/mem. Once you are done with your memory dump you should unload the kernel module, especially if you think that an intrusion has happened on the system under examination. No sense leaving tools around that an attacker can use.

One caveat to be aware of when using dd and fmem is that you must specify a block size and a count with dd, otherwise dd will run forever. fmem does not report an end of the addressable memory address range to dd so, you must do so manually using the bs="..." and count="..." parameters to dd. For my system, I have 8GB of memory so I used bs=1MB and count=8000.


When I was trying to use fmem, I ran into an issue where it would get about a quarter of the way through the dd process and then error out with a "Bad Address" message:


ipduffy@Thinkpad ~/tmp $ sudo dcfldd if=/dev/fmem of=linuxmem.img bs=1MB count=8000
2816 blocks (2816Mb) written.dcfldd:/dev/fmem: Bad address

2991+0 records in
2991+0 records out



I did not attempt to troubleshoot this issue. My system is a Linux Mint 13 system, which is based on Ubuntu. Kernel is 3.2.0-23 x86_64.


Moving on, I downloaded and compiled LiME - Linux Memory Extractor. It is also a loadable kernel module, although it performs all of the work for you - no dd required. Simply download and build the .ko and it is ready for use. When loading the kernel module via insmod, you must specify a path and filename for the memory image to be created, as well as a format specification:


ipduffy@Thinkpad ~/Downloads/lime/src $ sudo insmod lime-3.2.0-23-generic.ko "path=/home/ipduffy/tmp/mem.lime format=lime"


Once the kernel module is inserted, it will automatically start dumping memory out to the file specified. This module worked perfectly on my test system and did not encounter any issues. The full memory was dumped to the specified file.


Once the memory has been dumped, it can be analyzed with Volatility. This will be the topic of an upcoming post.

1 comment:

  1. Hello,
    First thank's for these informations :)
    Is it possible after dumping RAM to insert this file as the /dev/mem?
    I explain : i want to restart a varnish server, but there is a lot of things in cache on this server. So i want to dump the memory before restarting it. After i want to insert the dump, to retrieve all my cache:)

    Thank's by advance

    ReplyDelete