Malware Forensic Field Guides: Tool Box 

Chapter 2     Memory Analysis Tools for Linux Systems

In this chapter we discussed approaches to interpreting data structures in memory on Linux systems, and extracting and analyzing process memory. There are a number of memory analysis tools that you should be aware of and familiar with. In this section, we explore these tool alternatives, often demonstrating their functionality. This section can also simply be used as a “tool quick reference” or “cheat sheet” as there will inevitably be an instance during an investigation where having an additional tool that is useful for a particular function would be beneficial, but while responding in the field you will have little time to conduct research for or regarding the tool(s). It is important to perform your own testing and validation of these tools to ensure that they work as expected in your environment and for your specific needs.
 Name:  SecondLook
 Page Reference:  117, 124
 Author/Distributor:  Raytheon Pikewerks/SecondLook Forensics
 Available From:
 Description:  Advanced Linux memory analysis capabilities have been developed in a specialized tool
called SecondLook that has a command-line and GUI version, as well as an Enterprise edition.

The GUI of SecondLook is shown here with the alerts screen showing suspicious changes in memory due
to malware:


  Name:  Volatility
  Page Reference: 116, 119-120, 122-125
  Author/Distributor:  Volatile Systems
  Available From:
 Description:  Volatility grew out of the FATKit project and is written in Python, with development being led by AAron Walters. Volatility was originally developed to examine Windows memory dumps and has been adapted to work with Linux memory dumps. The Linux version of Volatility can be used to extract information about processes, network connections, open handles and other system related details.

        # python volatility/ –f Phalanx2.dd --profile=LinuxFedora14x64 linux_pslist

  Linux Plugins: 


  • linux_pslist: active processes beginning with the init_task symbol and walking the task_struct->tasks linked list (excludes swapper process)

  • linux_psaux: output active processes with additional details

  • linux_pstree: hierarchical relationship tree of running processes

  • linux_pslist_cache: active processes from kmem_cache (SLAB support only)

  • linux_psxview: comparison of process listings

  • linux_lsof: open file descriptors for each active process

Process Memory:

  • linux_memmap

  • linux_pidhashtable

  • linux_proc_maps: details of process memory, including heaps and shares libraries

  • linux_dump_map: dumps a memory range specified by the -s/--vma parameter to disk

  • linux_bash: recovers bash history from memory, with some digging

Kernel Memory and Objects:

  • linux_lsmod: loaded kernel modules

  • linux_tmpfs: contents of tmpfs

Rootkit Detection:

  • linux_check_afinfo: checks for tampering in network protocol structures

  • linux_check_creds: check if processes are sharing ‘cred’ structures

  • linux_check_fop: check file operation data structures for tampering

  • linux_check_idt: check Interrupt Descriptor Table (IDT) for tampering

  • linux_check_syscall: checks for function hooking in the system call tables

  • linux_check_modules: checks for items in sysfs that are missing from kernel modules list.


  • linux_arp: List ARP table entries 
  • linux_ifconfig: Show network interface details 
  • linux_route_cache: List route table list 
  • linux_netstat: List network connections 
  • linux_pkt_queues 
  • linux_sk_buff_cache

System Information

  • linux_cpuinfo 
  • linux_dmesg 
  • linux_iomem 
  • linux_mount  
  • linux_mount_cache 
  • linux_slabinfo 
  • linux_dentry_cache 
  • linux_find_file 
  • linux_vma_cache

 Name:  Shortstop
 Page Reference: 138
 Author/Distributor: Joerg Kost
 Available From:
 Description:  The shortstop utility captures process memory and assorted information about the system, including the command line, current working directory, status, environment variables, listings of associated entries in the “/proc” system, and memory map. The command line is shown below and the file output can be redirected to a file.

# shortstop –m –p <PID>

Name:  Memfetch
Page Reference: 138
Author/Distributor: Michal Zalewski
Available From:
Description:  The memfetch utility dumps the memory mappings of a process into separate files for further analysis.

Name:  Process Dumper
Page Reference: 138
Author/Distributor: Tobias Klein
Available From:
Description:  Process Dumper is used in combination with Memory Parser to dump and analyze process memory.

The process dumper tool has a simple usage with output directed to standard out (preferable to redirect the output to a file):

# pd –p <PID>

 Name:  gcore
 Page Reference: 138
 Author/Distributor: Eric Cooper
 Available From:  Native to Linux distributions
 Description:  gcore is a command-line utility that generates a core file for a target process (specified by its PID). By default, the resulting core file is written to core, <pid>, in the current directory.

Alternatively, using the –o switch the digital investigation can direct the output of gcore to a specified file and location, as demonstrated in the following command:

# gcore –o outputfile <PID>

Name:  pcat
 Page Reference: 138
Author/Distributor: Dan Farmer and Wietse Venema
Available From:
Description:   The pcat utility is a component of The Coroners Toolkit that captures process memory. It can also generate a map file of the process memory using the –m switch.

# pcat –m –p <PID> outputfile