Linux memory forensics - memory capture with LiME and AVML

  • Published 20 Jun 2024
  • Linux Command Line tutorial for forensics - 43 - Linux memory forensics - memory capture with LiME and AVML
    ♥️ SUBSCRIBE for more videos: th-cam.com/users/bluemonkey4n6...
    Difficulty Level: advanced
    Prerequisites: strong understanding of linux command line
    strong understanding of partitions and file systems
    In this video, we will look at capturing memory on a Linux machine using LiME and AVML.
    Video timeline
    00:00 intro
    00:55 AVML intro
    01:43 AVML download
    02:54 memory capture using AVML
    06:01 AVML quick verification
    07:15 LiME intro
    08:14 LiME download
    09:19 Target system recon to determine kernel version
    09:49 LiME compile on exemplar system with same kernel version as target
    13:31 LiME quick verification
    To download the LiME source files: github.com/504ensicsLabs/LiME
    To download the AVML executable file: github.com/microsoft/avml
    ⭕️ For other videos about the Linux command line, see other videos in this series: • Linux Command Line tut...
    Linux distro:
    CAINE Linux (www.caine-live.net)
    Virtualization software:
    Virtual Box (virtualbox.org)
    Icons made by freepik from @flaticon www.flaticon.com/authors/freepik
    Icons made by Smashicons from www.flaticon.com/authors/smash...
    This course was designed to provide information on how to use the command line environment in a Unix/Linux system to accomplish tasks such as imaging, data acquisition, and archiving. This course covers the basics of Unix/Linux commands that allow users to view and edit text files, obtain hardware and system information, partition and format disks, work with process-related commands, manipulate disks and partitions, image, archive, perform logical acquisition and live system response, and do basic networking.
    This would be beneficial for folks who are interested in digital forensics, incident response, system administration, ethical hacking, or just plain Linux. This course covers material for beginners as well as for advanced users. This course would also be helpful if you are considering taking the CompTIA Linux+ certification test.
    #Linux #DFIR #memoryForensics
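As an added example (not code from the video or from the LiME/AVML projects): POSIX shell helpers for the timeline steps, plus a checker for the "quick verification" steps that walks the LiME container both tools write. The module file name, output paths and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the video or from the LiME/AVML projects.
# Both tools write the same LiME container: a 32-byte header (magic
# 0x4C694D45 = "EMiL", version 1, start address, end address, 8 reserved
# bytes) followed by the bytes of that physical range, once per segment.

# Kernel release of the target. The LiME module must be compiled on an
# exemplar machine running exactly this release, because insmod refuses
# a module built against a different kernel.
target_kernel() { uname -r; }

# AVML is a single static binary; the output path is its positional argument.
capture_avml() { sudo ./avml "$1"; }

# LiME: load the module the exemplar build produced; it dumps and unloads.
# Module file name follows LiME's Makefile naming (assumption).
capture_lime() { sudo insmod "./lime-$(target_kernel).ko" "path=$1 format=lime"; }

# Hex string of COUNT bytes at byte offset OFF of FILE, e.g. 454d694c.
hexat() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }
# Unsigned 64-bit integer at OFF of FILE (od uses host order; assumes x86/LE).
u64at() { od -An -tu8 -j "$2" -N 8 "$1" | tr -d ' \n'; }

# Quick verification: walk every segment header, checking magic, version and
# that each segment's data is present. Prints "start end bytes" per segment;
# returns 1 on the first bad header or truncated segment.
lime_walk() {
    f=$1; size=$(wc -c < "$f" | tr -d ' '); off=0
    while [ "$off" -lt "$size" ]; do
        [ "$(hexat "$f" "$off" 4)" = "454d694c" ] || { echo "bad magic at $off" >&2; return 1; }
        [ "$(hexat "$f" $((off + 4)) 4)" = "01000000" ] || { echo "bad version at $off" >&2; return 1; }
        s=$(u64at "$f" $((off + 8))); e=$(u64at "$f" $((off + 16)))
        n=$((e - s + 1)); off=$((off + 32 + n))
        [ "$off" -le "$size" ] || { echo "segment $s-$e truncated" >&2; return 1; }
        echo "$s $e $n"
    done
}

# Constructed sample for offline testing: two segments, 0x1000-0x1007 (8 bytes)
# and 0x3000-0x3003 (4 bytes). Not a real capture.
make_sample_lime() {
    {
        printf 'EMiL\001\000\000\000\000\020\000\000\000\000\000\000\007\020\000\000\000\000\000\000'
        printf '\000\000\000\000\000\000\000\000AAAAAAAA'
        printf 'EMiL\001\000\000\000\000\060\000\000\000\000\000\000\003\060\000\000\000\000\000\000'
        printf '\000\000\000\000\000\000\000\000BBBB'
    } > "$1"
}
```

On a real capture, `lime_walk /path/to/mem.lime` should list contiguous physical ranges and exit 0; a non-zero exit means the file was cut short or is not in LiME format (for example an AVML capture made with `--compress`).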

Comments • 14

  • @gamebrednupe7520 1 year ago +1

    Great vid, would like to see it actually done through remote connection as in a real life scenario. How would you compile for a different system without direct access to insert a flash drive?

    • @BlueMonkey4n6 1 year ago +1

      Excellent question! If you don't have physical access to the machine, then the assumption is that you have the credentials to get remote access. You should not be compiling on the subject machine but rather on an exemplar machine which has the same version of OS as the target. Then you can transfer the compiled program to the subject machine via rcp/ftp/etc. and then ssh in to do the extraction and pipe the output across the network to a collection machine.

    • @gamebrednupe7520 1 year ago

      @BlueMonkey4n6 thanks, I was on the right track. I may have to demonstrate this soon for an upcoming audit.

  • @BossManTee 1 year ago +2

    Which one do you prefer? LiME or AVML? Assuming we want to dump a Linux server/client memory and not an Android device?

    • @BlueMonkey4n6 1 year ago

      I like AVML for its simplicity. But because computer systems we would encounter in our line of work are never predictable, I always create a LiME executable as well just in case.
      Thanks for watching and please subscribe and like if you haven't already done so.

  • @minitorr8678 1 year ago +2

    Which program of the two do you recommend the most to acquire memory dumps?

    • @BlueMonkey4n6 1 year ago +1

      I would recommend BOTH. With computers, you never know what little nuances will cause one tool to fail, so it's always good to have a backup plan. This is especially true with memory capture because memory changes constantly and you may only have one shot at getting what you want.
      Thanks for watching and please don't forget to subscribe and like if you haven't already done so.

    • @minitorr8678 1 year ago

      @BlueMonkey4n6 Thanks a lot. Of course I will follow your videos. They are quite interesting.

  • @saadhassan417 1 year ago +1

    Make entering into a different directory, how did we solve this problem? Can you please solve my problem by today, I am very thankful to you.

    • @BlueMonkey4n6 1 year ago

      Not sure I understand the question. Are you saying that the “make” program is putting you into a different directory? I usually “cd” into the folder where the Makefile resides and then run “make” there, as all the .c and .h files are there.

  • @nithinvincent619 1 year ago +1

    Is it gonna work for Kali Linux mem acquisition?

    • @BlueMonkey4n6 1 year ago

      If you are asking whether this will capture memory in a system running Kali, then the answer is yes.

  • @minibigfoot7271 1 year ago +1

    Please do an Android mobile phone memory analysis to identify Malware.

    • @BlueMonkey4n6 1 year ago

      Great suggestion, let me add it to the list of future videos.