DBFIR
Memory capture


Last updated 3 years ago


VMs

Capturing the memory of a VM does not depend on the guest OS. Take a snapshot (or suspend the VM) from the hypervisor, which writes the guest's RAM to disk, then export the newly created files: on VMware that is the .vmem file together with its .vmsn/.vmss metadata, on VirtualBox the debugvm dumpvmcore subcommand of VBoxManage writes the guest memory as an ELF core. Hash the exported files before moving them and keep the snapshot itself. Nothing runs inside the guest, so this is the cleanest acquisition you will get.

Bare metal

In short, it is a struggle, every time. At the time of writing, the best option is still to load a kernel module that reads physical memory and writes it out; /dev/mem is restricted on modern kernels (CONFIG_STRICT_DEVMEM), so it is not a reliable fallback.

Here is the catch: the module must be built against the exact kernel running on the target (the output of uname -r, with matching headers and config). Either those details are known in advance and the module is compiled on a separate build machine, or it is compiled on the target itself. The second option is the simplest, but it violates the golden rule of forensics: installing a compiler and kernel headers and running a build writes to the evidence disk and churns the page cache, overwriting part of the memory you came to collect. Prefer the first option; if you have to build on the target, record every command you ran. Two more things to check before loading anything: the kernel refuses a module whose vermagic does not match the running kernel, and a Secure Boot system enforcing module signatures rejects an unsigned module outright. Write the image to an external disk or stream it over the network, never to the target's own filesystem.

The best-known tool for this is LiME (Linux Memory Extractor), https://github.com/504ensicsLabs/LiME. It dumps every System RAM range in raw, padded or LiME format to a file or to a TCP listener (path=tcp:<port>, collected with netcat on the analyst's side), and can compute a digest of the capture while it runs (digest=sha256).
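Once the image is off the target, check it before handing it to an analysis tool: a capture interrupted by a reboot or a full USB stick is silently truncated. The script below is an added example, not code from the DBFIR page or the LiME project. It walks the 32-byte segment headers LiME writes in format=lime mode (u32 magic "EMiL", u32 version 1, u64 start, u64 inclusive end, 8 reserved bytes) and verifies that every header is well-formed, that the ranges are ordered and non-overlapping, and that the file actually contains the payload each header promises; it also hashes the image for the chain-of-custody record. The two-segment sample it builds is constructed in memory for illustration, not a real capture.

```python
"""Sanity-check a LiME (format=lime) memory image before analysis.

Added example, not part of the DBFIR page or of LiME itself. The header
layout follows LiME's lime_mem_range_header; the sample image is constructed.
"""
import hashlib
import io
import sys
from dataclasses import dataclass
from struct import Struct
from typing import BinaryIO, Dict, List

LIME_MAGIC = 0x4C694D45    # the bytes "EMiL" read as a little-endian u32
LIME_VERSION = 1
# u32 magic, u32 version, u64 s_addr, u64 e_addr (inclusive), 8 reserved bytes
HEADER = Struct("<IIQQ8s")


@dataclass
class Segment:
    start: int    # first physical address of the range
    end: int      # last physical address, inclusive, as LiME stores it
    offset: int   # file offset of the first payload byte

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(fh: BinaryIO) -> List[Segment]:
    """Walk every segment header and validate the layout; ValueError on damage."""
    fh.seek(0, io.SEEK_END)
    total = fh.tell()
    fh.seek(0)
    segments: List[Segment] = []
    while fh.tell() < total:
        pos = fh.tell()
        raw = fh.read(HEADER.size)
        if len(raw) < HEADER.size:
            raise ValueError(f"truncated header at offset {pos:#x}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack(raw)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {pos:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        seg = Segment(s_addr, e_addr, pos + HEADER.size)
        if seg.offset + seg.size > total:
            missing = seg.offset + seg.size - total
            raise ValueError(
                f"segment {s_addr:#x}-{e_addr:#x} is {missing} bytes short: "
                "capture was interrupted or the file was truncated")
        if segments and seg.start <= segments[-1].end:
            raise ValueError("segments overlap or are out of order")
        segments.append(seg)
        fh.seek(seg.size, io.SEEK_CUR)   # skip the payload, headers are what we check
    return segments


def sha256_of(fh: BinaryIO, chunk: int = 1 << 20) -> str:
    """Hash the whole image for the chain-of-custody record."""
    fh.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: fh.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def check_image(fh: BinaryIO) -> Dict[str, object]:
    """Return a small report: segment count, bytes of RAM captured, image hash."""
    segments = parse_lime(fh)
    return {
        "segments": len(segments),
        "captured_bytes": sum(s.size for s in segments),
        "sha256": sha256_of(fh),
    }


def build_sample(truncate: int = 0) -> io.BytesIO:
    """Constructed two-segment image (not a real capture); `truncate` drops trailing bytes."""
    ranges = [(0x1000, 0x1FFF), (0x100000, 0x1003FF)]   # 4096 and 1024 bytes of "RAM"
    buf = io.BytesIO()
    for s, e in ranges:
        buf.write(HEADER.pack(LIME_MAGIC, LIME_VERSION, s, e, b"\0" * 8))
        buf.write(bytes((s + i) & 0xFF for i in range(e - s + 1)))
    data = buf.getvalue()
    return io.BytesIO(data[: len(data) - truncate] if truncate else data)


if __name__ == "__main__":
    # Usage: python check_lime.py mem.lime   (falls back to the constructed sample)
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else build_sample()
    with src:
        for key, value in check_image(src).items():
            print(f"{key}: {value}")
```

The ordering check matters because LiME writes the System RAM ranges in iomem order; a segment that starts before the previous one ended means the file was reassembled or concatenated incorrectly, not that the machine had overlapping RAM. If you captured with digest=sha256, compare LiME's reported digest with the hash printed here before the image leaves your hands.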