Process Core Dumps

Linux · Memory & Live State · Disk Image

Location

/var/lib/systemd/coredump/, /var/crash/, or core pattern path from /proc/sys/kernel/core_pattern

Description

Process memory dumps written when a process crashes due to a signal (SIGSEGV, SIGABRT). They contain the complete process address space at crash time, including the stack, heap, mapped libraries, and register state.

Forensic Value

Core dumps capture process memory at crash time, which often corresponds to an exploitation attempt. The memory image may contain exploit payloads, shellcode, decrypted data, credentials in memory, and the specific input that triggered the crash. For services that crashed during exploitation, the core dump preserves the attack payload for analysis. Core dump analysis with gdb can reveal the vulnerability exploited and the attacker's technique.

Tools Required

  • gdb
  • coredumpctl
  • strings
  • objdump
  • Volatility 3

Collection Commands

coredumpctl

coredumpctl list > /forensics/output/coredump_list.txt

find

find /var/lib/systemd/coredump /var/crash -type f -exec cp -p {} /forensics/output/ \;

coredumpctl

coredumpctl dump --output=/forensics/output/latest_core.dump

strings

for f in /var/lib/systemd/coredump/*.zst; do zstd -dc "$f" | strings >> /forensics/output/coredump_strings.txt; done

systemd-coredump stores dumps compressed (zstd by default; lz4 or xz on older versions), so decompress each file before running strings; running strings on the compressed file yields nothing from process memory.
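
The collection steps above, as an added example script that is not part of the original page: it classifies the active core_pattern (pipe handler versus path template), picks a decompressor per dump file extension, hashes each dump, and only then runs strings. The evidence directory /forensics/output and the assumption that a handler such as systemd-coredump writes to /var/lib/systemd/coredump are taken from the page; RUN_COLLECTION is an assumed switch so the functions can be sourced without touching the host.

```shell
#!/bin/sh
# Added example, not from the original page. OUT is the assumed evidence dir.
OUT="${OUT:-/forensics/output}"

# Classify /proc/sys/kernel/core_pattern: a leading '|' means the kernel pipes
# the dump to a handler (systemd-coredump, apport); an absolute template names
# the directory dumps land in; a relative template lands in the crashed
# process's working directory.
classify_core_pattern() {
    case "$1" in
        '|'*) printf 'pipe:%s\n' "$(printf '%s' "$1" | sed 's/^|//; s/ .*//')" ;;
        /*)   printf 'dir:%s\n' "$(dirname "$1")" ;;
        *)    printf 'cwd:%s\n' "$1" ;;
    esac
}

# Pick the decompressor by extension. systemd-coredump uses zstd by default
# (lz4 or xz on older versions); uncompressed dumps are passed through cat.
decompress_cmd() {
    case "$1" in
        *.zst) echo "zstd -dc" ;;
        *.lz4) echo "lz4 -dc" ;;
        *.xz)  echo "xz -dc" ;;
        *)     echo "cat" ;;
    esac
}

# Hash each dump for chain of custody, then decompress into a strings listing
# so compressed bytes are never mistaken for process memory.
collect_dumps() {
    for f in /var/lib/systemd/coredump/core.* /var/crash/*; do
        [ -f "$f" ] || continue
        sha256sum "$f" >> "$OUT/coredump_hashes.txt"
        $(decompress_cmd "$f") "$f" | strings -n 8 > "$OUT/$(basename "$f").strings.txt"
    done
}

main() {
    mkdir -p "$OUT"
    pattern=$(cat /proc/sys/kernel/core_pattern)
    echo "core_pattern => $(classify_core_pattern "$pattern")" | tee "$OUT/core_pattern.txt"
    collect_dumps
}

if [ "${RUN_COLLECTION:-0}" = 1 ]; then main; fi
```

Run with RUN_COLLECTION=1 as root on the live host; when classify_core_pattern reports cwd:, the dumps are not in the standard directories and must be located relative to the crashed processes' working directories.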

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.

MITRE ATT&CK Techniques

  • T1068 – Exploitation for Privilege Escalation
  • T1203 – Exploitation for Client Execution
  • T1055 – Process Injection