Process Core Dumps

Linux, Memory & Live State, Disk Image

Location

/var/lib/systemd/coredump/, /var/crash/, or the path (or handler pipe) configured in /proc/sys/kernel/core_pattern

Description

Process memory dumps written when a process terminates on a crashing signal (SIGSEGV, SIGABRT). A core dump contains the process address space as it was at crash time, including the stack, heap, mapped libraries, and register state, and is only produced when the core size limit (ulimit -c) and core_pattern allow it.

Forensic Value

Core dumps capture process memory at crash time, which often corresponds to an exploitation attempt. The memory image may contain exploit payloads, shellcode, decrypted data, credentials in memory, and the specific input that triggered the crash. For a service that crashed during exploitation, the core dump preserves the attack payload for analysis. Analysing the dump with gdb (register state, backtrace, the contents of the faulting address) can reveal which vulnerability was exploited and the technique the attacker used; the NT_FILE note written by the kernel records which file backed each mapping, which tells the analyst whether the faulting address fell inside the binary, a library, or an anonymous region such as the stack or heap.
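As an added triage example (not code from the original page), the following parser reads the program headers of an ELF64 little-endian core file, decodes the kernel's NT_FILE note into a mapping table, and classifies a faulting address against it; the sample core and the path /usr/sbin/vulnsvc are constructed inline so it runs offline.

```python
import struct
PT_LOAD, PT_NOTE, ET_CORE, NT_FILE = 1, 4, 4, 0x46494c45   # NT_FILE is the "FILE" note

def parse_core(data):
    """Return (segments, files): PT_LOAD as (vaddr, memsz, flags), NT_FILE as (start, end, file_off, path)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or struct.unpack_from("<H", data, 16)[0] != ET_CORE:
        raise ValueError("not an ELF64 core file")
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segments, files = [], []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz = struct.unpack_from("<IIQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_memsz, p_flags))
        elif p_type == PT_NOTE:
            files += parse_nt_file(data[p_off:p_off + p_filesz])
    return segments, files

def parse_nt_file(blob):
    """Walk the note area; NT_FILE desc = count, page_size, count*(start, end, page_off), NUL-joined paths."""
    files, off = [], 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        name_off = off + 12
        desc_off = name_off + ((namesz + 3) & ~3)          # name and desc are 4-byte aligned
        desc = blob[desc_off:desc_off + descsz]
        off = desc_off + ((descsz + 3) & ~3)
        if ntype == NT_FILE and blob[name_off:name_off + namesz] == b"CORE\0":
            count, page_size = struct.unpack_from("<QQ", desc, 0)
            names = desc[16 + count * 24:].split(b"\0")
            for i in range(count):
                start, end, pgoff = struct.unpack_from("<QQQ", desc, 16 + i * 24)
                files.append((start, end, pgoff * page_size, names[i].decode()))
    return files

def locate(addr, files):
    """Which file mapping (if any) a faulting address such as the saved RIP points into; None if anonymous/unmapped."""
    return next((path for start, end, _, path in files if start <= addr < end), None)

def build_sample_core():
    """Constructed minimal x86-64 core: one NT_FILE entry for a fake binary and a 64-byte stack segment."""
    desc = struct.pack("<QQ", 1, 4096) + struct.pack("<QQQ", 0x400000, 0x401000, 0) + b"/usr/sbin/vulnsvc\0"
    note = struct.pack("<III", 5, len(desc), NT_FILE) + b"CORE\0\0\0\0" + desc + b"\0" * (-len(desc) % 4)
    stack = b"A" * 64                                    # stand-in for the crashed thread's stack page
    note_off = 64 + 2 * 56                               # ELF header + two program headers
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", ET_CORE, 0x3e, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_note = struct.pack("<IIQQQQQQ", PT_NOTE, 0, note_off, 0, 0, len(note), 0, 1)
    ph_load = struct.pack("<IIQQQQQQ", PT_LOAD, 6, note_off + len(note), 0x7ffc0000, 0, len(stack), len(stack), 4096)
    return ehdr + ph_note + ph_load + note + stack
```

On a real dump, pass the bytes of the file from coredumpctl dump or the core_pattern path to parse_core; an address that locate() cannot attribute to any file is a strong hint the crash landed in injected or stack data.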

Tools Required

gdb, coredumpctl, strings, objdump, Volatility 3