Kernel Modules & dmesg Buffer

linux | Memory & Live State | Memory Dump | Disk Image

Location

/lib/modules/$(uname -r)/, /proc/modules, /var/log/dmesg, dmesg command output

Description

Loaded kernel module listing from /proc/modules or lsmod, kernel module files on disk, and the kernel ring buffer (dmesg) recording module load/unload events, hardware events, and kernel messages since last boot.

Forensic Value

Kernel module analysis detects loadable kernel module (LKM) rootkits that intercept system calls to hide processes, files, and network connections. Comparing loaded modules (lsmod) against expected modules identifies suspicious kernel extensions. The dmesg buffer records module load events with timestamps. Unsigned or out-of-tree modules in non-standard paths are strong indicators of rootkit installation. Memory analysis may reveal hidden modules not visible via lsmod.
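As an added example (not part of this reference entry), the following triage script applies the checks above offline to constructed sample input: it parses /proc/modules text, compares it to an assumed baseline of expected modules, reads the per-module taint letters the kernel appends after the address column, and scans dmesg lines for the kernel's out-of-tree and signature-failure messages. The module names, sizes, addresses and baseline are constructed; on a live host you would pass the real /proc/modules contents and dmesg output, with the baseline taken from a known-good system running the same kernel build.

```python
import re

# Constructed /proc/modules text; columns: name size refcount deps state address [(taint flags)]
SAMPLE_PROC_MODULES = """\
ext4 745472 2 - Live 0xffffffffc0a00000
xfrm_algo 16384 1 esp4, Live 0xffffffffc09f0000
sample_lkm 16384 0 - Live 0xffffffffc0b10000 (OE)
nvidia 35291136 12 - Live 0xffffffffc0c00000 (POE)
"""
# Constructed dmesg lines using the kernel's real taint message wording
SAMPLE_DMESG = """\
[   12.345678] sample_lkm: loading out-of-tree module taints kernel.
[   12.345900] sample_lkm: module verification failed: signature and/or required key missing - tainting kernel
[   40.100000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""
# Per-module taint letters as documented in admin-guide/tainted-kernels
TAINT_FLAGS = {"P": "proprietary", "O": "out-of-tree", "F": "force-loaded", "E": "unsigned"}
DMESG_PATTERNS = [
    (re.compile(r"\]\s+(\S+): loading out-of-tree module taints kernel"), "out-of-tree"),
    (re.compile(r"\]\s+(\S+): module verification failed"), "unsigned"),
]

def parse_proc_modules(text):
    """Map module name -> taint letters; '' when the kernel flagged nothing."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        modules[fields[0]] = fields[6].strip("()") if len(fields) > 6 else ""
    return modules

def scan_dmesg(text):
    """Return (module, reason) pairs for taint messages tied to module loads."""
    events = []
    for line in text.splitlines():
        for pattern, reason in DMESG_PATTERNS:
            m = pattern.search(line)
            if m:
                events.append((m.group(1), reason))
    return events

def triage(proc_modules_text, baseline, dmesg_text):
    """baseline is the expected module set, e.g. from a known-good host of the same build."""
    modules = parse_proc_modules(proc_modules_text)
    return {
        "unexpected": sorted(n for n in modules if n not in baseline),
        "tainted": {n: [TAINT_FLAGS.get(c, c) for c in f] for n, f in modules.items() if f},
        "dmesg_events": scan_dmesg(dmesg_text),
    }
```

A module that appears in dmesg load events but not in /proc/modules is worth a second look in a memory image, since a rootkit can unlink itself from the module list after loading.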

Tools Required

lsmod, modinfo, dmesg, Volatility 3, chkrootkit, rkhunter