Kernel Modules & dmesg Buffer

Linux, Memory & Live State, Memory Dump, Disk Image

Location

/lib/modules/$(uname -r)/, /proc/modules, /var/log/dmesg, dmesg command output

Description

Loaded kernel module listing from /proc/modules or lsmod, kernel module files on disk, and the kernel ring buffer (dmesg) recording module load/unload events, hardware events, and kernel messages since last boot.

Forensic Value

Kernel module analysis detects loadable kernel module (LKM) rootkits, which hook system calls to hide processes, files, and network connections. Comparing the loaded module list (lsmod) against the set expected for the distribution and installed packages identifies suspicious kernel extensions. The dmesg buffer records module load events with timestamps. Unsigned or out-of-tree modules loaded from non-standard paths are strong indicators of rootkit installation. Memory analysis (for example with Volatility 3) may reveal hidden modules that lsmod does not show.

Tools Required

lsmod, modinfo, dmesg, Volatility 3, chkrootkit, rkhunter

Collection Commands

lsmod

lsmod > /forensics/output/loaded_modules.txt

dmesg

dmesg -T > /forensics/output/dmesg_output.txt

find

find /lib/modules/$(uname -r) -name "*.ko*" -exec modinfo {} \; > /forensics/output/module_info.txt

(The "*.ko*" pattern also matches compressed modules such as .ko.xz and .ko.zst, which several distributions ship and which modinfo reads directly; a plain "*.ko" pattern would silently skip them.)

cat

cat /proc/modules > /forensics/output/proc_modules.txt
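The following triage script is an added example, not part of the original page or of any of the listed tools. It reads the three text files the collection commands above produce (proc_modules.txt, module_info.txt, dmesg_output.txt) and applies the checks named under Forensic Value: taint flags in /proc/modules, loaded modules with no matching .ko under /lib/modules/<release>/, on-disk modules without a signature, and the kernel's own taint messages in dmesg. The host release, module names, paths and log lines below are constructed sample data so the script runs offline; the two taint messages use the kernel's real wording.

```python
"""Triage collected kernel-module evidence (added example, constructed sample input)."""
import re
import sys
from typing import Dict, List, Tuple

# Taint flags as shown in the last column of /proc/modules.
TAINT_FLAG_MEANING = {
    "P": "proprietary license",
    "O": "out-of-tree build",
    "E": "unsigned module",
    "F": "force-loaded",
    "C": "staging driver",
}

# Constructed `cat /proc/modules` sample for a hypothetical host (release 5.15.0-generic).
# Field layout: name size refcount deps state address [(taint flags)]
PROC_MODULES = """\
ext4 905216 2 - Live 0xffffffffc0a00000
nf_tables 258048 0 - Live 0xffffffffc0700000
sample_oot 16384 0 - Live 0xffffffffc0c00000 (OE)
"""

# Constructed concatenated modinfo output for the .ko files found under /lib/modules.
MODULE_INFO = """\
filename:       /lib/modules/5.15.0-generic/kernel/fs/ext4/ext4.ko
license:        GPL
signer:         Build time autogenerated kernel key
sig_key:        11:22:33:44
sig_hashalgo:   sha512
filename:       /lib/modules/5.15.0-generic/kernel/net/netfilter/nf_tables.ko
license:        GPL
signer:         Build time autogenerated kernel key
sig_key:        11:22:33:44
sig_hashalgo:   sha512
filename:       /lib/modules/5.15.0-generic/updates/dkms/sample_dkms.ko
license:        GPL
"""

# Constructed `dmesg -T` sample; the sample_oot lines are the kernel's own taint messages.
DMESG = """\
[Tue Mar  5 10:11:58 2024] EXT4-fs (sda1): mounted filesystem with ordered data mode.
[Tue Mar  5 10:12:01 2024] sample_oot: loading out-of-tree module taints kernel.
[Tue Mar  5 10:12:01 2024] sample_oot: module verification failed: signature and/or required key missing - tainting kernel
[Tue Mar  5 10:12:01 2024] Disabling lock debugging due to kernel taint
"""

DMESG_TAINT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<mod>[A-Za-z0-9_]+): "
    r"(?P<msg>.*(taint|module verification failed).*)$")


def parse_proc_modules(text: str) -> Dict[str, dict]:
    """Parse /proc/modules lines into {name: {size, refcount, state, address, taint}}."""
    mods = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        taint = f[6].strip("()") if len(f) > 6 else ""
        mods[f[0]] = {"size": int(f[1]), "refcount": int(f[2]),
                      "state": f[4], "address": f[5], "taint": taint}
    return mods


def module_name_from_path(path: str) -> str:
    """Derive the kernel-visible module name from a .ko / .ko.xz / .ko.zst path."""
    base = path.rsplit("/", 1)[-1]
    base = re.sub(r"\.ko(\.(xz|gz|zst))?$", "", base)
    return base.replace("-", "_")  # the kernel reports hyphens as underscores


def parse_modinfo(text: str) -> Dict[str, dict]:
    """Parse concatenated modinfo output; every record starts with a 'filename:' line."""
    records, cur = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "filename":
            cur = {"filename": value}
            records[module_name_from_path(value)] = cur
        elif cur is not None:
            cur[key] = value  # repeated keys (alias, parm) keep the last value
    return records


def triage(proc_mods: Dict[str, dict], modinfo: Dict[str, dict],
           release: str) -> List[Tuple[str, str]]:
    """Return (module, reason) findings for the indicators listed under Forensic Value."""
    findings, prefix = [], f"/lib/modules/{release}/"
    for name, m in proc_mods.items():
        for flag in m["taint"]:
            if flag in TAINT_FLAG_MEANING:
                findings.append((name, f"taint flag {flag}: {TAINT_FLAG_MEANING[flag]}"))
        if name not in modinfo:
            findings.append((name, f"loaded but no .ko found under {prefix}"))
    for name, info in modinfo.items():
        if not info["filename"].startswith(prefix):
            findings.append((name, f"module file outside {prefix}: {info['filename']}"))
        if "signer" not in info and "sig_key" not in info:
            findings.append((name, "module file carries no signature"))
    return findings


def scan_dmesg(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, module, message) for kernel taint / verification messages."""
    return [(m["ts"].strip(), m["mod"], m["msg"])
            for m in map(DMESG_TAINT_RE.match, text.splitlines()) if m]


if __name__ == "__main__":
    # Usage: triage.py proc_modules.txt module_info.txt dmesg_output.txt <uname -r>
    if len(sys.argv) == 5:
        pm_text, mi_text, dm_text = (open(p).read() for p in sys.argv[1:4])
        release = sys.argv[4]
    else:  # no arguments: run on the constructed samples above
        pm_text, mi_text, dm_text, release = PROC_MODULES, MODULE_INFO, DMESG, "5.15.0-generic"
    for name, reason in triage(parse_proc_modules(pm_text), parse_modinfo(mi_text), release):
        print(f"[module] {name}: {reason}")
    for ts, name, msg in scan_dmesg(dm_text):
        print(f"[dmesg ] {ts} {name}: {msg}")
```

Run without arguments it reports the constructed sample_oot module three times (out-of-tree flag, unsigned flag, no file under the release directory) and sample_dkms once (unsigned on disk), plus the two dmesg taint lines with their timestamps; the in-tree signed modules produce nothing. Note that a module a rootkit has unlinked from the kernel's module list will be absent from /proc/modules and therefore from this triage, which is the gap the memory-analysis step with Volatility 3 closes.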

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.

MITRE ATT&CK Techniques

T1547.006 (Kernel Modules and Extensions), T1014 (Rootkit), T1082 (System Information Discovery)