Linux Memory Dump (RAM Capture)


Location

Acquired from the live system with a kernel-module or userland acquirer (LiME, AVML, the /dev/fmem module) or, on older kernels, from /dev/mem or /proc/kcore. Note that /dev/mem is limited to the first 1 MiB on kernels built with CONFIG_STRICT_DEVMEM (the default on most distributions), /proc/kcore is an ELF view of kernel virtual memory rather than a raw physical image, and kernel lockdown blocks both; LiME, AVML and fmem all require root and the ability to load a module or map physical memory.

Description

Capture of the physical memory of a running Linux system (in practice, the usable RAM ranges; MMIO and reserved regions are skipped), including all process memory, kernel structures, network connection state, loaded kernel modules, and the page cache holding recently read file content.
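The "complete" capture produced by LiME (and by AVML, which writes the same format) is really a sequence of physical RAM ranges, each preceded by a 32-byte header giving its start and inclusive end address; holes between ranges are MMIO and reserved regions that were never captured. The parser below, an added example rather than code from this page or from the LiME project, walks that header chain, reports the ranges and holes, and translates a physical address to a file offset, tolerating an image whose last range was cut short (the usual failure when the target disk fills up). The two-range image it parses is constructed inline.

```python
"""Walk a LiME-format image: validate the per-range headers, list the physical
ranges it captured, and translate a physical address to a file offset."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIME_MAGIC = 0x4C694D45            # "LiME" when stored as a little-endian uint32
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved (32 bytes)


@dataclass
class Segment:
    start: int        # first physical address of the range
    end: int          # last physical address of the range (inclusive)
    file_offset: int  # where the range's first byte sits in the image file
    size: int         # bytes of the range actually present in the file


def parse_lime(image: bytes) -> List[Segment]:
    """Return the captured ranges in file order; tolerate a truncated last range."""
    segments: List[Segment] = []
    pos = 0
    while pos < len(image):
        if len(image) - pos < HEADER.size:
            raise ValueError(f"truncated range header at offset {pos:#x}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack_from(image, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#010x} at offset {pos:#x}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME header version {version}")
        if e_addr < s_addr:
            raise ValueError(f"range end {e_addr:#x} precedes start {s_addr:#x}")
        if segments and s_addr <= segments[-1].end:
            raise ValueError(f"range at {s_addr:#x} overlaps or is out of order")
        length = e_addr - s_addr + 1                   # e_addr is inclusive
        data_off = pos + HEADER.size
        present = min(length, len(image) - data_off)   # smaller only if the file was cut short
        segments.append(Segment(s_addr, e_addr, data_off, present))
        pos = data_off + length
    return segments


def coverage(segments: List[Segment]) -> Tuple[int, List[Tuple[int, int]]]:
    """Bytes captured and the physical holes (MMIO, reserved, ACPI) between ranges."""
    captured = sum(s.size for s in segments)
    holes = [(a.end + 1, b.start - 1) for a, b in zip(segments, segments[1:])]
    return captured, holes


def phys_to_offset(segments: List[Segment], paddr: int) -> Optional[int]:
    """File offset holding physical address paddr, or None if it was not captured."""
    for seg in segments:
        if seg.start <= paddr <= seg.end:
            delta = paddr - seg.start
            return seg.file_offset + delta if delta < seg.size else None
    return None


def read_phys(image: bytes, segments: List[Segment], paddr: int, length: int) -> bytes:
    off = phys_to_offset(segments, paddr)
    if off is None:
        raise ValueError(f"physical address {paddr:#x} is not in the capture")
    return image[off:off + length]


def build_lime(ranges: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a LiME image from (start address, contents) pairs; used for the sample."""
    out = bytearray()
    for s_addr, data in ranges:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, s_addr + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


# Constructed two-range image standing in for a real capture: a low range holding a
# planted command string and a second range after a hole, as real RAM maps have gaps.
SAMPLE_IMAGE = build_lime([
    (0x1000, b"\0" * 16 + b"ls -la /root\0" + b"\0" * 227),
    (0x100000, bytes(range(256))),
])

if __name__ == "__main__":
    segs = parse_lime(SAMPLE_IMAGE)
    for s in segs:
        print(f"{s.start:#012x}-{s.end:#012x} at file offset {s.file_offset:#x} ({s.size} bytes)")
    captured, holes = coverage(segs)
    print(f"captured {captured} bytes, holes: {[(hex(a), hex(b)) for a, b in holes]}")
    print(read_phys(SAMPLE_IMAGE, segs, 0x1010, 12))
```

Volatility 3 reads this format natively (its lime layer does the same header walk), so the parser is mainly useful for triage before analysis: checking that the magic is intact, that the captured size matches the machine's RAM, and that the last range was not truncated. LiME's raw and padded output modes discard or zero-fill the holes respectively; only format=lime preserves the physical addresses.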

Forensic Value

Linux memory analysis is essential for detecting rootkits that hide from disk-based and live-system tools, since a kernel-level rootkit can filter what /proc and the system call interface report but cannot easily alter the task structures, module lists and hook tables that a memory image contains. Given a symbol table for the exact kernel build (Volatility 2 "profiles", Volatility 3 ISF symbol files generated from the kernel's debug symbols), Volatility can enumerate hidden processes by comparing the task list with carved task structures, detect kernel module rootkits and hooked system calls, recover bash command history from process memory, extract network connections and credentials, and identify injected code in process address spaces. The page cache in memory may contain recently accessed file content that provides additional context. Because the symbol table must match the running kernel exactly, record the output of uname -r and the distribution's kernel package version at acquisition time, before the machine is rebooted or updated.
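The hidden-process detection mentioned above is a cross-view comparison: linux.pslist walks the kernel's task list, linux.psscan carves task_struct objects out of memory regardless of whether they are linked into that list, and anything the scan finds that the list omits needs an explanation. The script below is an added example, not part of this page or of the Volatility project; it applies that comparison to constructed process listings shaped like the rows json.loads() returns for the output of vol -r json ... linux.pslist and linux.psscan (the column names PID, PPID and COMM are assumed to match the installed version). It also applies two corroborating checks a practitioner runs alongside the diff: a listed process whose parent is missing from the list, and a kernel-thread name whose parent is not kthreadd (PID 2). A scan hit that is absent from the list can also be a process that exited and whose task_struct has not yet been reused, so the verdicts are triage labels, not conclusions.

```python
"""Cross-view triage of Linux process listings: diff what linux.psscan carves
(task_struct objects found by scanning memory) against what linux.pslist walks
(the kernel's task list) to surface unlinked, i.e. hidden, processes."""
import json
from typing import Dict, List

# Kernel threads are always children of kthreadd (PID 2); these names are the
# ones malware most often borrows for a user-space process.
KTHREAD_PREFIXES = ("kworker/", "ksoftirqd/", "migration/", "kswapd", "rcu_")

# Constructed stand-ins for the rows json.loads() yields from
# `vol -r json -f mem.lime linux.pslist` and `... linux.psscan` (column names assumed).
PSLIST_ROWS = [
    {"PID": 1,    "PPID": 0,    "COMM": "systemd"},
    {"PID": 812,  "PPID": 1,    "COMM": "sshd"},
    {"PID": 1337, "PPID": 812,  "COMM": "bash"},
    {"PID": 2077, "PPID": 2049, "COMM": "nc"},           # parent 2049 is not in the list
]
PSSCAN_ROWS = [
    {"PID": 1,    "PPID": 0,    "COMM": "systemd"},
    {"PID": 812,  "PPID": 1,    "COMM": "sshd"},
    {"PID": 1337, "PPID": 812,  "COMM": "bash"},
    {"PID": 2049, "PPID": 1,    "COMM": "kworker/u8:3"}, # carved, unlinked, fake kthread name
    {"PID": 1337, "PPID": 812,  "COMM": "sleep"},        # stale struct: PID 1337 was reused
    {"PID": 2077, "PPID": 2049, "COMM": "nc"},
]


def load_view(path: str) -> List[Dict]:
    """Read a plugin's JSON renderer output from disk (for use on a real image)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def cross_view(pslist_rows: List[Dict], psscan_rows: List[Dict]) -> List[Dict]:
    """Return triage findings; an empty list means both views agree and the tree is sane."""
    listed = {(r["PID"], r["COMM"]) for r in pslist_rows}
    listed_pids = {r["PID"] for r in pslist_rows}
    findings: List[Dict] = []

    # 1. Carved task_structs that the task list does not know about.
    for r in psscan_rows:
        if (r["PID"], r["COMM"]) in listed:
            continue  # both views agree on this process
        if r["PID"] in listed_pids:
            # An older task_struct for a PID that has since been reused: almost always
            # a terminated process, not a hidden one.
            verdict = "pid_reuse_or_exited"
        else:
            children = [p["PID"] for p in pslist_rows if p["PPID"] == r["PID"]]
            # A listed child whose parent only the scanner sees is the strongest signal
            # that the parent was unlinked deliberately rather than having exited.
            verdict = "hidden_with_visible_children" if children else "hidden_or_recently_exited"
        findings.append({"PID": r["PID"], "PPID": r["PPID"], "COMM": r["COMM"], "verdict": verdict})

    # 2. Listed processes whose parent is missing (PPID 0 is legitimate for PIDs 1 and 2).
    for p in pslist_rows:
        if p["PPID"] != 0 and p["PPID"] not in listed_pids:
            findings.append({"PID": p["PID"], "PPID": p["PPID"], "COMM": p["COMM"],
                             "verdict": "parent_not_in_pslist"})

    # 3. Kernel-thread names hanging off a user-space parent instead of kthreadd.
    seen = set()
    for r in pslist_rows + psscan_rows:
        key = (r["PID"], r["COMM"])
        if key in seen:
            continue
        seen.add(key)
        if r["COMM"].startswith(KTHREAD_PREFIXES) and r["PPID"] not in (0, 2):
            findings.append({"PID": r["PID"], "PPID": r["PPID"], "COMM": r["COMM"],
                             "verdict": "kthread_name_userspace_parent"})
    return findings


if __name__ == "__main__":
    for f in cross_view(PSLIST_ROWS, PSSCAN_ROWS):
        print(f"PID {f['PID']:>5} PPID {f['PPID']:>5} {f['COMM']:<14} {f['verdict']}")
```

On a real image, feed load_view() the two JSON files and treat every hidden_* verdict as a lead to confirm with the other views the paragraph lists (module and syscall-table checks, per-process memory maps, network state), since a single unlinked task_struct is also what a process that exited a moment before acquisition looks like.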

Tools Required

LiME (Linux Memory Extractor)
AVML (Microsoft)
Volatility 3
Rekall (no longer maintained)