Linux Memory Dump (RAM Capture)

Linux | Memory & Live State | Memory Dump

Location

Acquired via LiME, /dev/mem, /dev/fmem, or /proc/kcore

Description

Complete physical memory capture of a running Linux system including all process memory, kernel structures, network connection state, loaded kernel modules, and filesystem cache contents.

Forensic Value

Linux memory analysis is essential for detecting rootkits that hide from disk-based tools. Volatility, given a Linux profile or symbol table matching the captured kernel, can enumerate hidden processes, detect kernel-module rootkits, recover bash command history from process memory, extract network connections and credentials, and identify injected code in process address spaces. The filesystem cache held in memory may also contain recently accessed file content that provides additional context.

Tools Required

  • LiME (Linux Memory Extractor)
  • Volatility 3
  • Rekall
  • AVML (Microsoft)

Collection Commands

LiME

insmod lime.ko "path=/forensics/output/memory.lime format=lime"

AVML

avml /forensics/output/memory.raw

volatility3

vol -f /forensics/output/memory.lime linux.pslist > /forensics/output/vol_pslist.txt

volatility3

vol -f /forensics/output/memory.lime linux.bash > /forensics/output/vol_bash_history.txt
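A sanity check on a LiME-format dump (the format=lime output above) before handing it to Volatility, added here as an example and not code from this page or from the LiME or Volatility projects: it walks the 32-byte per-range headers (magic, version, inclusive start and end address) and flags a bad magic or a truncated capture. The sample dump is constructed inline.

```python
import struct

# LiME "lime" format (insmod ... format=lime): every captured physical range is
# preceded by a 32-byte header, packed little-endian:
#   u32 magic (0x4C694D45, "EMiL" on disk), u32 version (1),
#   u64 s_addr, u64 e_addr (inclusive), 8 reserved bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


def parse_lime_ranges(data: bytes):
    """Return [(s_addr, e_addr, payload_offset), ...]; raise ValueError on bad magic
    or version, an inverted range, or a payload running past the end (truncated)."""
    ranges, off = [], 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#010x} at offset {off}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range {s_addr:#x}-{e_addr:#x}")
        length = e_addr - s_addr + 1          # e_addr is inclusive
        payload = off + LIME_HEADER.size
        if payload + length > len(data):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} exceeds file size (truncated dump?)")
        ranges.append((s_addr, e_addr, payload))
        off = payload + length
    return ranges


def check_lime(data: bytes):
    """Sanity-check a dump before analysis: (ok, ranges, bytes_captured, message)."""
    try:
        ranges = parse_lime_ranges(data)
    except ValueError as exc:
        return False, [], 0, str(exc)
    captured = sum(e - s + 1 for s, e, _ in ranges)
    return True, ranges, captured, f"{len(ranges)} range(s), {captured} bytes of RAM"


def make_lime(ranges):
    """Build a constructed dump (testing only; real dumps come from LiME)."""
    out = bytearray()
    for s_addr, e_addr, fill in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8)
        out += bytes([fill]) * (e_addr - s_addr + 1)
    return bytes(out)


# Constructed sample: two ranges, mirroring two "System RAM" regions from /proc/iomem.
SAMPLE = make_lime([(0x1000, 0x1FFF, 0x41), (0x100000, 0x1007FF, 0x42)])
```

Running check_lime on a real capture immediately after acquisition (and before hashing it for chain of custody) catches a dump that was cut short by a reboot or a full output volume.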

Collection Constraints

  • Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.
  • Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.

MITRE ATT&CK Techniques

T1055, T1014, T1003, T1059.004