Acquiring Linux Memory using AVML and Using it with Volatility

This is another quick post going over the process to acquire memory from a Linux system, but instead of using LiME, I’m going to use AVML which stands for Acquire Volatile Memory for Linux, and could be found here. The tool has been developed by Brian Casewell for Microsoft and is a “userland volatile memory acquisition tool”.

AVML tries to acquire memory from the following memory sources:

    /dev/crash
    /proc/kcore
    /dev/mem

The installation is straight forward and well documented on the Github page. I used the build on Ubuntu, which is really just “copy & paste” no super power required there, thanks to Brian! One note is there are two builds, one will provide an upload feature to upload the images to Azure and the other build without that. The size is really small, mine with full features was 5.5MB. After finishing the build you will find the binary (at least on my system) under:

./target/x86_64-unknown-linux-musl/release/

Continue reading

Forensic Acquisitions over Netcat

In the past I used to write here what I did so I do not forget, so I’ll try to get back to that habit again :)

These days whenever I find time, I’m playing with TSURUGI, which is a new (at least to me) Linux DFIR distro. More about the distro could be found on the system’s website here. I highly recommend if you are reading these words of mine, that you go download TSURUGI and give it a try. It can be seen as the KALI Linux of DFIR!

Now, there is a project that I’m working on related to Linux, so I needed to acquire an image of a Linux system running on my testing system. So, I turned off the the system to be acquired and used the TSURUGI Linux to boot the system to be acquired. The problem in my setup, is I do not want to use a removable drive to acquire the image using TSURUGI and copy it to that target drive. Therefore, I had to go with other options, one was SSH. Doing acquisitions over SSH will be a great option, but unfortunately, in my situation, it did not work. I have not troubleshooted the reason why, since I’m not into that now, but I assume SSH did not work and every time I tried to connect to the running SSH, it just gave me a reset, because it was running in Read-Only mode from the RAM and therefore SSH sessions could not be created! (not 100% sure, just an assumption).
Continue reading

Anti-Forensics: Leveraging OS and File System Artifacts

Hola,

I know it seems that the zone has been abandoned for a year, and that is why I didn’t want the year to end without posting anything. Anyway, this presentation has been covered in Feb-2016, and thought why not share it with the DFIR community, maybe it will be useful to someone out there.

Presentation title: Anti-Forensics: Leveraging OS and File System Artifacts.

It doesn’t cover all the anti stuff, but it is a good start.

Enjoy…