Acquiring Linux Memory using AVML and Using it with Volatility

This is another quick post going over the process to acquire memory from a Linux system, but instead of using LiME, I’m going to use AVML which stands for Acquire Volatile Memory for Linux, and could be found here. The tool has been developed by Brian Casewell for Microsoft and is a “userland volatile memory acquisition tool”.

AVML tries to acquire memory from the following memory sources:

    /dev/crash
    /proc/kcore
    /dev/mem

The installation is straight forward and well documented on the Github page. I used the build on Ubuntu, which is really just “copy & paste” no super power required there, thanks to Brian! One note is there are two builds, one will provide an upload feature to upload the images to Azure and the other build without that. The size is really small, mine with full features was 5.5MB. After finishing the build you will find the binary (at least on my system) under:

./target/x86_64-unknown-linux-musl/release/

Continue reading