Memory Forensics

7.4 Memory Acquisition

7.4.4 Linux Acquisition

Historical

/dev/mem

linux@k8s-node2:/dev$ ls -al mem
crw-r----- 1 root kmem 1, 1 Mai 20 20:42 mem
  • c: a character device file
  • root: the owner of the file; here, the owner is the root user
  • kmem: the group owner of the file; in this case, the group is kmem

When enabled, this device exports physical memory and allows programs (such as dd) running with root privileges to read from and write to RAM directly. On current kernels it is typically restricted or disabled, which is why it is listed here as historical.

ptrace

ptrace is the userland debugging interface.
It can acquire pages only from running processes, so it misses all kernel memory, freed pages, and other data.
The only time you should use ptrace as an acquisition method is when you are interested in the code and data of a single process, such as one related to a piece of malware.

Modern Acquisition

fmem (designed for 32-bit systems)

fmem operates by loading a kernel driver that creates a character device named /dev/fmem.
This device exports physical memory for other programs to access.

  • It checks whether physical pages reside in main memory (by calling the page_is_ram function) before accessing them.
  • Another advantage of fmem is that it can access physical pages above the 896MB boundary.
  • The only disadvantage of fmem is that it requires the investigator to inspect /proc/iomem to determine where RAM is mapped. The entries of interest for acquisition are those named System RAM.

[Screenshots of /proc/iomem output omitted]

Within this guest, there are four ranges of physical memory that you need to acquire.
Note that the last range (100000000 - 100bfffff) is above the normal limit for 32-bit systems (which is 0xffffffff) and actually sits at about 4.3GB into physical memory. So if you use dd to acquire 3084MB of RAM with fmem, you would miss the data in the last region. It would take a knowledgeable investigator to notice this error, because the file would be the correct size for the installed RAM (3084MB), and memory analysis tools (including Volatility) would appear to work for the most part. However, the memory sample would be incomplete.

Linux Memory Extractor (LiME)

LiME operates by loading a kernel driver, but instead of creating a character device that userland can access, all acquisition is done within the kernel.

  • enhances the accuracy of the resulting sample because there are no context switches between userland and the kernel required to transfer data
  • improves upon fmem by automatically determining the address ranges that contain main memory

To enumerate the ranges, LiME walks the kernel's iomem_resource linked list. This list holds the descriptors for each physical memory segment. If the name of a segment matches that of RAM (System RAM), the corresponding start and end members determine where in physical memory the segment resides.
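The following script is an added example for the fmem and LiME passages above; it is not code from the page, from fmem, or from LiME. It does in userland what an investigator does by hand with fmem (read /proc/iomem and pick the top-level "System RAM" entries) and what LiME does in-kernel when it walks iomem_resource, and it quantifies the failure mode the text describes: a single dd of "RAM size" bytes from offset 0 silently misses RAM mapped above the 4GB line. The /proc/iomem excerpt is constructed, the output filename is a placeholder, and the generated dd commands assume GNU dd (iflag=skip_bytes,count_bytes, oflag=append).

```python
"""Plan a Linux physical-memory acquisition from /proc/iomem.

Added example, not the page's or fmem's/LiME's code. Mirrors the manual
/proc/iomem inspection fmem requires and the iomem_resource walk LiME does.
"""
import re
from dataclasses import dataclass

# Constructed /proc/iomem excerpt for a small guest; not captured from a real host.
# Top-level lines are physical address windows; indented lines are their children.
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-bfffffff : System RAM
  01000000-01a00bd1 : Kernel code
  01a00bd2-0226e4bf : Kernel data
c0000000-febfffff : PCI Bus 0000:00
fee00000-fee00fff : Local APIC
fffc0000-ffffffff : Reserved
100000000-100bfffff : System RAM
"""

_LINE = re.compile(r"^(\s*)([0-9a-fA-F]+)-([0-9a-fA-F]+) : (.+?)\s*$")
LIMIT_32BIT = 0xFFFFFFFF  # highest address reachable with a 32-bit physical address


@dataclass(frozen=True)
class Segment:
    start: int  # first byte, inclusive
    end: int    # last byte, inclusive (the way /proc/iomem prints it)
    name: str

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_iomem(text: str, top_level_only: bool = True) -> list[Segment]:
    """Parse /proc/iomem text into Segments; nested children are skipped by default."""
    segments = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        indent, lo, hi, name = m.groups()
        if top_level_only and indent:
            continue
        segments.append(Segment(int(lo, 16), int(hi, 16), name))
    return segments


def system_ram(text: str) -> list[Segment]:
    """Ranges an acquisition must cover: top-level entries named exactly 'System RAM'.

    Since Linux 4.6 an unprivileged reader sees every address as zero, so an
    all-zero result means /proc/iomem was read without CAP_SYS_ADMIN.
    """
    ram = [s for s in parse_iomem(text) if s.name == "System RAM"]
    if ram and all(s.start == 0 and s.end == 0 for s in ram):
        raise PermissionError("/proc/iomem addresses are zeroed; read it as root")
    return ram


def total_ram_bytes(ram: list[Segment]) -> int:
    return sum(s.size for s in ram)


def above_32bit(ram: list[Segment]) -> list[Segment]:
    """RAM that a 32-bit-only reader (or a dd of 'RAM size' bytes) cannot reach."""
    return [s for s in ram if s.end > LIMIT_32BIT]


def missed_by_linear_read(ram: list[Segment]) -> int:
    """Bytes of RAM that one dd of total_ram_bytes() from offset 0 would NOT capture.

    The resulting file still has the expected size, which is what makes the
    error hard to spot.
    """
    limit = total_ram_bytes(ram)  # the linear read covers [0, limit)
    missed = 0
    for s in ram:
        covered = max(0, min(s.end + 1, limit) - s.start)
        missed += s.size - covered
    return missed


def dd_plan(ram: list[Segment], device: str = "/dev/fmem",
            out: str = "memory.raw") -> list[str]:
    """One GNU dd command per segment, so only real RAM is read (no reserved/PCI holes).

    The output path is a placeholder; the byte-granular iflag values avoid any
    page-alignment assumption about the segment boundaries.
    """
    return [
        f"dd if={device} of={out} bs=4096 skip={s.start} count={s.size} "
        f"iflag=skip_bytes,count_bytes conv=notrunc oflag=append"
        for s in ram
    ]


if __name__ == "__main__":
    ram = system_ram(SAMPLE_IOMEM)
    for s in ram:
        print(f"{s.start:#011x}-{s.end:#011x}  {s.size / 2**20:8.2f} MiB")
    print(f"total RAM: {total_ram_bytes(ram) / 2**20:.2f} MiB")
    print(f"missed by a linear dd: {missed_by_linear_read(ram) / 2**20:.2f} MiB")
    for cmd in dd_plan(ram):
        print(cmd)
```

Running it against a live system means feeding `open("/proc/iomem").read()` to `system_ram()` as root; the third dd line in the plan starts at byte 4294967296, which is exactly the region the linear 3084MB-style read in the text never reaches.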