Memory Forensic
Linux memory
Dump Linux memory
To dump Linux memory for a specific process to disk, we need the following:
Get process id (PID):
/proc/\[PID\]/cmdline
cmdline is a file that holds the complete command line for the process; its arguments are separated by NUL bytes. Use it to confirm that the PID you picked really is the target.
Get PID maps:
/proc/\[PID\]/maps
maps is a file listing the currently mapped memory regions of the process, with their address ranges and access permissions. Only regions whose permissions start with r can be read out of mem; the others (for example ---p reservations) are skipped.
Get process's memory pages:
/proc/\[PID\]/mem
mem is a file that gives access to the pages of a process's memory: seek to an address taken from maps and read from there. Reading another process's mem requires ptrace permission over it (the same user, subject to the kernel.yama.ptrace_scope restriction, or root with CAP_SYS_PTRACE).
Case study
Let's assume we want to dump the gnome-keyring-daemon
process's memory to our disk in order to extract the logged-in user(s) password(s), since it is stored as plain text in memory. Moreover, we know that it comes after the "libgck-1" or "libgcrypt" strings in memory. We'll break that into parts, then put it together.
Get process id (PID)
Get PID maps:
Get process's memory pages:
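Putting the three steps together (cmdline to find the PID, maps to enumerate the readable regions, mem to copy them out) as an added example, not code from the original page: a Python script that dumps a named process to a file and then lists the printable strings that follow the "libgck-1" and "libgcrypt" markers in the dump, which is the page's own heuristic for locating the password. The function names, the SAMPLE_MAPS text and the self_check canary are assumptions made here for illustration; the script needs Linux and ptrace rights over the target.

```python
"""Dump a Linux process's memory via /proc/[PID]/maps and /proc/[PID]/mem and list the
printable strings after a marker. Added example, not the page's code; names, SAMPLE_MAPS
and the self_check canary are illustrative assumptions. Needs Linux and ptrace access
to the target (same UID under kernel.yama.ptrace_scope, or CAP_SYS_PTRACE/root)."""
import os, re, sys, tempfile
from itertools import islice
from typing import List, Optional, Tuple

# One /proc/[PID]/maps line: start-end perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable runs of 4+ bytes, like strings(1)
SAMPLE_MAPS = """\
55d1c3a00000-55d1c3a01000 r--p 00000000 08:01 1234 /usr/bin/gnome-keyring-daemon
55d1c5100000-55d1c5121000 rw-p 00000000 00:00 0    [heap]
7f3e1a000000-7f3e1a021000 ---p 00000000 00:00 0
7ffd2b9c0000-7ffd2b9e1000 rw-p 00000000 00:00 0    [stack]
"""  # constructed sample of maps output (illustrative addresses only)

def find_pid(name: str) -> Optional[int]:
    """Step 1: lowest PID whose /proc/[PID]/cmdline argv[0] has basename `name`."""
    for pid in sorted(int(e) for e in os.listdir("/proc") if e.isdigit()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv0 = f.read().split(b"\0", 1)[0]  # arguments are NUL-separated
        except OSError:
            continue  # process exited, or not ours to inspect
        if os.path.basename(argv0.decode(errors="replace")) == name:
            return pid
    return None

def parse_maps(text: str) -> List[Tuple[int, int, str, str]]:
    """Step 2: parse maps text into (start, end, perms, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions

def dump_process(pid: int, out_path: str, max_region: Optional[int] = None) -> int:
    """Step 3: copy every readable mapping from /proc/[PID]/mem into out_path; returns bytes written."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    written = 0
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem, open(out_path, "wb") as out:
        for start, end, perms, _path in regions:
            if perms[0] != "r" or start >= 1 << 63 or (max_region and end - start > max_region):
                continue  # unreadable, beyond the seekable range, or a huge sparse reservation
            pos = start
            while pos < end:
                try:
                    mem.seek(pos)
                    chunk = mem.read(min(1 << 20, end - pos))  # 1 MiB at a time
                except OSError:
                    chunk = b""  # EIO: e.g. [vvar], or a page unmapped since we read maps
                if not chunk:
                    break  # give up on the rest of this region
                out.write(chunk)
                written += len(chunk)
                pos += len(chunk)
    return written

def strings_after(blob: bytes, marker: bytes, count: int = 5) -> List[List[bytes]]:
    """For each occurrence of marker, the next `count` printable strings after it (strings | grep -A)."""
    hits = []
    idx = blob.find(marker)
    while idx != -1:
        following = STRING_RE.finditer(blob, idx + len(marker))  # lazy, no copy of the blob
        hits.append([m[0] for m in islice(following, count)])
        idx = blob.find(marker, idx + 1)
    return hits

def self_check() -> Optional[bool]:
    """Prove the pipeline on this very process before aiming it at a real target:
    plant a canary plus a known 'secret' in our heap, dump /proc/self, recover it.
    Returns None where /proc/[PID]/mem is missing or cannot be opened."""
    marker = b"MEMDUMP_CANARY_" + os.urandom(8).hex().encode()
    planted = marker + b"\0secret-after-marker\0"  # stays in our heap until return
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "self.dump")
        try:
            dump_process(os.getpid(), path, max_region=64 << 20)
            with open(path, "rb") as f:
                blob = f.read()
        except OSError:
            return None
    return bool(planted) and any(h == [b"secret-after-marker"] for h in strings_after(blob, marker, 1))

if __name__ == "__main__":  # usage: python3 memdump.py [process-name]
    target = sys.argv[1] if len(sys.argv) > 1 else "gnome-keyring-daemon"
    target_pid = find_pid(target) or sys.exit(f"no running process named {target}")
    print(f"dumped {dump_process(target_pid, f'{target}.dump')} bytes of PID {target_pid}")
    data = open(f"{target}.dump", "rb").read()
    for mark in (b"libgck-1", b"libgcrypt"):
        print(mark.decode(), "->", strings_after(data, mark))
```

Run it as root or as the keyring's owner; with kernel.yama.ptrace_scope=1, the default on many distributions, a same-UID user may only dump their own descendants, so root is the practical choice. Call self_check() first: it dumps the interpreter's own process and confirms that a planted secret comes back out of the dump file, which tells you the maps/mem plumbing and permissions are right before you trust what the tool reports about the real target. The marker heuristic is the page's own; widen `count` if the password is not among the first few strings after "libgck-1" or "libgcrypt".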