##################################################
Benji Greenfield
yo at digitalbenji.com
date: July 16, 2011
info: Use the fmem kernel module to carve specific data out of memory on a host.

Modern Linux distributions restrict userland access to the contents of RAM (/dev/mem and /dev/kmem, if /dev/kmem is even present). This presents a challenge when live memory analysis and/or acquisition is required, typically in a digital forensics or incident response context. While it is possible to compile a kernel with a special directive allowing userland access (typically via the root user) to the /dev memory devices, doing so introduces vulnerabilities (restricting userland access to /dev/mem is a security configuration) and also adds administration overhead. A simpler solution is to dynamically load the fmem kernel module only when live memory analysis and/or acquisition on a Linux host is required. The following briefly explores the basics of doing so.
##################################################

1 - Obtain the latest version of fmem from: http://hysteria.sk/~niekt0/fmem/

2 - Build fmem (just run make).
    NOTE: Compiling fmem requires that the sources be installed for the current kernel of the host system.

3 - Load the fmem kernel module (requires root privileges). There are two ways to do this:

    Ugly way:
        insmod fmem.ko

    Pretty way (use the run script included with fmem):
        ./run.sh
        Module: insmod fmem.ko a1=0xffffffff81054dfd : OK
        Device: /dev/fmem
        ----Memory areas: -----
        reg00: base=0x000000000 ( 0MB), size= 4096MB, count=1: write-back
        reg01: base=0x0dff00000 ( 3583MB), size= 1MB, count=1: uncachable
        reg02: base=0x0e0000000 ( 3584MB), size= 512MB, count=1: uncachable
        reg03: base=0x100000000 ( 4096MB), size= 512MB, count=1: write-back
        -----------------------
        !!! Don't forget add "count=" to dd !!!

Voila, now you have /dev/fmem available to access the contents of RAM. Now what?
##################################################
dump RAM contents to a remote system:

On remote system:
    nc -l 7337 > memory.fmem

On the host with fmem loaded (REMOTE_HOST is a placeholder for the listener's address; /dev/fmem never returns EOF, so dd must be told how many blocks to read):
    dd if=/dev/fmem count=<number_of_1M_blocks> bs=1M | nc REMOTE_HOST 7337

Alternate option (derive the count from MemTotal in /proc/meminfo; reading the second whitespace-separated field with awk does not depend on the column padding the way cut -f 9 -d ' ' does, and bs=1kB keeps the units matched):
    dd if=/dev/fmem count=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo) bs=1kB | nc REMOTE_HOST 7337
##################################################
search the contents of a dump file for a particular string:
NOTE: This method uses tools from The Sleuth Kit.

1 - Index the dump file for strings, with decimal offsets available for blkcat later:
    srch_strings -t d -a memory.fmem > strings.memory.fmem

2 - grep the string file for what you're looking for:
    grep "MySpecial" strings.memory.fmem
    3730394592 grep "MySpecial" strings.memory.fmem
    3755552776 MySpecial
    3755555296 MySpecialPassword###

3 (Optional) - Use blkcat to examine the data directly in the dump file:
    blkcat -i raw -f raw memory.fmem 7335068 300 | xxd | less
    NOTE: 7335068 is the block address, obtained by taking the decimal offset from grep (3755555296) and dividing by 512 (the size of each addressable unit in the dump file). 300 is the number of blocks of data to dump. The unit size may be something other than 512; you can determine it with:
    blkcat -i raw -f raw -s memory.fmem
    512: Size of Addressable Unit
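The two arithmetic steps above (the dd count from /proc/meminfo, and turning a srch_strings offset into a blkcat block address) as an added POSIX shell helper; this is example code, not part of the original note. Function names and the sample meminfo text are assumptions, and the block count is rounded up so a match that straddles a unit boundary is fully covered.

```shell
#!/bin/sh
# Added helper script (not from the original note): the two arithmetic steps
# done with awk, so /proc/meminfo parsing does not depend on column spacing
# and the multi-GB offsets never overflow shell integer arithmetic.

# Number of 1kB blocks for "dd if=/dev/fmem count=... bs=1kB", read from
# /proc/meminfo-style text on stdin. /dev/fmem never reports EOF, so an
# unbounded dd would never stop; the count is what ends the read.
fmem_dd_count() {
    awk '/^MemTotal:/ { print $2; exit }'
}

# Turn one "srch_strings -t d" hit into a blkcat address. Arguments:
# decimal byte offset, the matched string, addressable unit size
# (default 512, the value "blkcat -s" reported in the note).
# Prints "<block> <bytes into block> <blocks to read>"; the block count
# is a ceiling so a match crossing a unit boundary is still covered.
hit_to_blkcat() {
    awk -v off="$1" -v len="${#2}" -v unit="${3:-512}" 'BEGIN {
        blk  = int(off / unit)
        skip = off - blk * unit
        n    = int((skip + len + unit - 1) / unit)   # ceiling division
        printf "%d %d %d\n", blk, skip, n
    }'
}

# Constructed sample input (not a real /proc/meminfo); only MemTotal is used.
SAMPLE_MEMINFO='MemTotal:        8040288 kB
MemFree:         1234567 kB'

count=$(printf '%s\n' "$SAMPLE_MEMINFO" | fmem_dd_count)
echo "dd if=/dev/fmem count=$count bs=1kB | nc REMOTE_HOST 7337"

# The hit from the note: offset 3755555296 -> block 7335068, 480 bytes in.
set -- $(hit_to_blkcat 3755555296 'MySpecialPassword###')
echo "blkcat -i raw -f raw memory.fmem $1 $3 | xxd | less   # match begins $2 bytes into the block"
```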