Top 8 Tools For Linux / Unix Memory Forensics Analysis


It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers – and a convenient way to grab “screenshots” from many types of text-based interactive utilities. To install memfetch:

## FreeBSD ##
pkg_add -r -v memfetch

## other *nix users download it from the following url ##
tar xvf memfetch.tgz
cd memfetch && make

via Top 8 Tools For Linux / Unix Memory Forensics Analysis.

This looks like a useful tool. From the README file:

Debuggers like gdb are pretty good for examining small sections of code or memory, but are pretty much useless for massive comparison, sophisticated searches and such. It’s good to be able to retrieve full memory image to run it thru grep, strings, your favorite viewer or any other tool. Quite obviously, I developed this code not because it’s extremely difficult to do it on your own, but because it is a valuable shell utility for all kinds of deep hacking activities that simply saves you time.

Memfetch is a convenient screenshot grabber for ssh or screen sessions, by the way 😉

I chose memfetch from the eight since it seemed the most intuitive and simple. The downloadable tarball contains a single .c file and a makefile. Unfortunately the installation isn’t as easy as portrayed in the above blurb. On Fedora 14 I needed to futz with the C_INCLUDE_PATH and add the kernel…/asm-generic into the path. I also had to symbolically link an asm to asm-generic in the kernel source include directory because the program wanted an asm/path.h file. Things have changed since 2007 when this program was last updated. But it works and it may prove useful. I’m sure Backtrack 5 must have this tool, or a tool like this, pre-installed.
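The dump-then-grep workflow the README describes, as an added example in Python rather than memfetch's own C code: it walks the readable mappings listed in /proc/<pid>/maps, copies them out of /proc/<pid>/mem, and searches the snapshot. The sample maps text is constructed, and the region-size cap and the skipping of unreadable regions such as [vvar] are choices made here, not memfetch behaviour.

```python
"""Minimal memfetch-style dumper: walk /proc/<pid>/maps, copy each readable
mapping out of /proc/<pid>/mem, then search the snapshot like grep/strings."""
import os
import re

# Constructed sample of /proc/<pid>/maps lines, not captured from a real process.
EXAMPLE_MAPS = (
    "555555554000-555555558000 r--p 00000000 fd:01 1234   /usr/bin/example\n"
    "7ffff7fc3000-7ffff7fc7000 r--p 00000000 00:00 0      [vvar]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0      [stack]\n"
)
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

def parse_maps(text):
    """Parse maps-file text into (start, end, perms, path) tuples; no memory is read."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if m:
            regions.append((int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions

def dump_process(pid="self", max_region=256 << 20):
    """Snapshot readable mappings of pid as (start, path, bytes); self is always readable."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    snapshot = []
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, perms, path in regions:
            if perms[0] != "r" or end - start > max_region:
                continue  # PROT_NONE guard pages or a huge reservation: skip
            try:
                snapshot.append((start, path, os.pread(fd, end - start, start)))
            except OSError:
                continue  # e.g. [vvar] answers EIO; skip it rather than abort the dump
    finally:
        os.close(fd)
    return snapshot

def search(snapshot, needle):
    """Return (virtual address, mapping name) for every occurrence of needle."""
    hits = []
    for start, path, data in snapshot:
        off = data.find(needle)
        while off != -1:
            hits.append((start + off, path))
            off = data.find(needle, off + 1)
    return hits
```

Other processes need the same ptrace rights memfetch requires (root, or ptrace_scope permitting), which is why the stand-alone run targets the calling process.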