{"id":9728,"date":"2013-04-03T15:45:30","date_gmt":"2013-04-03T20:45:30","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=9728"},"modified":"2013-04-03T17:33:00","modified_gmt":"2013-04-03T22:33:00","slug":"top-8-tools-for-linux-unix-memory-forensics-analysis","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=9728","title":{"rendered":"Top 8 Tools For Linux \/ Unix Memory Forensics Analysis"},"content":{"rendered":"<blockquote>\n<h2>Memfetch<\/h2>\n<p>It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers &#8211; and a convenient way to grab &#8220;screenshots&#8221; from many types of text-based interactive utilities. To install memfetch:<\/p>\n<pre class=\"bash\"><span style=\"color: #808080; font-style: italic;\">## FreeBSD ##<\/span>\r\npkg_add -r -v memfetch\r\n\r\n<span style=\"color: #808080; font-style: italic;\">## other *nix user download it from the following url ##<\/span>\r\n<span style=\"color: #c20cb9; font-weight: bold;\">wget<\/span> http:\/\/lcamtuf.coredump.cx\/soft\/memfetch.tgz\r\n<span style=\"color: #c20cb9; font-weight: bold;\">tar<\/span> xvf memfetch.tgz\r\n<span style=\"color: #7a0874; font-weight: bold;\">cd<\/span> memfetch &amp;&amp; <span style=\"color: #c20cb9; font-weight: bold;\">make<\/span><\/pre>\n<\/blockquote>\n<p>via <a href=\"http:\/\/www.cyberciti.biz\/programming\/linux-memory-forensics-analysis-tools\/\">Top 8 Tools For Linux \/ Unix Memory Forensics Analysis<\/a>.<\/p>\n<p>This looks like a useful tool.\u00a0 From the README file:<\/p>\n<blockquote><p>Debuggers like gdb are pretty good for examining small sections<br \/>\nof code or memory, but are pretty much useless for massive\u00a0 comparison, sophisticated searches and such. 
It&#8217;s good to be able to retrieve full memory image to run it thru grep, strings, your favorite viewer or any other tool. Quite obviously, I developed this code not because it&#8217;s extremely difficult to do it on your own, but because it is a valuable shell utility for all kinds of deep hacking activities that simply saves you time.<\/p>\n<p>Memfetch is a convenient screenshot grabber for ssh or screen sessions, by\u00a0 the way \ud83d\ude09<\/p><\/blockquote>\n<p>I chose memfetch from the eight since it seemed the most intuitive and simple.\u00a0 The downloadable tarball contains a single .c file and a make file.\u00a0 Unfortunately the installation isn&#8217;t as easy as portrayed in the above blurb.\u00a0 On Fedora 14 I needed to futz with the C_INCLUDE_PATH and add the kernel&#8230;\/asm-generic into the path.\u00a0 I also had to symbolically link an asm to asm-generic in the kernel source include directory because the program wanted an asm\/path.h file.\u00a0 Things have changed since 2007 when this program was last updated.\u00a0 But it works and it may prove useful.\u00a0\u00a0 I&#8217;m sure <a href=\"http:\/\/www.backtrack-linux.org\/\">Backtrack 5<\/a> must have this tool, or a tool like this, pre-installed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Memfetch It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. 
It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers &#8211; &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=9728\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54],"tags":[79,721,28,87],"class_list":["post-9728","post","type-post","status-publish","format-standard","hentry","category-programming","tag-download","tag-linux-admin","tag-linux-command","tag-tools"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9728"}],"version-history":[{"count":3,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9728\/revisions"}],"predecessor-version":[{"id":9733,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/9728\/revisions\/9733"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9728"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9728"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}