AVML – Memory Forensics For Linux

One of the problems we’ve experienced over the years with Linux memory forensics was the difficulty of obtaining a memory dump. This is because most acquisition tools require a loadable kernel module to be built on the exact same kernel version as the target. Building the kernel module on the target itself has several problems:

  • It isn’t forensically sound (we shouldn’t be building our collection software on the target)
  • It also isn’t stealthy – Ray Charles can see what’s coming next if you’re building forensic acquisition software
  • Kernel headers must be installed on the target system (not a given)

Microsoft aims to change this with the release of avml. The avml tool is written in Rust and can capture memory without building a loadable kernel module. There’s no requirement that Rust libraries be present on the target system either. The avml tool is built statically linked, so there shouldn’t be any additional libraries required on the target machine. Obviously you have to be root to acquire memory.

The avml tool attempts to capture from one of the following devices (in this order):

  • /proc/kcore
  • /dev/crash
  • /dev/mem

We tested avml successfully on CentOS 7 and Ubuntu 16.04 and 18.04 for acquisition. While it acquired successfully on all platforms, the memory hasn’t parsed correctly on our Ubuntu systems. This may be the result of memory skew. That’s a condition that occurs when memory changes too much during acquisition. Acquiring memory requires writing to disk and disk writes are slow (relatively speaking).

I have to confess that I use more Ubuntu than CentOS and so do our customers. As a result, I didn’t have a current CentOS volatility profile ready to go. I did what any self-respecting infosec professional would do and spun up a CentOS VM in our lab and went to work installing the many dependencies needed to build a volatility profile.

Unfortunately, I’m not as familiar with yum as I am with apt. While I was installing dependencies (and figuring out which ones to install) just to get a profile built, I decided I was never doing it again. So I did what any senior infosec professional would do and said “intern, come here and document this!” Just kidding, I just wrote a script to do it. You can download that here. Since you’re installing dependencies, you obviously need to run it as root.

The normal output format for avml is LiME, which is supported natively by volatility. It also supports compression using the snappy algorithm (which is cool) but there doesn’t appear to be a tool packaged with avml to decompress the images. This is a real shortcoming since volatility can’t parse the compressed files.
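A quick structural check to run on an acquired image before handing it to volatility, as an added example (not code from this post or from the avml project): it walks the LiME range headers and rejects anything that is not plain, complete LiME, such as a truncated file. The 32-byte header layout is LiME's published format; the function names and the sample image are constructed for illustration.

```python
import io
import struct
import sys

LIME_MAGIC = 0x4C694D45             # stored little-endian, so "EMiL" on disk
HEADER = struct.Struct("<IIQQ8x")   # magic, version, start, end, 8 reserved bytes

def lime_ranges(stream):
    """Walk the LiME range headers of a seekable stream.

    Returns [(start, end), ...] physical address ranges (end inclusive);
    raises ValueError if the image is not well-formed uncompressed LiME.
    """
    total = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    ranges = []
    while stream.tell() < total:
        offset = stream.tell()
        raw = stream.read(HEADER.size)
        if len(raw) < HEADER.size:
            raise ValueError(f"truncated header at offset {offset:#x}")
        magic, version, start, end = HEADER.unpack(raw)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"no LiME v1 header at offset {offset:#x}")
        if end < start:
            raise ValueError(f"range at offset {offset:#x} ends before it starts")
        size = end - start + 1
        if stream.tell() + size > total:
            raise ValueError(f"range {start:#x}-{end:#x} is cut short")
        stream.seek(size, io.SEEK_CUR)   # skip the page data itself
        ranges.append((start, end))
    if not ranges:
        raise ValueError("empty image")
    return ranges

def make_range(start, data):
    """Build one LiME range for the constructed sample below."""
    return HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1) + data

# Constructed sample: two small ranges, not a real capture.
SAMPLE = make_range(0x1000, bytes(4096)) + make_range(0x100000, b"\xaa" * 8192)

if __name__ == "__main__":
    # Pass an image path as the first argument, or run with none for the sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    for start, end in lime_ranges(src):
        print(f"{start:#014x}-{end:#014x}  {(end - start + 1) // 1024} KiB")
```

A clean walk only shows the container is intact; it says nothing about memory skew inside the captured pages.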

In short, I haven’t had enough time to test avml to trust it as a primary tool for Linux memory acquisition. But if I had a situation where I couldn’t build another tool (like Rekall’s pmem), I wouldn’t hesitate to use it.