One of the problems we’ve experienced over the years with Linux memory forensics has been the difficulty of obtaining a memory dump. This is because most acquisition tools require a loadable kernel module built against the exact same kernel version as the target. Building the kernel module on the target itself has several problems: […]
On November 21, 2017, I did a webcast for the SANS Institute to discuss memory forensics. During the webcast, we discussed a number of custom plugins for Volatility to assist in the analysis of memory images. I’ve posted the plugins here. Enjoy!