Top 6 Tools To Search For Memory Under Linux
- Category: Linux
- Author: Admin
- October 22, 2015
There are a number of reasons why a user might want to dump the physical memory of a Linux server, including searching for password strings, replacing or editing core files or commonly-used processes, troubleshooting or doing forensic analysis on stored data – or just knowing what’s on the system.
This used to be fairly easy with the dd /dev/mem command, but the direct access option is no longer available in newer kernels due to increased security restrictions, even if you’re acting as a superuser.
Today, the best way to search for memory under Linux is to use a tool developed for the purpose. Here are six good ones to check out.
Once known as DMD, this is a loadable kernel module and one of the few available tools that will let you dump full memory captures from Android devices as well as Linux machines. It can dump memory either directly to the device’s file system or over a network, and is noteworthy because it basically works without user interaction, meaning the memory captures are much more accurate than with other tools.
The Linux version of the popular Windows Volatility tool, Volatilitux is flexible and useful. It allows you to dump RAM, as well as examine and extract a process’s open files. It can also automatically detect kernel structures (although that doesn’t work reliably on some dumps, in which case you can create a config file with information on the memory layout). It’s worth checking out for one other reason: it supports dumps from devices with ARM architectures, like smartphones.
If you’re looking for a professional or enterprise (and expensive) solution that is a powerful forensics tool for Linux, Second Look is worth a first look. This tool is much more than a simple way to dump and search memory, as it includes a number of analysis tools and even proactive alert functions to help protect against intrusions. However, it also provides the ability to reliably dump memory locally or over a network, with PMAD modules for several hundred kernels covering all of the common Linux distributions.
Named after an undead creature from Norse mythology, this was one of the first tools developed for Linux memory analysis. It will only allow you to list processes and search and extract specific areas of the system’s memory, but is still effective for those purposes. Development on Draugr has been stopped for some time.
If you’re not in need of an elegant solution, Memdump is simple and to the point. Memdump is IBM Public License freeware which simply dumps physical memory to the normal output stream while skipping any holes in the memory maps.
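The holes mentioned above are the gaps between the physical address ranges that the kernel lists as "System RAM" in /proc/iomem. The sketch below is an added example, not code from Memdump or any other tool on this list; it parses a constructed /proc/iomem sample to show which ranges an acquisition covers and which gaps it skips, so the size of a dump can be checked against the RAM the kernel reports.

```python
import re

# Constructed sample in /proc/iomem format (not captured from a real host).
SAMPLE_IOMEM = """\
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01c031d0 : Kernel code
  01c031d1-0266a03f : Kernel data
bffe0000-bfffffff : Reserved
fec00000-fec003ff : IOAPIC 0
100000000-13fffffff : System RAM
"""

# Top-level entries start at column 0; indented child entries do not match.
LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) : (.+)$")

def system_ram_ranges(text):
    """Return sorted (start, end) inclusive ranges of top-level System RAM."""
    ranges = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return sorted(ranges)

def holes(ranges):
    """Return (start, end) inclusive gaps between consecutive RAM ranges."""
    return [(a_end + 1, b_start - 1)
            for (_, a_end), (b_start, _) in zip(ranges, ranges[1:])
            if b_start > a_end + 1]

def ram_bytes(ranges):
    """Total bytes of RAM a complete capture of these ranges should hold."""
    return sum(end - start + 1 for start, end in ranges)

def unprivileged_view(ranges):
    """Readers without root see every address as zero; flag that case."""
    return bool(ranges) and all(s == 0 and e == 0 for s, e in ranges)

if __name__ == "__main__":
    ram = system_ram_ranges(SAMPLE_IOMEM)
    for start, end in ram:
        print(f"RAM  {start:#014x}-{end:#014x}")
    for start, end in holes(ram):
        print(f"hole {start:#014x}-{end:#014x}")
    print("expected capture size:", ram_bytes(ram), "bytes")
```

On a live system, pass the contents of /proc/iomem read as root; without root the kernel reports all addresses as zero, which `unprivileged_view` detects.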