Using Volatility on Linux

In the following section, we will describe memory acquisition techniques and sample use cases to use Volatility for Linux memory forensics.

Memory acquisition

If the system is not virtualized and therefore, there is no way of getting the memory directly from the hypervisor layer; then even for Linux, our tool of choice is LiME.

However, unlike in Android, the tool installation and operation is a lot easier because we generate and run LiME directly on Linux system; however, many steps are quite similar as you will notice in the following paragraphs.

First, determine the exact kernel version, which is running on the system, that is to be analyzed. If there is no sufficient documentation available, then you may run the following ...

Get Mastering Python Forensics now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Mastering Python Forensics by Dr. Michael Spreitzenbarth, Dr. Johann Uhrmann

Using Volatility on Linux

Memory acquisition

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly