In the following section, we will describe memory acquisition techniques and sample use cases to use Volatility for Linux memory forensics.
If the system is not virtualized and therefore, there is no way of getting the memory directly from the hypervisor layer; then even for Linux, our tool of choice is LiME.
However, unlike in Android, the tool installation and operation is a lot easier because we generate and run LiME directly on Linux system; however, many steps are quite similar as you will notice in the following paragraphs.
First, determine the exact kernel version, which is running on the system, that is to be analyzed. If there is no sufficient documentation available, then you may run the following ...