Using Volatility on Linux
In the following section, we describe memory acquisition techniques for Linux and walk through sample use cases for analyzing the resulting images with Volatility.
Memory acquisition
If the system is not virtualized, and there is therefore no way of acquiring memory directly from the hypervisor layer, then our tool of choice for Linux, just as for Android, is LiME.
Unlike on Android, however, installing and operating the tool is considerably easier, because we build and run LiME directly on the Linux system; many of the steps are nevertheless quite similar, as you will notice in the following paragraphs.
First, determine the exact kernel version running on the system to be analyzed. If no sufficient documentation is available, run the following command to get the kernel version:
user@forensic-target $ uname -a
Linux forensic-target 3.2.0-88-generic #126-Ubuntu SMP Mon Jul 6 21:33:03 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
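The following shell script is an added example, not code from the book or from the LiME project. It records the running kernel's exact release string (the value that an out-of-tree module build such as LiME is compiled against), checks whether matching kernel headers are installed under the conventional /lib/modules/<release>/build path, and compares a release documented elsewhere (for example, a uname -a line from a configuration database) with the live system, so that a mismatch is caught before any module is built. The function names and the /lib/modules/<release>/build convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the book or LiME): identify the running kernel so that
# an acquisition module can be built against exactly this release.
# Assumes POSIX sh, uname and awk; /lib/modules/<release>/build is the usual
# symlink that out-of-tree module builds (make -C ... M=$PWD) rely on.

# Exact release string of the running kernel, e.g. 3.2.0-88-generic.
kernel_release() {
    uname -r
}

# Return 0 if kernel headers for the given release are installed, 1 otherwise.
headers_present() {
    release="$1"
    [ -d "/lib/modules/$release/build" ]
}

# Extract the release field from a full `uname -a` line (field 3:
# sysname nodename release version machine ...), so that a version recorded
# in documentation can be compared with the live system.
release_from_uname_a() {
    printf '%s\n' "$1" | awk '{print $3}'
}

# Return 0 if the release documented in a `uname -a` line equals the expected
# release; a mismatch means a module built for the documented kernel will not
# load on this system.
release_matches() {
    [ "$(release_from_uname_a "$1")" = "$2" ]
}

main() {
    live=$(kernel_release)
    printf 'Running kernel release: %s\n' "$live"
    if headers_present "$live"; then
        printf 'Kernel headers found under /lib/modules/%s/build\n' "$live"
    else
        printf 'No kernel headers for %s; build the module on a system with a matching kernel\n' "$live" >&2
    fi
}

main "$@"
```

Run it on the target (or on the build host you intend to use for the module) before compiling anything; if the headers check fails, the module has to be built elsewhere against the same release and copied over, which is the situation the book's later steps address.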
Tip
Use the configuration management in enterprise environments...