Linux ELF core files
In most UNIX flavored OSes, a process can be delivered a signal so that it dumps a core file. A core file is essentially a snapshot of the process and its state right before it cored (crashed or dumped). A core file is a type of ELF file that is primarily made up of program headers and memory segments. They also contain a fair amount of notes in the PT_NOTE segment that describe file mappings, shared library paths, and other information.
A core file by itself is not especially useful for process memory forensics, but it may yield some results to the more astute analyst.
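To make the layout described above concrete, here is an added example (not code from the book or from ECFS) that builds a minimal ELF64 core file in memory, then walks its program headers, reads the PT_NOTE segment and decodes the NT_FILE note that records which file backs each mapping. The sample mappings, the binary name and the library path are constructed placeholders; the heuristic at the end (a shared object mapped from outside the system library directories) is this example's own assumption about what an analyst might want to flag, not something the page states.

```python
import struct

# ELF constants from the ELF specification and the Linux kernel's elf.h
ET_CORE = 4
EM_X86_64 = 62
PT_LOAD = 1
PT_NOTE = 4
PF_R, PF_W, PF_X = 4, 2, 1
NT_FILE = 0x46494C45          # "FILE": Linux-specific note listing file-backed mappings
EHDR_FMT = "<HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # ELF64 program header (56 bytes)


def build_note(name: bytes, ntype: int, desc: bytes) -> bytes:
    """Serialize one ELF note: namesz, descsz, type, then name and desc each padded to 4 bytes."""
    name_z = name + b"\0"
    pad = lambda b: b + b"\0" * (-len(b) % 4)
    return struct.pack("<III", len(name_z), len(desc), ntype) + pad(name_z) + pad(desc)


def build_nt_file(mappings, page_size=4096) -> bytes:
    """NT_FILE body: count, page_size, (start, end, file offset in pages) triples, NUL-terminated paths."""
    desc = struct.pack("<QQ", len(mappings), page_size)
    for start, end, ofs_pages, _ in mappings:
        desc += struct.pack("<QQQ", start, end, ofs_pages)
    return desc + b"".join(p.encode() + b"\0" for *_, p in mappings)


def build_core(mappings, segments) -> bytes:
    """Assemble a minimal core: ELF header, one PT_NOTE phdr, one PT_LOAD phdr per segment, then data."""
    notes = build_note(b"CORE", NT_FILE, build_nt_file(mappings))
    phnum = 1 + len(segments)
    data_off = 64 + 56 * phnum                      # data follows the header and the phdr table
    phdrs = struct.pack(PHDR_FMT, PT_NOTE, 0, data_off, 0, 0, len(notes), 0, 1)
    blobs = notes
    for vaddr, flags, content in segments:
        phdrs += struct.pack(PHDR_FMT, PT_LOAD, flags, data_off + len(blobs), vaddr, 0,
                             len(content), len(content), 4096)
        blobs += content
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = e_ident + struct.pack(EHDR_FMT, ET_CORE, EM_X86_64, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + blobs


def iter_notes(blob: bytes):
    """Walk a PT_NOTE segment, yielding (name, type, desc) for each note."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        yield name, ntype, blob[off:off + descsz]
        off += (descsz + 3) & ~3


def parse_nt_file(desc: bytes):
    """Decode NT_FILE into (start, end, file offset in bytes, path) tuples."""
    count, page_size = struct.unpack_from("<QQ", desc, 0)
    ranges = [struct.unpack_from("<QQQ", desc, 16 + 24 * i) for i in range(count)]
    paths = desc[16 + 24 * count:].split(b"\0")[:count]
    return [(s, e, ofs * page_size, p.decode()) for (s, e, ofs), p in zip(ranges, paths)]


def parse_core(data: bytes):
    """Return (PT_LOAD segments, NT_FILE mappings) from an ELF64 little-endian core file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = struct.unpack_from(EHDR_FMT, data, 16)
    if e_type != ET_CORE:
        raise ValueError("not a core file (e_type != ET_CORE)")
    segments, files = [], []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segments.append((p_vaddr, p_memsz, p_flags))
        elif p_type == PT_NOTE:
            for name, ntype, desc in iter_notes(data[p_offset:p_offset + p_filesz]):
                if name == b"CORE" and ntype == NT_FILE:
                    files.extend(parse_nt_file(desc))
    return segments, files


def unusual_library_paths(files, allowed=("/lib/", "/usr/lib/", "/lib64/", "/usr/lib64/")):
    """Heuristic assumed by this example: shared objects mapped from outside the system library dirs."""
    return [p for _, _, _, p in files if ".so" in p and not p.startswith(allowed)]


# Constructed sample: a fictitious binary plus a library mapped from /tmp (placeholder path).
SAMPLE_MAPPINGS = [
    (0x400000, 0x401000, 0, "/usr/bin/victim"),
    (0x7F1000000000, 0x7F1000002000, 0, "/tmp/libpreload.so"),
]
SAMPLE_SEGMENTS = [
    (0x400000, PF_R | PF_X, b"\x90" * 64),
    (0x7F1000000000, PF_R | PF_X, b"\xcc" * 64),
]
SAMPLE_CORE = build_core(SAMPLE_MAPPINGS, SAMPLE_SEGMENTS)

if __name__ == "__main__":
    segs, files = parse_core(SAMPLE_CORE)
    for vaddr, size, flags in segs:
        print(f"PT_LOAD {vaddr:#x} size={size} flags={flags}")
    for start, end, ofs, path in files:
        print(f"NT_FILE {start:#x}-{end:#x} file_offset={ofs:#x} {path}")
    print("shared objects outside system library dirs:", unusual_library_paths(files))
```

On a real dump, `readelf -n core` prints the same NT_FILE table under "Mapped files", which is the quickest way to confirm what the parser above reports. Note that the kernel stores the file offset in NT_FILE in units of the recorded page size, so it has to be multiplied out before it can be compared with offsets inside the mapped file.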
Note
This is actually where ECFS comes into the picture; it is an extension of the regular Linux ELF core format and provides features that are specifically for forensic analysis.
Analysis of the core file – the Azazel rootkit
Here, we will infect a process with the azazel rootkit using the LD_PRELOAD environment variable, and then deliver an abort signal to the process so that we can capture a core dump for...