Acquiring memory with AVML
AVML, or Acquire Volatile Memory for Linux, is a userland acquisition tool developed by Microsoft. The main advantage of AVML is that it does not need to be built on the target host and supports multiple sources:
- /dev/crash
- /proc/kcore
- /dev/mem
If no particular source is specified when you run AVML, the tool will go through all the sources, looking for a valid one and collecting memory from it.
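The source-probing behaviour just described can be wrapped in a small acquisition script for the responder's toolkit. The following POSIX shell script is an added example, not code from the book or from the AVML project: it checks the three candidate sources in the same order AVML tries them, runs `avml` against the first readable one, and records a SHA-256 of the resulting image so the acquisition can be verified later. It assumes `avml` is on `PATH` and accepts `--source <path>` followed by an output filename (as documented in the project's README; confirm with `avml --help` on your build); the output and manifest file names are our own choices.

```shell
#!/bin/sh
# Added example, not from the book or the AVML project. Picks a memory source in
# the same order AVML probes them, runs avml against it, and records a SHA-256
# of the image so the acquisition can be verified later.
# Assumptions: `avml` is on PATH and takes `--source <path> <output>` (per the
# project README; confirm with `avml --help`); file names are our own choices.

# Candidate sources, in the order AVML itself tries them.
AVML_SOURCES="/dev/crash /proc/kcore /dev/mem"

# first_readable_source PATH...
# Prints the first argument that exists and is readable by the current user.
# Returns 1 and prints nothing when none qualifies (e.g. not running as root).
first_readable_source() {
    for src in "$@"; do
        if [ -r "$src" ]; then
            printf '%s\n' "$src"
            return 0
        fi
    done
    return 1
}

# hash_image FILE
# Prints the SHA-256 of FILE (coreutils sha256sum, falling back to shasum).
hash_image() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# acquire_memory OUTPUT [SOURCE]
# Acquires memory into OUTPUT from SOURCE, or from the first readable candidate
# when SOURCE is omitted, then writes OUTPUT.sha256 next to it.
acquire_memory() {
    out=$1
    src=$2
    if [ -z "$src" ]; then
        src=$(first_readable_source $AVML_SOURCES) || {
            echo "no readable memory source; are you root?" >&2
            return 1
        }
    fi
    echo "acquiring from $src into $out" >&2
    avml --source "$src" "$out" || return 1
    hash_image "$out" > "$out.sha256"
    echo "image hash: $(cat "$out.sha256")" >&2
}

# Usage: sh acquire.sh /mnt/evidence/memory.lime [/proc/kcore]
if [ "$#" -gt 0 ]; then
    acquire_memory "$@"
fi
```

Run it as root with the evidence path as the first argument; pass a second argument to force a specific source instead of letting the script pick one. Writing the image to external or network-mounted storage rather than the host's own disk keeps the acquisition from overwriting unallocated space you may later want to examine.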
The disadvantage, perhaps, is that this tool has been tested on a limited number of distributions, so it is better to test it in a virtual environment before using it.
At the time of writing this book, the following distributions have been tested:
- Ubuntu: 12.04, 14.04, 16.04, 18.04, 18.10, 19.04, 19.10
- Centos: 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6
- RHEL: 6.7, 6.8, 6.9, 7.0, 7.2, 7.3, 7.4, 7.5, 8
- Debian: 8, 9
- Oracle Linux: 6.8, 6.9, 7.3, 7.4, 7.5, 7.6
So, the first thing you need...