Monday, August 20, 2012

Recovering Memory Filesystems With Volatility

Via memoryforensics.blogspot.de ,  I have learned about a Volatility plugin that can list and extract tmpfs  filesystems from Linux memory images.

As the author of the blog post comments, many distributions are using this filesystem for different tasks (e.g. /tmp /dev/shm) with the benefit of not having to delete files  and also the added performance compared with traditional filesystems that are stored in hard drives.

Of course, this has some implications when performing a forensic analysis, because all the information contained will be lost if the investigator only make a disk image.  On top of this, /tmp and /dev/shm are one of the few directories that are world writable and, therefore, preferred by the attackers to store information.