Linux Memory Forensics: Dissecting the User Space Process Heap

Monday, October 16, 2017 (12:45:20)

by Frank Block and Andreas Dewald

The analysis of memory during a forensic investigation is often an important step in reconstructing events. Prior work in this field has mostly concentrated on information residing in kernel space (process lists, network connections, and so on), and in particular on the Microsoft Windows operating system. This work instead focuses on Linux user space processes, as they might also contain valuable information for an investigation. Because a lot of process data is located in the heap, this work concentrates first on the analysis of Glibc's heap implementation and on how and where heap-related information is stored in the virtual memory of Linux processes that use it. Up to now, memory forensics has mostly treated the heap as one large cohesive memory region, which makes identifying relevant information inside it rather hard manual work.
