Linux Memory Forensics: Expanding Rekall for Userland Investigation

2018 11th International Conference on IT Security Incident Management & IT Forensics (IMF)(2018)

Citations: 0 | Views: 14

Abstract
The field of memory forensics is becoming more important in forensic investigations as a way of obtaining valuable data from a running system. Besides kernel artifacts, there may also be plenty of interesting data in the heap of a user-space process, but unfortunately that area has not yet received the attention it deserves in the forensic field. This paper shows that the heap of user applications may also be a rich source of information, including data such as credentials, that can be helpful in a forensic investigation. With the help of the HeapAnalysis plugins previously published by Block, we examined the heap of selected Linux userland software and managed to identify data of interest as well as certain application-internal structures that link those data snippets together. The result of our analysis is a set of plugins for the Rekall framework that enable an investigator to automatically extract process-related information such as login credentials, command history and file information for those applications.
Keywords
Digital Forensics, Memory Forensics, Userland, Heap, Glibc, Linux, Rekall