BIPI

Linux Memory Forensics: LiME, Volatility, and Process Injection Detection

Cybersecurity

Acquiring Linux memory with LiME, building Volatility profiles for custom kernels, and detecting process injection, rootkits, and credential theft in RAM.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 6, 2025 · 13 min read

#memory-forensics #lime #volatility #linux #incident-response

Linux incident response without memory forensics is like investigating a crime scene without touching the building. Adversaries who live in memory — injecting into nginx, dropping shared objects, or patching kernel structures — leave almost no trace on disk.

Memory acquisition with LiME

LiME (Linux Memory Extractor) is a loadable kernel module that dumps RAM to a file or over TCP without interrupting running processes. Build it against the exact kernel version of the target system for a clean acquisition.

  1. Clone LiME and build it on (or for) the target kernel: make -C /lib/modules/$(uname -r)/build M=$(pwd)
  2. Load: insmod lime-$(uname -r).ko path=/mnt/evidence/mem.lime format=lime
  3. For remote acquisition: path=tcp:4444 — receive with nc on the analysis workstation
  4. Verify integrity: record sha256sum on the target, recompute it on the analysis workstation after transfer, and proceed only if the two match
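Before analysis it is worth confirming that the transferred file is a well-formed LiME dump and not a truncated or corrupted copy. The following Python script is an added example (not part of this post, and not code from the LiME project): it walks LiME's per-range headers (magic, version, inclusive start/end address), rejects out-of-order or truncated ranges, and recomputes the SHA-256 to compare with the hash taken on the target. The two-range dump it builds for itself is constructed sample data; the file name and expected hash passed to `verify_dump` are hypothetical.

```python
"""Added example: validate a LiME dump before handing it to Volatility."""
import hashlib
import mmap
import struct

LIME_MAGIC = 0x4C694D45            # "EMiL" when read as little-endian bytes
LIME_VERSION = 1
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


def parse_lime(data) -> list[tuple[int, int]]:
    """Return the (start, end) physical ranges in a LiME dump.

    Raises ValueError on a bad header, a range that runs backwards or out of
    order, or a payload shorter than its header claims (a truncated transfer).
    """
    view = memoryview(data)
    ranges = []
    off = 0
    prev_end = -1
    while off < len(view):
        if len(view) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off:#x}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(view, off)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError(f"bad LiME header at offset {off:#x}: "
                             f"magic={magic:#x} version={version}")
        if e_addr < s_addr or s_addr <= prev_end:
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} malformed or out of order")
        size = e_addr - s_addr + 1          # LiME ranges are inclusive
        off += HEADER.size
        if off + size > len(view):
            raise ValueError(f"payload for range {s_addr:#x}-{e_addr:#x} is truncated")
        ranges.append((s_addr, e_addr))
        prev_end = e_addr
        off += size
    return ranges


def sha256_hex(data, chunk_size: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks so a multi-GB dump is never copied whole."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), chunk_size):
        h.update(view[i:i + chunk_size])
    return h.hexdigest()


def verify_dump(path: str, expected_sha256: str) -> list[tuple[int, int]]:
    """Map the dump file read-only, check its hash, then parse its ranges."""
    with open(path, "rb") as f:
        mm = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        try:
            actual = sha256_hex(mm)
            if actual != expected_sha256.lower():
                raise ValueError(f"hash mismatch: target={expected_sha256} analysis={actual}")
            return parse_lime(mm)
        finally:
            mm.close()


def build_sample_dump() -> bytes:
    """Constructed two-range dump standing in for a real acquisition."""
    def seg(s_addr, e_addr, fill):
        hdr = HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\0" * 8)
        return hdr + bytes([fill]) * (e_addr - s_addr + 1)
    return seg(0x1000, 0x1FFF, 0x41) + seg(0x100000, 0x1000FF, 0x42)


if __name__ == "__main__":
    sample = build_sample_dump()
    print("ranges:", [(hex(s), hex(e)) for s, e in parse_lime(sample)])
    print("sha256:", sha256_hex(sample))
    # Real use (hypothetical values): verify_dump("/mnt/evidence/mem.lime", "<sha256 recorded on target>")
```

The hash comparison is deliberately done before parsing: a dump that fails the integrity check should not be analysed at all, since missing or altered ranges would silently skew every plugin's results.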

Building Volatility profiles

Volatility 2 requires a symbol profile matching the exact kernel. Volatility 3 uses ISF (Intermediate Symbol Format) JSON files generated from DWARF debug symbols. Pull dwarf2json from the Volatility Foundation and run it against the target kernel's vmlinux (the uncompressed kernel image built with debug info) to produce the ISF file Volatility 3 loads.

Core analysis plugins

  • linux.pslist and linux.pstree — enumerate processes and parent-child relationships
  • linux.proc.maps — memory mappings per process, spot anonymous RWX regions
  • linux.netstat — network connections including those hidden by rootkits
  • linux.check_syscall — detect syscall table hooks indicating kernel rootkits
  • linux.malfind equivalent: scan for executable anonymous mappings with shellcode patterns

Detecting shared library injection

LD_PRELOAD injection and ptrace-based shared object injection show up as unexpected entries in /proc/PID/maps. In Volatility, cross-reference proc.maps output against the known good library list for the binary.
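To make the cross-reference concrete, here is an added Python example (not code from this post, nor from Volatility): it parses the `/proc/PID/maps` layout and applies the two checks discussed above, anonymous `rwx` regions (the linux.malfind-style check from the plugin list) and mapped files the binary is not expected to load. Volatility's linux.proc.maps reports the same fields, so its output can be exported into this layout. The maps text and the `KNOWN_GOOD` allowlist are constructed sample data for a hypothetical nginx worker.

```python
"""Added example: triage a process memory map for injection indicators."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str      # e.g. "r-xp"
    path: str       # "" for anonymous mappings, "[stack]"/"[heap]" for pseudo-paths


def parse_maps(text: str) -> list[Region]:
    """Parse /proc/PID/maps lines: addr perms offset dev inode [pathname]."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 5)
        if len(fields) < 5:
            raise ValueError(f"unparseable maps line: {line!r}")
        lo, hi = fields[0].split("-")
        path = fields[5].strip() if len(fields) == 6 else ""
        regions.append(Region(int(lo, 16), int(hi, 16), fields[1], path))
    return regions


def is_anonymous(r: Region) -> bool:
    return r.path == "" or r.path.startswith("[")


def find_anonymous_rwx(regions: list[Region]) -> list[Region]:
    """Writable+executable regions with no backing file: classic shellcode staging."""
    return [r for r in regions if r.perms.startswith("rwx") and is_anonymous(r)]


def _is_shared_object(path: str) -> bool:
    name = path.rsplit("/", 1)[-1]
    return name.endswith(".so") or ".so." in name


def find_suspicious_files(regions: list[Region], allowlist: set[str]) -> list[tuple[str, str]]:
    """Mapped files worth a second look, each with the reason it was flagged."""
    seen: set[str] = set()
    findings = []
    for r in regions:
        p = r.path
        if not p or p.startswith("[") or p in seen:
            continue
        if p.startswith("/memfd:") or p.endswith("(deleted)"):
            findings.append((p, "backing file not on disk (memfd or deleted)"))
        elif _is_shared_object(p) and p not in allowlist:
            findings.append((p, "shared object not in allowlist"))
        else:
            continue
        seen.add(p)
    return findings


# Constructed sample: a hypothetical nginx worker with an injected library,
# an anonymous rwx page and a memfd-backed mapping.
SAMPLE_MAPS = """\
5595c3a00000-5595c3b40000 r-xp 00000000 fd:01 1313 /usr/sbin/nginx
5595c3b40000-5595c3b50000 rw-p 00140000 fd:01 1313 /usr/sbin/nginx
7f1b6c200000-7f1b6c390000 r-xp 00000000 fd:01 9021 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1b6c400000-7f1b6c410000 r-xp 00000000 fd:01 7777 /tmp/.x/libhook.so
7f1b6c500000-7f1b6c501000 rwxp 00000000 00:00 0
7f1b6c600000-7f1b6c620000 r-xp 00000000 00:05 55 /memfd:payload (deleted)
7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed allowlist, e.g. built from ldd on a known-good copy of the binary.
KNOWN_GOOD = {"/usr/lib/x86_64-linux-gnu/libc.so.6"}

if __name__ == "__main__":
    regs = parse_maps(SAMPLE_MAPS)
    for r in find_anonymous_rwx(regs):
        print(f"anonymous rwx: {r.start:#x}-{r.end:#x}")
    for path, why in find_suspicious_files(regs, KNOWN_GOOD):
        print(f"suspicious file: {path} ({why})")
```

In practice the allowlist comes from the same binary on a trusted host, and a hit against a path under /tmp, /dev/shm or a memfd is the cue to dump that region and go looking for the loader (LD_PRELOAD in the process environment, or a ptrace parent in the pstree output).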

Credential theft artefacts

OpenSSH memory contains plaintext passphrases in the authentication session structure. SSHD process memory can be dumped and strings-searched for private key material. PAM authentication modules are also common injection points — check for unexpected shared objects loaded by sshd or su.

Key figures:

  • Classic technique: Linux kernel rootkits with syscall table hooks
  • ~3 minutes: LiME acquisition time for 32 GB RAM
  • Seconds in memory: SSH credential exposure window during auth

The attacker who never touched disk is still visible in RAM — if you acquire before reboot.

Operational notes

Prioritise memory acquisition over disk imaging when the system is live. The kernel changes every millisecond; a 10-second acquisition delay means some process state is already gone. Automate LiME loading in your IR runbooks so analysts do not have to compile under pressure.
