Chapter 21 Processes and Process Memory
A critical component of memory forensics of any system involves enumerating running processes, and exploring their interactions with the file system, memory, and network. Thus, this chapter focuses on the Linux kernel’s process structures and how they associate a process with its resources. The chapter also discusses how you can combine these resources with memory resident bash history to provide deep insight into the actions performed on the system. Additionally, the plugins highlighted in this chapter will provide the critical foundation for building the advanced capabilities discussed in later chapters.
Processes in Memory
Every Linux process is represented by a task_struct
structure in kernel memory. This structure holds all the information necessary to link a process with its opened file descriptors, memory maps, authentication credentials, and more. Instances of the structures are allocated from the kernel memory cache (kmem_cache
) and stored within a cache named task_struct_cachep
, which is also the name of a global variable in the Linux kernel that you can use to find the cache on systems that use the SLAB
allocator (more information on this is coming up).
Get The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.