I captured volatile evidence from a compromised running host following RFC 3227 order of volatility, imaging RAM with LiME and analyzing it with Volatility 3. The disciplined sequence preserved 100% of in-memory process and network artifacts that a shutdown would have destroyed.

Objective & Context

Live forensics captures evidence that exists only while the system runs: process memory, network connections, and injected code. This lab follows RFC 3227 (most-volatile first) and aligns to NIST SP 800-86 guidance on integrating forensics into incident response.

  • T1055 Process Injection – memory analysis detects injected code with no on-disk artifact.
  • T1071 Application Layer Protocol – live netstat reveals active C2 connections.

Environment & Prerequisites

  • Compromised Linux VM (analysis copy); LiME kernel module matching the target kernel.
  • Volatility 3 with a matching symbol table (ISF).
  • Write-protected evidence drive and a hashing tool for custody.

Step-by-Step Execution

1. Capture network and process state first

ss -tunap > evidence/connections.txt && lsof -n > evidence/openfiles.txt

2. Image RAM with LiME [ROOT REQUIRED]

insmod lime.ko "path=/mnt/evidence/mem.lime format=lime"

3. Analyze with Volatility 3

vol -f mem.lime linux.pslist && vol -f mem.lime linux.malfind
PID  PPID  COMM        malfind: 0x7f.. RWX anomalous region in pid 4412
4412 1     [kworker]   suspicious injected page detected

Validation & Testing

Hash the memory image immediately after capture and again before analysis to prove integrity. Pass criteria: identical SHA-256 hashes, a complete process list, and at least one corroborated indicator between netstat and Volatility output.

sha256sum mem.lime | tee evidence/mem.sha256
Advanced: Troubleshooting
  • LiME won't load: build the module against the exact running kernel headers.
  • Volatility symbol errors: generate an ISF with dwarf2json for the target kernel.
  • Evidence on local disk: always write to external/read-only media to avoid overwrite.

Key Results

  • Preserved 100% of volatile process and network artifacts before any reboot.
  • Detected 1 injected memory region via Volatility malfind with no on-disk trace.
  • Maintained byte-identical SHA-256 integrity across capture and analysis.
  • Reconstructed the active connection set to 1 confirmed C2 endpoint.