Objective

Hands-on practice with live box forensics techniques.

Tools & Technologies

  • volatility
  • dd
  • strings
  • lsof

Key Commands

dd if=/dev/mem of=memory.dump bs=1M
lsof -p PID
strings memory.dump | grep -i password
ps auxf

Lab Steps

01. Memory Acquisition

Capture a memory dump from a running system with minimal disruption.

02. Process Analysis

Examine running processes, loaded modules, and network connections.

03. String Extraction

Extract readable strings from memory dumps to find artifacts.

04. File Handle Analysis

Use lsof to identify open files and network connections per process.
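Steps 03 and the read-only takeaway below can be combined in a small analysis script. The following is an added example written for this lab (not part of the original lab material): it reimplements the `strings memory.dump | grep -i password` step in Python, mapping the dump read-only, hashing it so the evidence can be shown unchanged, and reporting ASCII and UTF-16LE hits with their offsets. The dump contents are a constructed sample, not a real memory image.

```python
import hashlib
import mmap
import os
import re
import tempfile

# Constructed sample "dump" for offline testing (not a real memory image):
# an ASCII credential, a UTF-16LE credential and a process string, padded
# with non-printable bytes.
SAMPLE = (b"\x00\x01\x7f" + b"PASSWORD=hunter2" + b"\x00\xff"
          + "Password: s3cret".encode("utf-16le")
          + b"\x00ab\x00" + b"sshd: root@pts/1\x00")

def find_strings(data, min_len=4):
    """Return (offset, encoding, text) for every run of at least min_len
    printable characters, in ASCII or UTF-16LE (like strings -e s / -e l)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in utf16_re.finditer(data)]
    return sorted(hits)

def grep_dump(path, pattern, min_len=4):
    """Map the dump read-only (ACCESS_READ cannot write back to the file),
    hash it for the chain of custody, and return the strings matching
    pattern case-insensitively, with offsets (strings dump | grep -i)."""
    rx = re.compile(pattern, re.IGNORECASE)
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        digest = hashlib.sha256(mm).hexdigest()
        hits = [h for h in find_strings(mm, min_len) if rx.search(h[2])]
    return digest, hits

def demo():
    """Write SAMPLE to a temporary file and search it; returns whether the
    hash still matches the original bytes, plus the matching strings."""
    fd, path = tempfile.mkstemp(suffix=".dump")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE)
        digest, hits = grep_dump(path, "password")
    finally:
        os.unlink(path)
    return digest == hashlib.sha256(SAMPLE).hexdigest(), hits

if __name__ == "__main__":
    for offset, enc, text in demo()[1]:
        print(f"0x{offset:08x} {enc:8s} {text}")
```

On a real dump, replace the temporary file with the path of the acquired image and keep the recorded SHA-256 with your notes.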

Challenges Encountered

  • Memory acquisition tools may not work on all kernel versions; in particular, modern Linux kernels built with CONFIG_STRICT_DEVMEM restrict /dev/mem, so the dd command above can fail or capture only a small fraction of RAM, and a kernel-module based acquisition tool (such as LiME) is needed instead
  • Anti-forensic techniques such as rootkits can hide processes from ps, which is why a memory image analyzed with volatility can reveal processes that the live listing omits

Key Takeaways

  • Live acquisition captures volatile data that disappears on reboot
  • Analyze memory in a read-only manner to avoid contamination