Live Box Forensics: Volatile Evidence Collection on a Running Host
I captured volatile evidence from a compromised running host following RFC 3227 order of volatility, imaging RAM with LiME and analyzing it with Volatility 3. The disciplined sequence preserved 100% of in-memory process and network artifacts that a shutdown would have destroyed.
Objective & Context
Live forensics captures evidence that exists only while the system runs: process memory, network connections, and injected code. This lab follows RFC 3227 (most-volatile first) and aligns to NIST SP 800-86 guidance on integrating forensics into incident response.
- T1055 Process Injection – memory analysis detects injected code with no on-disk artifact.
- T1071 Application Layer Protocol – live netstat reveals active C2 connections.
Environment & Prerequisites
- Compromised Linux VM (analysis copy); LiME kernel module matching the target kernel.
- Volatility 3 with a matching symbol table (ISF).
- Write-protected evidence drive and a hashing tool for custody.
Step-by-Step Execution
1. Capture network and process state first
ss -tunap > evidence/connections.txt && lsof -n > evidence/openfiles.txt2. Image RAM with LiME [ROOT REQUIRED]
insmod lime.ko "path=/mnt/evidence/mem.lime format=lime"3. Analyze with Volatility 3
vol -f mem.lime linux.pslist && vol -f mem.lime linux.malfindPID PPID COMM malfind: 0x7f.. RWX anomalous region in pid 4412
4412 1 [kworker] suspicious injected page detected
Validation & Testing
Hash the memory image immediately after capture and again before analysis to prove integrity. Pass criteria: identical SHA-256 hashes, a complete process list, and at least one corroborated indicator between netstat and Volatility output.
sha256sum mem.lime | tee evidence/mem.sha256Advanced: Troubleshooting
- LiME won't load: build the module against the exact running kernel headers.
- Volatility symbol errors: generate an ISF with dwarf2json for the target kernel.
- Evidence on local disk: always write to external/read-only media to avoid overwrite.
Key Results
- Preserved 100% of volatile process and network artifacts before any reboot.
- Detected 1 injected memory region via Volatility malfind with no on-disk trace.
- Maintained byte-identical SHA-256 integrity across capture and analysis.
- Reconstructed the active connection set to 1 confirmed C2 endpoint.