Top 8 Tools To Search Memory Under Linux / Unix [ Forensics Analysis ]

Posted on in Categories Command Line Hacks, Hardware, Open Source, Programming last updated March 19, 2013

You can dump Linux or Unix server memory. This is useful for forensics analysis, and testing your own system. This is often desirable to see:

  • What code and what data actually resides in memory.
  • You can search for specific pids memory.
  • Search memory for string and other data such as passwords.
  • Works as add-on tool for gdb and others.
  • Search/replace/dump memory from running processes and core files.
  • All kinds of deep hacking activities that simply saves your time and solve problems.

LiME (Linux Memory Extractor)

From the project home page:

LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

=> Download LiME


From the project home page:

By using /dev/(k)mem or a memory dump, Draugr can be used to access easily in python to this memory, play (read, write, disassemble, search) with it … and can find system information (processes …) by different methods. It can find kernel symbols (pattern matching in a XML file or with EXPORT_SYMBOL), processes (informations and sections) (by the kernel linked list or bruteforce) and disassemble/dump the memory.

=> Download draugr


From the project home page:

Volatilitux is pretty much the equivalent of Volatility for Linux systems. Volatilitux supports the following architectures for physical memory dumps:
* x86
* x86 with PAE enabled

It supports the following commands:
* pslist: print the list of all process
* memmap: print the memory map of a process
* memdmp: dump the addressable memory of a process
* filelist: print the list of all open files for a given process
* filedmp: dump an open file

=> Download volatilitux.


It is a simple utility to dump all memory of a running process, either immediately or when a fault condition is discovered. It is an attractive alternative to the vastly inferior search capabilities of many debuggers and tracers – and a convenient way to grab “screenshots” from many types of text-based interactive utilities. To install memfetch:

## FreeBSD ##
pkg_add -r -v memfetch 
## other *nix user download it from the following url ##
tar xvf memfetch.tgz
cd memfetch && make

=> Download memfetch

Crash utility from Red Hat, Inc

The core analysis suite is a self-contained tool that can be used to investigate either live systems, kernel core dumps created from the netdump, diskdump and kdump packages from Red Hat Linux, the mcore kernel patch ffered by Mission Critical Linux, or the LKCD kernel patch. This tool can be utilized for memory forensics. To install:

## RHEL / CentOS ##
yum install crash
## Novell / Suse / OpenSUSE ##
zypper install yast2-kdump

=> Download crash


A simple utility to search/replace/dump memory from running processes and core files. To install:

## FreeBSD ##
pkg_add -r -v memgrep

=> Download memgrep.


This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory. This software is distributed under the IBM Public License. To install memdump:

## Debian / ubuntu Linux ##
sudo apt-get install memdump
## FreeBSD ##
pkg_add -r -v memdupm

See man page for usage information:
man memdupm

=> Download memdump.


It is another tool for extraction of information such as the process and modules lists from a RAM image using logical relations between OS structures.

=> Download foriana

If you have any other tips and tools you’d like to add, please share them in the comments below!

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

7 comment

  1. Nice Article,

    But a little Quick & Dirty example would be nice per program…
    No Biggy, Will try them all !


Comments are closed.