Linux Memory Forensics: Dissecting the User Space Process Heap

by

by Frank Block and Andreas Dewald

The analysis of memory during a forensic investigation is often an important step to reconstruct events. While prior work in this field has mostly concentrated on information residing in the kernel space (process lists, network connections, and so on) and in particular on the Microsoft Windows operating system, this work focuses on Linux user space processes as they might also contain valuable information for an investigation. Because a lot of process data is located in the heap, this work in the first place concentrates on the analysis of Glibc’s heap implementation and on how and where heap related information is stored in the virtual memory of Linux processes that use the Glibc heap implementation. Up to now, the heap was mostly considered a large cohesive memory region from a memory forensics perspective, making it rather hard manual work to identify relevant information inside.

Read More

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-may-15-2024/

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-may-15-2024/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_AfSiWHngSnw

Digital Forensics News Round-Up, May 15 2024 #dfir #computerforensics

Forensic Focus 15th May 2024 4:55 pm

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-may-15-2024/

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-may-15-2024/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_Mqq8XgKvup4

Digital Forensics News Round-Up, May 15 2024 #dfir #computerforensics

Forensic Focus 15th May 2024 3:58 pm

In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image. From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case. Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice. Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability. Useful links: Amped FIVE - https://ampedsoftware.com/five Video Evidence Principles - https://blog.ampedsoftware.com/2023/0... CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

In this webinar, David Spreadborough, Forensic Analyst at Amped Software, provides a closer look at those important early stages in investigations involving video evidence. Starting with establishing the integrity of the digital data and evaluating the authenticity of the produced visual image.

From demonstrative timelines to speed estimation, the evidential foundations are paramount in every case.

Failure to consider these steps and misinterpreting the data can cause unnecessary delays, mistakes, and potentially even miscarriages of justice.

Amped FIVE is used to conduct data analysis, file conversion, and assessment of image reliability.

Useful links:

Amped FIVE - https://ampedsoftware.com/five
Video Evidence Principles - https://blog.ampedsoftware.com/2023/0...
CCTV Acquisition introduction - https://blog.ampedsoftware.com/2023/0...

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_dnSPwNdMn5M

Investigating Video: The Vital First Steps

Forensic Focus 13th May 2024 10:09 am

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles

Accelerating Evidence Analysis: An Investigator’s Take On The Advantages Of Media Acquisition From Detego Global
News

Accelerating Evidence Analysis: An Investigator’s Take On The Advantages Of Media Acquisition From Detego Global

ByDetego Digital ForensicsMay 16, 2024
The Differences Between Full Disk And Triage Acquisition
News

The Differences Between Full Disk And Triage Acquisition

ByCado SecurityMay 16, 2024
Digital Forensics Round-Up, May 15 2024
News

Digital Forensics Round-Up, May 15 2024

ByForensic FocusMay 15, 2024
Investigating Video: The Vital First Steps
Webinars

Investigating Video: The Vital First Steps

ByAmpedSoftwareMay 13, 2024
Forensic Focus Digest, May 10 2024
News

Forensic Focus Digest, May 10 2024

ByForensic FocusMay 10, 2024
Oxygen Forensic® KeyDiver
Webinars

Oxygen Forensic® KeyDiver

ByOxygenForensicsMay 9, 2024