Linux - address translation

  • suba_surianarayanan
    Message 1 of 19, Jan 1, 2012
      Are there any Linux memory dump images available for experimental/research purposes? (Any version of kernel would do.) Images for Windows are available for analysis.

      Also, is there any material available that explains the virtual address to physical address translation in Linux?

      I am a student wanting to do a project in the field of Linux memory forensics - any help would be greatly appreciated!

      ~Suba
    • Simson Garfinkel
      Message 2 of 19, Jan 2, 2012
        I am happy to create some. Please let me know what you would like to see in it.

      • J L
        Message 3 of 19, Jan 2, 2012
          Hi Suba,

          Here are a few samples that are available online:

          https://www.honeynet.org/challenges/2011_7_compromised_server


          http://www.dfrws.org/2008/challenge/submission.shtml


          http://forensic.korea.ac.kr/volafox/files/FreeBSD8/FreeBSD.vmem.gz


          Also make sure to check out the Linux branch of Volatility and various plugins that are available for getting information from Linux machines:


          http://code.google.com/p/volatility/source/browse/#svn%2Fbranches%2Flin64-support


          We also have documentation on how to download and use the Linux branch of Volatility:


          http://code.google.com/p/volatility/wiki/LinuxMemoryForensics

          All the best,

          -Jamie Levy




        • tgotelnet
          Message 4 of 19, Jan 3, 2012
            You should also check out the papers, presentations, and other tools listed on the forensics wiki as well:

            http://www.forensicswiki.org/wiki/Linux_Memory_Analysis

          • suba surianarayanan
            Message 5 of 19, Jan 5, 2012
              Thank you for the link. I am finding it very useful and informative.
               
              ~Suba


            • suba surianarayanan
              Message 6 of 19, Jan 5, 2012
                JL,
                 
                Thanks for the links to the dump files and Volatility...
                 
                I am trying to work my way through kernel data structures, starting at process structures (based on a few papers I got through this forum). For this, I used the DFRWS memory dump and system.map file.
                 
                Here's the problem I faced - After getting the virtual address of init_task from the system.map, I converted it to physical address (deducting 0xC0000000). When I use this physical address to find the next task_struct from the dump, I am not getting any valid structure at the offset (used WinHex to view the dump). Am I missing something here?
                 
                Thanks,
                Suba
                 

              • suba surianarayanan
                Message 7 of 19, Jan 5, 2012
                  It would be great if you could provide dumps taken on a system with a running executable and connected to a few websites. I would like to see if these are traceable through the process structure.
                   
                  Or it would even be better if you could send me the steps to create dumps on Linux :-)
                   
                  Thanks,
                  Suba


                • Simson Garfinkel
                  Message 8 of 19, Jan 5, 2012
                    Just run on VMWare, suspend, and grab the memory file!

                  • suba surianarayanan
                    Message 9 of 19, Jan 11, 2012
                      Got it figured out! "swapper" gave away init_task... and after some analysis got the linked list pointer offsets too - for kernel 2.6.18...
                       
                      Thanks,
                      Suba


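The symptom in messages 6 and 9 above (init_task located via System.map and converted by subtracting 0xC0000000, yet no valid task_struct at the "next" pointer until the list pointer offsets were worked out) comes down to two points. First, the subtraction only applies to addresses in the 32-bit kernel's direct-mapped lowmem region above PAGE_OFFSET; any other virtual address needs a page-table walk. Second, the `tasks` list pointers point at the `struct list_head` embedded inside the neighbouring task_struct, not at its start, so the member offset has to be subtracted first (what the kernel's `container_of` macro does). The Python below is an added editor's example, not code from the thread or from Volatility: it parses a System.map excerpt, translates init_task, and walks the task list of a constructed 32-bit image. The member offsets `TASKS_OFF`, `PID_OFF` and `COMM_OFF`, the image contents and the System.map lines are all made up for the demonstration; on a real kernel the offsets come from the vmlinux debug info, not from System.map.

```python
import struct

# x86-32 kernel: the direct-mapped "lowmem" region starts at PAGE_OFFSET, so a
# kernel virtual address in that region translates to physical by subtraction.
PAGE_OFFSET = 0xC0000000

# task_struct member offsets. ASSUMED for this constructed image; on a real
# system they come from the kernel's debug info (vmlinux), not from System.map.
TASKS_OFF = 0x60    # struct list_head tasks (next at +0, prev at +4)
PID_OFF   = 0x80    # pid_t pid
COMM_OFF  = 0x180   # char comm[16]


def parse_system_map(text):
    """Return {symbol: address} from lines of the form 'c0001000 D init_task'."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def virt_to_phys(va):
    """Translate a direct-mapped kernel VA; anything below PAGE_OFFSET needs a page-table walk."""
    if va < PAGE_OFFSET:
        raise ValueError(f"{va:#x} is not in the direct-mapped kernel region")
    return va - PAGE_OFFSET


def read_u32(image, va):
    return struct.unpack_from("<I", image, virt_to_phys(va))[0]


def read_cstr(image, va, maxlen=16):
    pa = virt_to_phys(va)
    return image[pa:pa + maxlen].split(b"\0", 1)[0].decode("ascii", "replace")


def comm_at(image, task_va):
    """comm field of the task_struct that starts at task_va ('' if the bytes are not a task)."""
    return read_cstr(image, task_va + COMM_OFF)


def walk_tasks(image, init_task_va):
    """Follow init_task.tasks.next around the circular list, returning (pid, comm) pairs."""
    result = []
    head = init_task_va + TASKS_OFF
    cursor = head
    while True:
        task_va = cursor - TASKS_OFF          # container_of(cursor, struct task_struct, tasks)
        pid = read_u32(image, task_va + PID_OFF)
        result.append((pid, comm_at(image, task_va)))
        cursor = read_u32(image, cursor)      # list_head.next: points at the NEXT list_head
        if cursor == head or len(result) > 1000:   # stop on wrap-around or a corrupted, looping list
            break
    return result


def build_sample():
    """Constructed 16 KiB 'physical memory' holding three task_structs plus a System.map excerpt."""
    image = bytearray(0x4000)
    tasks = [(0x1000, 0, b"swapper"), (0x1400, 1, b"init"), (0x1800, 2, b"bash")]
    for i, (pa, pid, comm) in enumerate(tasks):
        nxt = tasks[(i + 1) % 3][0] + PAGE_OFFSET + TASKS_OFF
        prv = tasks[(i - 1) % 3][0] + PAGE_OFFSET + TASKS_OFF
        struct.pack_into("<II", image, pa + TASKS_OFF, nxt, prv)
        struct.pack_into("<I", image, pa + PID_OFF, pid)
        image[pa + COMM_OFF:pa + COMM_OFF + len(comm)] = comm
    system_map = "c0001000 D init_task\nc0002000 R linux_banner\n"
    return bytes(image), system_map


IMAGE, SYSTEM_MAP = build_sample()
SYMBOLS = parse_system_map(SYSTEM_MAP)

if __name__ == "__main__":
    init_va = SYMBOLS["init_task"]
    print(f"init_task VA {init_va:#x} -> PA {virt_to_phys(init_va):#x}, comm={comm_at(IMAGE, init_va)!r}")
    nxt = read_u32(IMAGE, init_va + TASKS_OFF)
    print(f"next pointer {nxt:#x} read as a task_struct start: comm={comm_at(IMAGE, nxt)!r}")
    print(f"next pointer minus tasks offset: comm={comm_at(IMAGE, nxt - TASKS_OFF)!r}")
    for pid, comm in walk_tasks(IMAGE, init_va):
        print(pid, comm)
```

Reading the bytes at the raw `next` pointer as if they were a task_struct gives an empty comm, which is the "no valid structure at the offset" result from message 6; subtracting the `tasks` member offset lands on the real structure, and the walk returns swapper, init and bash in list order.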
                    • suba surianarayanan
                      Message 10 of 19, Feb 24, 2012
                        I am now working with Fedora with kernel 2.6.18 on vmware and would like to get some debug information from it. But the Linux seems to be compiled with a compressed kernel. I tried the one-liner scripts available on the internet to extract the vmlinux from vmlinuz but that doesn't work...
                         
                        Could anyone please tell me where I could get a Linux vmware image with an uncompressed kernel (2.6 version)?
                         
                        Thanks in advance!
                        ~Suba


                      • Andrew Case
                        Message 11 of 19, Feb 24, 2012
                          All distros distribute the compressed vmlinux file (vmlinuz) and that's what is booted from.

                          You will need to find the debug package for your particular kernel and that will have the vmlinux file.

                          What type of debug info do you want?

                          If you want just the addresses of symbols, then you can use the system.map file that comes with the distro (check under /boot).

                          If you want other info (such as structure definitions), then you will definitely need the vmlinux file.

                        • suba surianarayanan
                          Message 12 of 19, Feb 25, 2012
                            Nice to get a reply from one of the authors of my project's reference papers!  Could you also please suggest any project idea based on process structure parsing? It would be a big help!
                             
                            And thanks! I want the structure definitions and got the kernel debug info using yum. But somehow during the updates and all the repository list tweaking, the kernel got updated and the crash utility is having a problem with mismatch between namelist, map file and dump file. Getting a newer version of Fedora to work with now...
                             
                            Thanks,
                            Suba


                            ________________________________
                            From: Andrew Case <atcuno@...>
                            To: linux_forensics@yahoogroups.com
                            Sent: Saturday, February 25, 2012 7:55 AM
                            Subject: Re: [linux_forensics] Linux - address translation

                            All distros distribute the compressed vmlinux file (vmlinuz) and thats what
                            is booted from.

                            You will need to find the debug package for your particular kernel and that
                            will have the vmlinux file.

                            What type of debug info do you want?

                            If you want just the addresses of symbol,s then you can use the system.map
                            file that comes with the distro (check under /boot)

                            If you want other info (such as structure definitions), then you will
                            definitely need the vmlinux file.

                            On Fri, Feb 24, 2012 at 8:18 PM, suba surianarayanan <
                            suba_surianarayanan@...> wrote:

                            > **
                            >
                            >
                            > I am now working with Fedora with kernel 2.6.18 on vmware and would like
                            > to get some debug information from it. But the Linux seems to be compiled
                            > with a compressed kernel. I tried the one-liner scripts available in the
                            > internet to extract the vmlinux from vmlinuz but that does't work...
                            >
                            > Could anyone please tell me where I could get a Linux vmware image with an
                            > uncompressed kernel (2.6 version)?
                            >
                            > Thanks in advance!
                            > ~Suba
                            >
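Added example, not code from the thread or from any of its participants: a small Python reader for the System.map format Andrew mentions above, showing the two things that file alone supports (resolving a symbol name to its kernel virtual address, and mapping an address back to the nearest preceding symbol), while structure layouts still require the debug vmlinux. The SAMPLE_MAP fragment and every address in it are constructed, not taken from a real kernel.

```python
"""System.map symbol lookup (added example, not code from the thread).

A System.map file (shipped under /boot with the distro kernel) lists the
kernel's symbols as "<hex address> <type> <name>" lines.  With only that
file you can resolve symbol names to virtual addresses and map an arbitrary
kernel virtual address back to the nearest preceding symbol, which is the
first thing a memory-forensics tool needs before it can locate kernel
structures in a dump.  Structure layouts are NOT in System.map; for those
you need the debug vmlinux, as Andrew Case notes in the thread.
"""
import bisect
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in System.map format ("<addr> <type> <name>");
# the addresses are made up for the example, not from a real kernel.
SAMPLE_MAP = """\
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff810001f0 T secondary_startup_64
ffffffff8106a1c0 T do_fork
ffffffff8106a3e0 T sys_getpid
ffffffff81a00000 D init_task
ffffffff81a02c80 D init_mm
ffffffff81b50000 B swapper_pg_dir
ffffffff81c00000 B _end
"""

# One symbol line: 8 or 16 hex digits, a single type letter, a symbol name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{8,16})\s+([A-Za-z?])\s+(\S+)$")


class SystemMap:
    """Parsed System.map with name->address and address->nearest-symbol lookup."""

    def __init__(self, text: str) -> None:
        self.by_name: Dict[str, int] = {}
        entries: List[Tuple[int, str]] = []
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line:
                continue
            m = _LINE_RE.match(line)
            if m is None:
                raise ValueError(f"malformed System.map line {lineno}: {raw!r}")
            addr = int(m.group(1), 16)
            name = m.group(3)
            # First definition wins if a name repeats (static symbols can collide).
            self.by_name.setdefault(name, addr)
            entries.append((addr, name))
        # Sorted by address so bisect can find the nearest preceding symbol.
        entries.sort()
        self._addrs = [a for a, _ in entries]
        self._names = [n for _, n in entries]

    def address_of(self, name: str) -> int:
        """Virtual address of a named symbol; KeyError if absent."""
        return self.by_name[name]

    def symbol_for(self, addr: int) -> Optional[Tuple[str, int]]:
        """Nearest symbol at or below addr as (name, offset), or None if addr
        lies before the first symbol (i.e. is not inside the kernel image)."""
        i = bisect.bisect_right(self._addrs, addr)
        if i == 0:
            return None
        return self._names[i - 1], addr - self._addrs[i - 1]

    def in_kernel_image(self, addr: int) -> bool:
        """True if addr falls between the _text and _end markers."""
        return self.by_name["_text"] <= addr < self.by_name["_end"]


def format_symbol(smap: SystemMap, addr: int) -> str:
    """Render addr as 'name+0xoff', the way a kernel oops does, or '?' if it
    is outside the kernel image."""
    hit = smap.symbol_for(addr)
    if hit is None or not smap.in_kernel_image(addr):
        return "?"
    name, off = hit
    return f"{name}+0x{off:x}" if off else name


if __name__ == "__main__":
    smap = SystemMap(SAMPLE_MAP)
    print(hex(smap.address_of("init_task")))        # 0xffffffff81a00000
    print(format_symbol(smap, 0xffffffff8106a1d4))  # do_fork+0x14
    print(format_symbol(smap, 0xffffffff80000000))  # ?
```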
                          • Andrew Case
                            Message 13 of 19 , Feb 25, 2012
                              "Could you also please suggest any project idea based on process structure
                              parsing?"

                              I am not sure what you mean? A project based on processes and enumerating
                              them?

                              There has been quite a bit of work already related to processes and such in
                              memory, you may want to look at the papers listed here:

                              http://www.forensicswiki.org/wiki/Linux_Memory_Analysis

                              If you could tell me more about your project then I could help guide you better...



                              On Sat, Feb 25, 2012 at 12:44 PM, suba surianarayanan <
                              suba_surianarayanan@...> wrote:

                              >
                              >
                              > Nice to get a reply from one of the authors of my project's reference
                              > papers! Could you also please suggest any project idea based on process
                              > structure parsing? It would be a big help!
                              >
                              > And thanks! I want the structure definitions and got the kernel debug info
                              > using yum. But somehow during the updates and all the repository list
                              > tweaking, the kernel got updated and the crash utility is having a problem
                              > with mismatch between namelist, map file and dump file. Getting a newer
                              > version of Fedora to work with now...
                              >
                              > Thanks,
                              > Suba
                              >
                            • suba surianarayanan
                              Message 14 of 19 , Apr 7, 2012
                                I have obtained the snapshots as you said, but the TCP connections on the Guest OS seem to get terminated while a snapshot is being taken. Is there a way to get the TCP states preserved in the snapshot?
                                 
                                Regards,
                                Suba


                                ________________________________
                                From: Simson Garfinkel <simsong@...>
                                To: linux_forensics@yahoogroups.com
                                Sent: Friday, January 6, 2012 6:04 AM
                                Subject: Re: [linux_forensics] Linux - address translation

                                Just run on VMWare, suspend, and grab the memory file!

                                On Jan 5, 2012, at 11:44 AM, suba surianarayanan wrote:

                                > It would be great if you could provide dumps taken on a system with a running executable and connected to few websites. I would like to see if these are traceable through the process structure.

                                > Or it would even be better if you could send me the steps to create dumps on Linux :-)

                                > Thanks,
                                > Suba
                              • suba surianarayanan
                                Message 15 of 19 , Apr 11, 2012
                                  Is there a better way to get the memory dump of a guest OS running on vmware?
                                  Any answers? Please!
                                   
                                  Regards,
                                  Suba

                                  ----- Forwarded Message -----
                                  From: suba surianarayanan <suba_surianarayanan@...>
                                  To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                  Sent: Sunday, April 8, 2012 9:26 AM
                                  Subject: Re: [linux_forensics] Linux - address translation

                                  I have obtained the snapshots as you said, but the TCP connections on the Guest OS seem to get terminated while a snapshot is being taken. Is there a way to get the TCP states preserved in the snapshot?
                                   
                                  Regards,
                                  Suba
                                • depshlomo@yahoo.com
                                  Message 16 of 19 , Apr 11, 2012
                                    When you put the vm to sleep it creates a vm file for the memory; just copy that file.

                                    Shlomo
                                    Sent from my Verizon Wireless BlackBerry

                                    -----Original Message-----
                                    From: suba surianarayanan <suba_surianarayanan@...>
                                    Sender: linux_forensics@yahoogroups.com
                                    Date: Wed, 11 Apr 2012 06:34:51
                                    To: linux_forensics@yahoogroups.com<linux_forensics@yahoogroups.com>
                                    Reply-To: linux_forensics@yahoogroups.com
                                    Subject: [linux_forensics] memory dump from vmware

                                    Is there a better way to get the memory dump of a guest OS running on vmware?
                                    Any answers? Please!

                                    Regards,
                                    Suba
                                  • Echo6
                                    Message 17 of 19 , Apr 11, 2012
                                      Is this for research purposes?

                                      Take a look at the Red Hat crash driver, more info here http://www.forensicswiki.org/wiki/Tools:Memory_Imaging including a link to Jamie Levy's blog.

                                      Jon.



                                      ________________________________
                                      From: suba surianarayanan <suba_surianarayanan@...>
                                      To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                      Sent: Wednesday, April 11, 2012 2:34 PM
                                      Subject: [linux_forensics] memory dump from vmware


                                       
                                      Is there a better way to get the memory dump of a guest OS running on vmware?
                                      Any answers? Please!
                                       
                                      Regards,
                                      Suba
                                    • suba surianarayanan
                                      Message 18 of 19 , Apr 15, 2012
                                        Thank you very much, but this too gives the same results and doesn't show tcp connections...
                                         
                                        Regards,
                                        Suba


                                        ________________________________
                                        From: "depshlomo@..." <depshlomo@...>
                                        To: linux_forensics@yahoogroups.com
                                        Sent: Wednesday, April 11, 2012 7:08 PM
                                        Subject: Re: [linux_forensics] memory dump from vmware

                                        When you put the vm to sleep it creates a vm file for the memory; just copy that file.

                                        Shlomo
                                        Sent from my Verizon Wireless BlackBerry

                                        -----Original Message-----
                                        From: suba surianarayanan <suba_surianarayanan@...>
                                        Sender: linux_forensics@yahoogroups.com
                                        Date: Wed, 11 Apr 2012 06:34:51
                                        To: linux_forensics@yahoogroups.com<linux_forensics@yahoogroups.com>
                                        Reply-To: linux_forensics@yahoogroups.com
                                        Subject: [linux_forensics] memory dump from vmware

                                        Is there a better way to get the memory dump of a guest OS running on vmware?
                                        Any answers? Please!
                                         
                                        Regards,
                                        Suba

                                        ----- Forwarded Message -----
                                        From: suba surianarayanan <suba_surianarayanan@...>
                                        To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                        Sent: Sunday, April 8, 2012 9:26 AM
                                        Subject: Re: [linux_forensics] Linux - address translation
                                         
                                        I have obtained the snapshots as you said, but the TCP connections on the Guest OS seem to get terminated while a snapshot is being taken. Is there a way to get the tcp states preserved in the snapshot?
                                         
                                        Regards,
                                        Suba


                                        ________________________________
                                        From: Simson Garfinkel <simsong@...>
                                        To: linux_forensics@yahoogroups.com
                                        Sent: Friday, January 6, 2012 6:04 AM
                                        Subject: Re: [linux_forensics] Linux - address translation
                                         
                                        Just run on VMWare, suspend, and grab the memory file!

                                        On Jan 5, 2012, at 11:44 AM, suba surianarayanan wrote:

                                        > It would be great if you could provide dumps taken on a system with a running executable and connected to a few websites. I would like to see if these are traceable through the process structure.

                                        > Or it would even be better if you could send me the steps to create dumps on Linux :-)

                                        > Thanks,
                                        > Suba
                                        >
                                        >
                                        > ________________________________
                                        > From: Simson Garfinkel <simsong@...>
                                        > To: linux_forensics@yahoogroups.com
                                        > Sent: Monday, January 2, 2012 9:41 PM
                                        > Subject: Re: [linux_forensics] Linux - address translation
                                        >
                                        > I am happy to create some. Please let me know what you would like to see in it.
                                        >
                                        > On Jan 2, 2012, at 1:29 AM, suba_surianarayanan wrote:
                                        >
                                        > > Are there any Linux memory dump images available for experimental/research purpose? (Any version of kernel would do.) Images for Windows are available for analysis.
                                        > >
                                        > > Also, is there any material available that explains the virtual address to physical address translation in Linux?
                                        > >
                                        > > I am a student wanting to do a project in the field of Linux memory forensics - any help would be greatly appreciated!
                                        > >
                                        > > ~Suba
                                        > >
                                        > >
                                        >
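An added shell example for the suspend-and-copy approach discussed in this message (my code, not posted by anyone in the thread). It copies the guest memory files a suspended VMware VM leaves in its directory into an evidence directory and records SHA-256 hashes, so the copy can be verified later. It assumes the guest RAM lives in `*.vmem` (suspend) and `*.vmsn` (snapshot) files in the VM directory; the sample VM directory it builds is constructed, not a real VMware image.

```shell
#!/bin/sh
# Added example (not from the thread): copy the memory files of a suspended
# VMware guest into an evidence directory and hash them for later verification.
# Assumption: guest memory is in <vmdir>/*.vmem and/or <vmdir>/*.vmsn.

# sha256_of FILE: print the SHA-256 hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_vmem VMDIR OUTDIR
# Copies every *.vmem / *.vmsn file from VMDIR into OUTDIR, writes
# OUTDIR/hashes.sha256 ("<hash>  <name>" per file) and prints the number of
# files acquired. Returns non-zero when no memory file was found.
acquire_vmem() {
    vmdir=$1
    outdir=$2
    mkdir -p "$outdir"
    : > "$outdir/hashes.sha256"
    count=0
    for f in "$vmdir"/*.vmem "$vmdir"/*.vmsn; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
        name=$(basename "$f")
        cp -p "$f" "$outdir/$name"         # -p keeps the mtime (the suspend time)
        printf '%s  %s\n' "$(sha256_of "$outdir/$name")" "$name" >> "$outdir/hashes.sha256"
        count=$((count + 1))
    done
    echo "$count"
    [ "$count" -gt 0 ]
}

# verify_vmem OUTDIR: re-hash every copied file against hashes.sha256.
# Returns 0 only if all hashes still match (i.e. the image was not altered).
verify_vmem() {
    outdir=$1
    while read -r hash name; do
        [ "$(sha256_of "$outdir/$name")" = "$hash" ] || return 1
    done < "$outdir/hashes.sha256"
}

# make_sample_vm: constructed VM directory with a .vmx and a small fake .vmem
# (just bytes to copy and hash, not real guest memory). Prints the directory.
make_sample_vm() {
    dir=$(mktemp -d)
    printf 'displayName = "sample"\n' > "$dir/sample.vmx"
    dd if=/dev/zero of="$dir/sample.vmem" bs=1024 count=4 2>/dev/null
    echo "$dir"
}

# Demo on the constructed sample so the script runs stand-alone.
demo_vm=$(make_sample_vm)
demo_out=$(mktemp -d)
acquire_vmem "$demo_vm" "$demo_out" >/dev/null
cat "$demo_out/hashes.sha256"
```

Usage on a real VM once it is suspended would be `acquire_vmem /path/to/vmdir /path/to/evidence` followed by `verify_vmem /path/to/evidence` before and after analysis; the hash file is what lets you show the image you analysed is the one you copied.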
                                      • suba surianarayanan
                                        Message 19 of 19 , Apr 15, 2012
                                          Thank you. I am going through this...
                                           
                                          Regards,
                                          Suba


                                          ________________________________
                                          From: Echo6 <echo6_uk@...>
                                          To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                          Sent: Thursday, April 12, 2012 2:46 AM
                                          Subject: Re: [linux_forensics] memory dump from vmware

                                          Is this for research purposes?

                                          Take a look at the Red Hat crash driver, more info here http://www.forensicswiki.org/wiki/Tools:Memory_Imaging including a link to Jamie Levy's blog.

                                          Jon.



                                          ________________________________
                                          From: suba surianarayanan <suba_surianarayanan@...>
                                          To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                          Sent: Wednesday, April 11, 2012 2:34 PM
                                          Subject: [linux_forensics] memory dump from vmware


                                           
                                          Is there a better way to get the memory dump of a guest OS running on vmware?
                                          Any answers? Please!
                                           
                                          Regards,
                                          Suba

                                          ----- Forwarded Message -----
                                          From: suba surianarayanan <suba_surianarayanan@...>
                                          To: "linux_forensics@yahoogroups.com" <linux_forensics@yahoogroups.com>
                                          Sent: Sunday, April 8, 2012 9:26 AM
                                          Subject: Re: [linux_forensics] Linux - address translation

                                          I have obtained the snapshots as you said, but the TCP connections on the Guest OS seem to get terminated while a snapshot is being taken. Is there a way to get the tcp states preserved in the snapshot?
                                           
                                          Regards,
                                          Suba

                                          ________________________________
                                          From: Simson Garfinkel <simsong@...>
                                          To: linux_forensics@yahoogroups.com
                                          Sent: Friday, January 6, 2012 6:04 AM
                                          Subject: Re: [linux_forensics] Linux - address translation
                                           
                                          Just run on VMWare, suspend, and grab the memory file!

                                          On Jan 5, 2012, at 11:44 AM, suba surianarayanan wrote:

                                          > It would be great if you could provide dumps taken on a system with a running executable and connected to a few websites. I would like to see if these are traceable through the process structure.

                                          > Or it would even be better if you could send me the steps to create dumps on Linux :-)

                                          > Thanks,
                                          > Suba
                                          >
                                          >
                                          > ________________________________
                                          > From: Simson Garfinkel <simsong@...>
                                          > To: linux_forensics@yahoogroups.com
                                          > Sent: Monday, January 2, 2012 9:41 PM
                                          > Subject: Re: [linux_forensics] Linux - address translation
                                          >
                                          > I am happy to create some. Please let me know what you would like to see in it.
                                          >
                                          > On Jan 2, 2012, at 1:29 AM, suba_surianarayanan wrote:
                                          >
                                          > > Are there any Linux memory dump images available for experimental/research purpose? (Any version of kernel would do.) Images for Windows are available for analysis.
                                          > >
                                          > > Also, is there any material available that explains the virtual address to physical address translation in Linux?
                                          > >
                                          > > I am a student wanting to do a project in the field of Linux memory forensics - any help would be greatly appreciated!
                                          > >
                                          > > ~Suba
                                          > >
                                          > >
                                          >