Full DFIR Workflow: Linux Memory Acquisition & Forensic Triage
Kali Linux + LiME + SANS SIFT Workstation
Tags: DFIR, Memory Forensics, IOC Hunting, Malware Discovery, Log Analysis, Evidence Handling
Overview
This project documents a complete end-to-end Digital Forensics & Incident Response (DFIR) workflow, beginning with live memory acquisition on a Linux system and progressing through forensic triage, malware discovery, log analysis, persistence detection, and structured case packaging.
Objective
- Acquire volatile memory safely from a live Linux system
- Preserve forensic integrity using cryptographic hashing
- Import and analyze the memory dump within a controlled forensic VM
- Identify potential indicators of compromise (IOCs)
- Detect persistence mechanisms and suspicious system activity
- Package evidence in a structured DFIR case folder
Phase 1 — Install LiME
sudo apt update
sudo apt install linux-headers-$(uname -r) build-essential git
cd /tmp
git clone https://github.com/504ensicsLabs/LiME.git
cd LiME/src
make

Phase 2 — Live RAM Acquisition
# the .ko name carries the kernel it was built for; it must match uname -r on the target
sudo insmod ./lime-6.16.8+kali-amd64.ko path=/root/memdump.lime format=lime
lsmod | grep lime
ls -lh /root/memdump.lime
# unload the module once the dump has finished writing, then confirm it is gone
sudo rmmod lime
lsmod | grep lime

Phase 3 — Integrity Hashing
sudo -i
cd /root
sha256sum memdump.lime > memdump.lime.sha256
md5sum memdump.lime > memdump.lime.md5
cat memdump.lime.sha256
cat memdump.lime.md5

Phase 4 — Forensic Environment Setup (SANS SIFT)
SIFT Workstation imported into VirtualBox as the primary analysis environment. Memory dump transferred via shared folders to maintain isolation.
Phase 5 — Memory Analysis and Triage
Bulk Extractor
bulk_extractor -o ~/bulk-output /media/your_username/memdump2.lime

Strings + Grep (IOC Hunting)
strings /media/your_username/memdump2.lime | grep -i ssh
strings /media/your_username/memdump2.lime | grep -i passwd
strings /media/your_username/memdump2.lime | grep -i http
# -F matches the literal ".exe" rather than treating the dot as a regex wildcard
strings /media/your_username/memdump2.lime | grep -iF .exe

Foremost (File Carving)
mkdir ~/foremost-out
foremost -i /media/your_username/memdump2.lime -o ~/foremost-out
# inspect a carved file from inside the carving output directory (e.g. ~/foremost-out/exe/)
file 94243319.exe
exiftool 94243319.exe
strings -a 94243319.exe | less

YARA (Pattern Detection)
yara -s wide_scan.yara /media/your_username/memdump2.lime
yara -s ~/http_creds.yara ~/foremost-out/exe/

Phase 6 — Linux Log Collection
sudo mkdir -p /root/dfir
sudo journalctl -u systemd-logind | sudo tee /root/dfir/logins.log
sudo journalctl -t sshd | sudo tee /root/dfir/ssh-auth.log
sudo journalctl _COMM=sudo | sudo tee /root/dfir/sudo.log
sudo journalctl | grep -Ei "failed|pam|invalid" | sudo tee /root/dfir/auth-failures.log

Phase 7 — Log Analysis and Intrusion Detection
grep "Failed password" /root/dfir/ssh-auth.log
grep "Failed password" /root/dfir/ssh-auth.log | \
awk '{for(i=1;i<=NF;i++) if($i=="from") print $(i+1)}' | \
sort | uniq -c | sort -nr
grep "Accepted" /root/dfir/ssh-auth.log
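The failed-password pipeline above counts attempts per source address. The block below is an added example, not part of the original write-up: it wraps that pipeline in functions, runs it over a constructed sshd journal excerpt, and adds the check a triage analyst wants next, namely a source with many failures that later appears in an "Accepted" line. The log lines are constructed samples and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise failed SSH logins per source IP and flag sources that
# failed repeatedly and then logged in. Sample journal lines are constructed.
SAMPLE_SSH_LOG='Oct 12 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Oct 12 10:01:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Oct 12 10:01:09 host sshd[1205]: Failed password for root from 203.0.113.5 port 51041 ssh2
Oct 12 10:02:11 host sshd[1210]: Failed password for analyst from 198.51.100.7 port 40022 ssh2
Oct 12 10:03:44 host sshd[1222]: Accepted publickey for analyst from 192.0.2.10 port 40100 ssh2
Oct 12 10:05:02 host sshd[1230]: Accepted password for root from 203.0.113.5 port 51060 ssh2'

# Print "count ip" for every source IP with a failed password, highest count first.
# The "from" field is located by name because the user part varies in length
# ("for root from" vs "for invalid user admin from").
failed_by_ip() {
    grep "Failed password" "$1" |
    awk '{for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)}' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print IPs with at least $2 failures in log $1 that also appear in an Accepted line:
# the pattern of a password-guessing run that eventually worked.
failed_then_accepted() {
    log=$1
    threshold=$2
    failed_by_ip "$log" | while read -r count ip; do
        if [ "$count" -ge "$threshold" ] && grep "Accepted" "$log" | grep -qF " from $ip "; then
            echo "$ip"
        fi
    done
}

# Stand-alone demo on the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SSH_LOG" > "$demo_file"
echo "Failed logins per source IP:"
failed_by_ip "$demo_file"
echo "Sources with >= 3 failures followed by an Accepted login:"
failed_then_accepted "$demo_file" 3
rm -f "$demo_file"
```

On a real case, point the functions at /root/dfir/ssh-auth.log from Phase 6; any IP printed by failed_then_accepted is the first place to pivot into the sudo log and the Phase 8 persistence checks.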
grep "COMMAND=" /root/dfir/sudo.log

Phase 8 — Persistence and Malware Discovery
# per-user crontabs; system-wide entries also live in /etc/crontab and /etc/cron.d/
sudo ls -al /var/spool/cron/
sudo crontab -l
sudo systemctl list-units --type=service
sudo systemctl list-unit-files --type=service
ps aux | grep -E "nc|curl|wget|python|perl"
sudo ss -tulpn
sudo cat /etc/rc.local
sudo cat ~/.ssh/authorized_keys
sudo cat /root/.ssh/authorized_keys

Phase 9 — Case Packaging
mkdir ~/DFIR-CASE
cp -r /root/dfir/ ~/DFIR-CASE/
cp /root/memdump.lime ~/DFIR-CASE/
cd ~
zip -r DFIR-CASE.zip DFIR-CASE/
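Phase 3 records hashes and Phase 4 moves the dump into the SIFT VM, but the write-up never re-checks the hash after the transfer, and the case folder in Phase 9 is zipped without a manifest. The block below is an added example (not the project's own code) that supplies both checks: verify_dump re-verifies a dump against the .sha256 written in Phase 3, and make_manifest/verify_manifest hash every file in a case folder so the package can be verified wherever it is opened. Paths are parameters; the function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: integrity checks for the memory dump and the case folder.
# Assumes GNU coreutils sha256sum (as on Kali and SIFT).

# Re-verify a dump against the .sha256 file written next to it in Phase 3
# (that file names the dump relative to its own directory, hence the cd).
# Returns 0 only if the hash still matches; run this after every copy or transfer.
verify_dump() {
    ( cd "$(dirname "$1")" && sha256sum --quiet -c "$(basename "$1").sha256" )
}

# Write DIR/manifest.sha256 listing every regular file under DIR with its SHA-256.
# The manifest itself is excluded because the redirect creates it before find runs.
# Prints the number of files hashed.
make_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f ! -name manifest.sha256 -print | sort |
        while read -r f; do sha256sum "$f"; done ) > "$dir/manifest.sha256"
    grep -c . "$dir/manifest.sha256"
}

# Check DIR against its manifest. Altered or missing files are reported by
# sha256sum -c and the function returns non-zero.
verify_manifest() {
    ( cd "$1" && sha256sum --quiet -c manifest.sha256 )
}

# Stand-alone demo on a constructed case folder.
demo=$(mktemp -d)
mkdir "$demo/dfir"
printf 'constructed dump contents\n' > "$demo/memdump.lime"
printf 'constructed log line\n' > "$demo/dfir/ssh-auth.log"
( cd "$demo" && sha256sum memdump.lime > memdump.lime.sha256 )
verify_dump "$demo/memdump.lime" && echo "dump hash OK"
echo "files in manifest: $(make_manifest "$demo")"
verify_manifest "$demo" && echo "case folder OK"
rm -rf "$demo"
```

For the real case, run make_manifest ~/DFIR-CASE before the zip step so manifest.sha256 travels inside the archive, and verify_manifest on the extracted folder at the receiving end.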