Question 1

How do I capture memory with AVML on a live Linux server?

Accepted Answer

Download the static binary and run 'avml output.lime' on the target; AVML auto-detects memory sources. For compression, add '--compress' to reduce file size using Snappy. Always ensure kernel lockdown is disabled for it to work.

Question 2

AVML or LiME: which is better for Linux memory forensics?

Accepted Answer

AVML is more portable as a userland tool without kernel modules, ideal for diverse distributions. LiME requires kernel compilation per target but might be more reliable in some locked-down environments. Choose AVML for ease, LiME for compatibility with specific kernels.

Question 3

How to upload a memory dump to AWS S3 using AVML?

Accepted Answer

First, generate a pre-signed URL with AWS CLI. Then, on the target, run 'avml --put [URL] --delete output.lime' to capture, upload via HTTP PUT, and delete locally upon success. Retry logic handles network issues automatically.

Question 4

Can AVML work on Ubuntu 22.04 or CentOS 8?

Accepted Answer

Yes, AVML is tested on Ubuntu 22.04 and CentOS 8.5, as listed in the README. It should function on these and similar distributions without issues, provided kernel lockdown is not enabled and the system is x86_64.

Question 5

What if AVML fails due to kernel lockdown?

Accepted Answer

AVML cannot acquire memory if kernel lockdown is active. You may need to temporarily disable it via boot parameters if possible, but this compromises security. Alternatively, consider hardware-based acquisition methods or other tools that bypass this restriction.

Question 6

How to decompress an AVML-compressed image for analysis?

Accepted Answer

Use the included 'avml-convert' tool: run 'avml-convert compressed.lime uncompressed.lime' to decompress the Snappy-compressed image back to standard LiME format. This ensures compatibility with forensic analysis software.

AVML

What is AVML?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions