Trail of Bits Blog
mquire: Linux memory forensics without external dependencies
mquire is a new open-source tool for Linux memory forensics that does not rely on external debug symbols. Instead of requiring a symbol package that matches the exact kernel version, it extracts the information it needs directly from the memory dump: BTF type information and Kallsyms symbol addresses, both of which are present in the dump itself. This makes it possible to analyze unknown kernels and custom builds, a significant advantage for incident responders.

mquire exposes an interactive SQL interface, inspired by osquery, for exploring the extracted data. Users can run one-off queries or work interactively to retrieve information such as running processes and open files. Current capabilities include the system version, tasks, open files, memory mappings, and more. A ".dump" command extracts files from the kernel's file cache, even when they have been deleted.

Use cases include incident response, forensic analysis, malware analysis, and security research. Current limitations are that user-space data is not accessible and that the tool depends on the Kallsyms format. Planned work includes expanded table support, improved caching, and DMA-based acquisition. mquire is available on GitHub with prebuilt binaries for Linux, and the article encourages users to try it and provide feedback.
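As an added illustration of the dump-derived approach the summary describes (example code, not mquire's own), the following Python sketch scans a constructed raw memory image for an embedded BTF blob, sanity-checks its header, and walks the type section to recover struct member layouts, using the BTF header and type encoding from the kernel's uapi btf.h; the sample image, the type IDs and the struct and member names in it are constructed here and are not the page's data.

```python
import struct

BTF_MAGIC, BTF_VERSION = 0xEB9F, 1
KIND_STRUCT, KIND_UNION = 4, 5
# Trailing u32 words that follow struct btf_type, by BTF kind (per the kernel's uapi btf.h):
FIXED_EXTRA = {1: 1, 3: 3, 14: 1, 17: 1}                  # INT, ARRAY, VAR, DECL_TAG
PER_VLEN_EXTRA = {4: 3, 5: 3, 6: 2, 13: 2, 15: 3, 19: 3}  # STRUCT, UNION, ENUM, FUNC_PROTO, DATASEC, ENUM64
HDR = "<HBBIIIII"  # magic, version, flags, hdr_len, type_off, type_len, str_off, str_len

def find_btf(dump):
    """Scan a raw memory image for a plausible BTF header; return its offset or None."""
    pos = 0
    while (pos := dump.find(b"\x9f\xeb\x01", pos)) != -1 and pos + 24 <= len(dump):
        _, _, _, hdr_len, t_off, t_len, s_off, s_len = struct.unpack_from(HDR, dump, pos)
        data = pos + hdr_len
        # Sanity checks: both sections must fit in the image and the string table starts with "".
        if (hdr_len >= 24 and s_len and data + t_off + t_len <= len(dump)
                and data + s_off + s_len <= len(dump) and dump[data + s_off] == 0):
            return pos
        pos += 1
    return None

def parse_structs(dump, base):
    """Walk the BTF type section; return {struct_name: [(member, type_id, bit_offset), ...]}."""
    _, _, _, hdr_len, t_off, t_len, s_off, _ = struct.unpack_from(HDR, dump, base)
    pos, strs = base + hdr_len + t_off, base + hdr_len + s_off
    end = pos + t_len
    name = lambda off: dump[strs + off:dump.index(b"\0", strs + off)].decode()
    out = {}
    while pos < end:
        name_off, info, _size = struct.unpack_from("<III", dump, pos)
        vlen, kind, kflag = info & 0xFFFF, (info >> 24) & 0x1F, info >> 31
        pos += 12
        if kind in (KIND_STRUCT, KIND_UNION):
            members = [struct.unpack_from("<III", dump, pos + 12 * i) for i in range(vlen)]
            # With kind_flag set, the low 24 bits of offset are the bit offset (high 8 = bitfield size).
            out[name(name_off)] = [(name(m[0]), m[1], m[2] & 0xFFFFFF if kflag else m[2]) for m in members]
        pos += 4 * (FIXED_EXTRA.get(kind, 0) + vlen * PER_VLEN_EXTRA.get(kind, 0))
    return out

def build_sample_dump():
    """Constructed image: filler, then a tiny BTF blob (int; struct task_struct { int pid; }), filler."""
    strs = b"\0int\0task_struct\0pid\0"                          # offsets: int=1, task_struct=5, pid=17
    int_t = struct.pack("<IIII", 1, 1 << 24, 4, (1 << 24) | 32)  # kind INT, size 4, signed, 32 bits
    task = struct.pack("<III", 5, (KIND_STRUCT << 24) | 1, 4) + struct.pack("<III", 17, 1, 0)
    types = int_t + task
    hdr = struct.pack(HDR, BTF_MAGIC, BTF_VERSION, 0, 24, 0, len(types), len(types), len(strs))
    return b"\xaa" * 4096 + hdr + types + strs + b"\x00" * 4096
```

On a real image the same scan locates the kernel's .BTF data, and the recovered member offsets are what let a tool walk kernel structures without a matching symbol package.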