Report: In-Memory Files
An in-memory file is a memory-mapped file. Common examples are program executables and shared objects. Some programs open their data files in this manner as well.
Report Data: In-Memory Files
The following are the in-memory files present when the memory snapshot was taken of the centos 6 - 2.6.32-696.28.1.el6.x86_64 image from the samples gallery (requires authentication).
The following table describes each column of the reported data.
Column | Description | Notes |
---|---|---|
Pid | PID of the process whose address space contains the mapped file | |
Path | Source path of the in-memory file | |
Forensic Hints
Patterns to look for: shared objects loaded into processes from nonstandard locations (/tmp or /home).
The same set of in-memory files can be obtained from a running Linux system via the lsof command (with appropriate filtering); any difference between the set (a) read from usermode and (b) derived from memory inspection should be investigated, as discussed here.
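
The two checks from the hints above, as an added Python example (not part of the report tooling): it flags shared objects mapped from /tmp or /home and diffs the report's (Pid, Path) rows against `lsof -F pfn` field output. The sample rows, the lsof text and all function names are constructed for illustration.

```python
import re

# Directories the hints above call nonstandard for shared objects.
SUSPECT_DIRS = ("/tmp/", "/home/")
SO_RE = re.compile(r"\.so(\.\d+)*$")  # matches libfoo.so and libfoo.so.1.2

def parse_lsof_fields(text):
    """Parse `lsof -F pfn` output into a set of (pid, path) for mapped files."""
    pairs, pid, fd = set(), None, None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":            # start of a new process set
            pid, fd = int(value), None
        elif tag == "f":          # start of a new file set
            fd = value
        # Assumption: "txt" (program text) and "mem" (memory-mapped file)
        # are the lsof FD values that correspond to the report's rows.
        elif tag == "n" and fd in ("txt", "mem") and value.startswith("/"):
            pairs.add((pid, value))
    return pairs

def suspicious_objects(pairs):
    """Shared objects mapped from a nonstandard location."""
    return sorted((pid, path) for pid, path in pairs
                  if SO_RE.search(path) and path.startswith(SUSPECT_DIRS))

def compare(memory_pairs, lsof_pairs):
    """Mappings seen by only one of the two views; each entry needs review."""
    return {"memory_only": sorted(memory_pairs - lsof_pairs),
            "lsof_only": sorted(lsof_pairs - memory_pairs)}

# Constructed (Pid, Path) rows in the shape of the report table.
MEMORY_ROWS = {
    (1, "/sbin/init"), (1, "/lib64/libc-2.12.so"),
    (2117, "/usr/sbin/sshd"), (2117, "/lib64/libc-2.12.so"),
    (2117, "/tmp/.cache/libhelper.so"),
}
# Constructed `lsof -F pfn` output from the same host (usermode view).
LSOF_OUTPUT = ("p1\nftxt\nn/sbin/init\nfmem\nn/lib64/libc-2.12.so\n"
               "f0\nn/dev/null\n"
               "p2117\nftxt\nn/usr/sbin/sshd\nfmem\nn/lib64/libc-2.12.so\n")

if __name__ == "__main__":
    print(suspicious_objects(MEMORY_ROWS))
    print(compare(MEMORY_ROWS, parse_lsof_fields(LSOF_OUTPUT)))
```

In the constructed data the /tmp library appears only in the memory-derived set, so it is reported by both checks.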