Treasure and tragedy in kmem-cache mining for live forensics investigation



This paper presents the first deep investigation of the kmem-cache facility in Linux from a forensics perspective. The kmem-cache is used by the Linux kernel to quickly allocate and deallocate kernel structures associated with processes, files, and the network stack. Our focus is on deallocated information that remains in the cache, and the major contribution of this paper is to illustrate what forensically relevant information can be retrieved from the kmem-cache and what information is definitively not retrievable. We show that the kmem-cache contains a wealth of digital evidence, much of which was either previously unavailable or difficult to obtain, requiring ad hoc methods for extraction. Previously executed processes, memory mappings, sent and received network packets, NAT translations, accessed file system inodes, and more can all be recovered through examination of the kmem-cache contents. We also discuss portable methods for erasing this information, to ensure that private data is no longer recoverable. © 2010 Digital Forensic Research Workshop. Published by Elsevier Ltd. All rights reserved.




Case, A., Marziale, L., Neckar, C., & Richard, G. G. (2010). Treasure and tragedy in kmem-cache mining for live forensics investigation. In DFRWS 2010 Annual Conference (Vol. 7). Digital Forensic Research Workshop.
