
Second Look: Linux Memory Forensics for Incident Response and Intrusion Detection

Second Look combines memory forensics and integrity verification to provide unparalleled assurance that the software running on Linux servers and workstations, from the kernel to system services and applications, is of known origin and has not been modified. There is no more powerful tool for uncovering malware, backdoors, unauthorized processes, and other signs of compromise on Linux systems.

As featured in the Malware Forensics Field Guide for Linux Systems.

Sample Linux Memory Images

We make these sample Linux memory images freely available in the hope they may be useful for research, training, testing, or other purposes. Memory images not only preserve the volatile state of the target system at the time the image was created, but also provide a superb opportunity for detection and analysis of malware on the target system. We encourage you to use these memory images for the following purposes, among others:

We also invite you to learn about the value of Second Look for Linux incident response and intrusion detection. Every one of the pieces of malware in the sample memory images below was automatically detected by Second Look, without any a priori knowledge of it on our part.

Each memory image below is a raw physical memory image, compressed with bzip2; the size and SHA-256 hash listed are those of the file as downloaded, so check the hash before decompressing. Several different memory acquisition techniques were used to create these images, as described under each file. For each infected memory image there is a clean image from the same system for comparison, and four of the clean images are paired with a raw disk image of the same system containing a LUKS-encrypted volume. If you have any feedback on our sample memory images, or questions about Linux memory forensics, please drop us a line via the contact form. Thanks!
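Several of the images below were acquired with VirtualBox's dumpguestcore command (VBoxManage debugvm <vm> dumpguestcore --filename <file>), which writes an ELF64 core file rather than a raw physical image. The Python below is an added example, not tooling from Second Look or from this page: it flattens such a core into the raw physical layout the images here use by copying each PT_LOAD segment to the guest physical address in its p_paddr field and zero-filling the gaps between segments (the PCI hole below 4GB, for instance). It assumes the documented VirtualBox core layout (little-endian ELF64, guest RAM carried in PT_LOAD segments keyed by p_paddr, VM state in a PT_NOTE); the sample core it builds is constructed for the demonstration and is not a real dump.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB, ET_CORE = 2, 1, 4
PT_LOAD, PT_NOTE = 1, 4
EHDR = struct.Struct("<HHIQQQIHHHHHH")   # Elf64_Ehdr fields after the 16-byte e_ident
PHDR = struct.Struct("<IIQQQQQQ")        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align


def load_segments(core):
    """Return (guest physical address, bytes) for each PT_LOAD segment, sorted by address.

    Assumption (VirtualBox core layout): p_paddr of a PT_LOAD is the guest physical start of that RAM range."""
    if core[:4] != ELF_MAGIC or core[4] != ELFCLASS64 or core[5] != ELFDATA2LSB:
        raise ValueError("expected a little-endian ELF64 file")
    e_type, _mach, _ver, _entry, phoff, _shoff, _flags, _ehsz, phentsize, phnum = EHDR.unpack_from(core, 16)[:10]
    if e_type != ET_CORE:
        raise ValueError("e_type %d is not ET_CORE" % e_type)
    segs = []
    for i in range(phnum):
        p_type, _pflags, off, _vaddr, paddr, filesz, memsz, _align = PHDR.unpack_from(core, phoff + i * phentsize)
        if p_type != PT_LOAD:
            continue                    # PT_NOTE holds the CPU/VM state notes, not guest RAM
        if off + filesz > len(core):
            raise ValueError("segment %d runs past the end of the file" % i)
        segs.append((paddr, bytes(core[off:off + filesz]) + b"\x00" * (memsz - filesz)))
    segs.sort(key=lambda s: s[0])
    return segs


def core_to_raw(core):
    """Flatten the segments into one raw physical image; unpopulated ranges between them become zeros."""
    out = bytearray()
    for paddr, data in load_segments(core):
        if paddr < len(out):
            raise ValueError("segments overlap at physical address 0x%x" % paddr)
        out += b"\x00" * (paddr - len(out))
        out += data
    return bytes(out)


def build_core(segments):
    """Construct a minimal core in the assumed layout (one PT_NOTE plus one PT_LOAD per range); sample input only."""
    phnum = len(segments) + 1
    phoff, data_off = 64, 64 + PHDR.size * phnum
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\x00" * 9
    ehdr = ident + EHDR.pack(ET_CORE, 62, 1, 0, phoff, 0, 0, 64, PHDR.size, phnum, 0, 0, 0)
    phdrs = PHDR.pack(PT_NOTE, 0, data_off, 0, 0, 0, 0, 0)
    body = b""
    for paddr, data in segments:
        phdrs += PHDR.pack(PT_LOAD, 6, data_off + len(body), 0, paddr, len(data), len(data), 0x1000)
        body += data
    return ehdr + phdrs + body


# Constructed sample: 4 KiB of RAM at 0 and 2 KiB at 0x3000, deliberately listed out of order,
# as a tiny stand-in for a guest whose physical map has a hole.
SAMPLE_CORE = build_core([(0x3000, b"B" * 0x800), (0x0, b"A" * 0x1000)])

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s guest.core out.raw" % sys.argv[0])
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "wb") as out:
        out.write(core_to_raw(f.read()))
```

The raw file this produces is as large as the highest populated guest physical address, not the configured RAM size, because the hole below 4GB is zero-filled rather than dropped; check the output length against the partition and page-table offsets your analysis tool expects before treating a short or long file as corruption.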

ubuntu-8.04.4-amd64-LUKS.mem.bz2
Size: 64956559 bytes (64MB)
SHA-256: 41589ae2a4cdb9c0081fe6439f2813540a3791d68a92c50efe28b6ac54d35efd
Date Added: 2013-06-18
Target OS: Ubuntu 8.04.4 64-bit
Target RAM: 512MB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

ubuntu-8.04.4-LUKS.raw
Size: 3221225472 bytes (3GB, uncompressed)
SHA-256: a9b8bd31a1b1520218c12baf77289384bbd3dc6bdd1e58105ff42a2d8170eabd
Date Added: 2013-06-18
This is a raw disk image containing a LUKS-encrypted volume, to accompany the memory image above. The device mapper crypto key for that volume can be recovered from the memory image with Second Look, which does the same for TrueCrypt and other full disk encryption schemes.
Raw Disk Image Size: 3GB
Partitions (512-byte sectors; Blocks are 1K):
                 Device Boot      Start         End      Blocks   Id  System
ubuntu-8.04.4-LUKS.raw1   *          63      498014      248976   83  Linux
ubuntu-8.04.4-LUKS.raw2          498015     6281414     2891700    5  Extended
ubuntu-8.04.4-LUKS.raw5          498078     6281414     2891668+  83  Linux

centos-6-x86_64-LUKS.mem.bz2
Size: 56649852 bytes (55MB)
SHA-256: 51e54e14c6542473ebfafc5660fd974a521bbbf7fccc9caed9ebcf84eab5845b
Date Added: 2013-06-18
Target OS: CentOS 6 64-bit
Target RAM: 1GB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

centos-6-LUKS.raw.bz2
Size: 757410443 bytes (723MB, bzip2-compressed)
SHA-256: 0cf5708673121eac521a6fd1bb30003cc6c2e62a75a73a2ae1e4c890260132d3
Date Added: 2013-06-18
This is a raw disk image containing a LUKS-encrypted volume, to accompany the memory image above. The device mapper crypto key for that volume can be recovered from the memory image with Second Look.
Raw Disk Image Size: 4GB
Partitions (512-byte sectors; Blocks are 1K):
            Device Boot      Start         End      Blocks   Id  System
centos-6-LUKS.raw1   *        2048     1026047      512000   83  Linux
centos-6-LUKS.raw2         1026048     8388607     3681280   83  Linux

ubuntu-13.04-amd64-LUKS.mem.bz2
Size: 113023462 bytes (108MB)
SHA-256: be13f305316e1d9f97d5d2558e4becf1a0428cca486e07b231b4ff09ab2b7a69
Date Added: 2013-06-18
Target OS: Ubuntu 13.04 64-bit
Target RAM: 512MB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

ubuntu-13.04-LUKS.raw
Size: 5905580032 bytes (5.5GB, uncompressed)
SHA-256: eb6ce70f59b841bcefb833085faec3548a72ea138eb752c8ca48e79540897a1d
Date Added: 2013-06-18
This is a raw disk image containing a LUKS-encrypted volume, to accompany the memory image above. The device mapper crypto key for that volume can be recovered from the memory image with Second Look.
Raw Disk Image Size: 5.5GB
Partitions (512-byte sectors; Blocks are 1K):
                Device Boot      Start         End      Blocks   Id  System
ubuntu-13.04-LUKS.raw1   *        2048      499711      248832   83  Linux
ubuntu-13.04-LUKS.raw2          501758    11532287     5515265    5  Extended
ubuntu-13.04-LUKS.raw5          501760    11532287     5515264   83  Linux

fedora-18-x86_64-LUKS.mem.bz2
Size: 173677273 bytes (166MB)
SHA-256: 198a58e236b43a3941f6f6a4f222ca814f53bd9e8fcf6ea5b180c607b8a59867
Date Added: 2013-06-18
Target OS: Fedora 18 64-bit
Target RAM: 768MB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

fedora-18-LUKS.raw
Size: 6174015488 bytes (5.8GB, uncompressed)
SHA-256: c66f106f9b9fc70a172e80c16b011308a7321c9c786c2df6b279d04a83f4ca84
Date Added: 2013-06-18
This is a raw disk image containing a LUKS-encrypted volume, to accompany the memory image above. The device mapper crypto key for that volume can be recovered from the memory image with Second Look.
Raw Disk Image Size: 5.8GB
Partitions (512-byte sectors; Blocks are 1K):
             Device Boot      Start         End      Blocks   Id  System
fedora-18-LUKS.raw1   *        2048     1026047      512000   83  Linux
fedora-18-LUKS.raw2         1026048    12058623     5516288   83  Linux

fedora-17-x86_64-clean.mem.bz2
Size: 272612207 bytes (260MB)
SHA-256: f748b4a42bb160a5e74b2fe996a009b2681dcbf7b31892c7bb340d38b4aca6f1
Date Added: 2012-09-17
Target OS: Fedora 17 64-bit
Target RAM: 1GB
Target Type: VMware Workstation VM
Acquisition Technique: VMware snapshot (.vmem file)
Infected? No

fedora-17-x86_64-modspm.mem.bz2
Size: 268864993 bytes (257MB)
SHA-256: ee4af2f6e7ac1aa096beccd538b61c69e665f0c71d15b9b13f252119bd48d3cb
Date Added: 2012-09-17
Target OS: Fedora 17 64-bit
Target RAM: 1GB
Target Type: VMware Workstation VM
Acquisition Technique: VMware snapshot (.vmem file)
Infected? Yes, with an iframe-injecting Apache module

centos-6.3-x86_64-LiveDVD-clean.mem.bz2
Size: 527746186 bytes (504MB)
SHA-256: 1fa0315634f80fa0c4e8f0804bf7e72079a105a9da423bca1c4f3de6435ef761
Date Added: 2012-08-08
Target OS: CentOS 6.3 64-bit (LiveDVD)
Target RAM: 2GB
Target Type: Dell Vostro 1510 laptop
Acquisition Technique: Firewire DMA using Inception
Infected? No

centos-6.3-x86_64-LiveDVD-avgcoder.mem.bz2
Size: 539705684 bytes (515MB)
SHA-256: 8ad3de6666b9ca77711dae2c4e0a2cb6656b379c1b3928cb0e68647a66f22ca2
Date Added: 2012-08-08
Target OS: CentOS 6.3 64-bit (LiveDVD)
Target RAM: 2GB
Target Type: Dell Vostro 1510 laptop
Acquisition Technique: Firewire DMA using Inception
Infected? Yes, with Average Coder's kernel rootkit

ubuntu-12.04-amd64-clean.mem.bz2
Size: 267615218 bytes (256MB)
SHA-256: 5ae0952d55f9ad2cb98e665001c54b42f7a6afa37809411463f5da352ba4ec46
Date Added: 2012-05-04
Target OS: Ubuntu 12.04 Desktop 64-bit
Target RAM: 1GB
Target Type: VMware Workstation VM
Acquisition Technique: VMware snapshot (.vmem file)
Infected? No

ubuntu-12.04-amd64-jynxkit.mem.bz2
Size: 179151893 bytes (171MB)
SHA-256: 353d88b8688fb4eb587aea28c1c35267f0b44e3e46077270dcc5e3ddc450dd30
Date Added: 2012-05-04
Target OS: Ubuntu 12.04 Desktop 64-bit
Target RAM: 1GB
Target Type: VMware Workstation VM
Acquisition Technique: VMware snapshot (.vmem file)
Infected? Yes, with the jynxkit shared library (LD_PRELOAD) rootkit

centos-5.6-i386-LiveCD-clean.mem.bz2
Size: 762187319 bytes (727MB)
SHA-256: 3200846938fef618cde3f8e86f3b1a8963c74a166ba3dfa5398373e0abf230fc
Date Added: 2012-04-30
Target OS: CentOS 5.6 32-bit (LiveCD)
Target RAM: 2GB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

centos-5.6-i386-LiveCD-kbeast.mem.bz2
Size: 708253476 bytes (676MB)
SHA-256: c928c0990e28d92b08a25449dc21e639c70856c87cb75824b20fd9129b4d38a8
Date Added: 2012-04-30
Target OS: CentOS 5.6 32-bit (LiveCD)
Target RAM: 2GB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? Yes, with the kbeast kernel rootkit

ubuntu-10.04.3-i386-LiveCD-clean.mem.bz2
Size: 471585776 bytes (450MB)
SHA-256: 257601040198a87bf7ea355cf1d975956fd05fb767a77fc8df2027e9a07886d8
Date Added: 2012-04-30
Target OS: Ubuntu 10.04.3 Desktop 32-bit (LiveCD)
Target RAM: 1GB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? No

ubuntu-10.04.3-i386-LiveCD-kbeast.mem.bz2
Size: 492441736 bytes (470MB)
SHA-256: ae390d6782438420ef1a16e6d8911b8f0ec3039e236cf87d80f47b6ae1db74fe
Date Added: 2012-04-30
Target OS: Ubuntu 10.04.3 Desktop 32-bit (LiveCD)
Target RAM: 1GB
Target Type: VirtualBox VM
Acquisition Technique: VirtualBox dumpguestcore command
Infected? Yes, with the kbeast kernel rootkit
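The disk images above come with partition listings, and their LUKS volumes are meant to be opened with a key recovered from the paired memory image rather than with a passphrase. The Python below is an added example, not code from Second Look or from this page, showing the glue a practitioner writes around that step: it parses an fdisk-style partition listing into byte offsets (the Ubuntu 8.04.4 table from above is embedded as sample input), reads the LUKS header at each partition's offset, and emits the dmsetup "crypt" table line that maps the volume directly with a recovered master key, bypassing the passphrase key slots. The header parser follows the LUKS1 on-disk format (LUKS2's JSON header is not handled); the miniature disk image, its single partition row, and the 64-byte master key are constructed placeholders standing in for a real image and for the key Second Look would recover, and /dev/loop0 assumes the partition has been attached with losetup at the computed offset.

```python
import io
import re
import struct

SECTOR = 512                              # the listings use 512-byte sectors: Blocks == (End - Start + 1) / 2
LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # LUKS1 header, big-endian, then 8 key slots
LUKS1_SLOT = struct.Struct(">II32sII")                    # active, iterations, salt, key-material offset, stripes
LUKS1_HDR_LEN = LUKS1_PHDR.size + 8 * LUKS1_SLOT.size     # 592 bytes
LUKS_KEY_ENABLED, LUKS_KEY_DISABLED = 0x00AC71F3, 0x0000DEAD
FDISK_ROW = re.compile(r"^(\S+)\s+(\*?)\s*(\d+)\s+(\d+)\s+(\d+)\+?\s+([0-9a-fA-F]+)\s+(.+)$")


def parse_fdisk(text):
    """Turn partition rows of an fdisk listing into dicts with byte offsets; header and blank lines are skipped."""
    parts = []
    for line in text.splitlines():
        m = FDISK_ROW.match(line.strip())
        if not m:
            continue
        dev, boot, start, end, _blocks, pid, system = m.groups()
        start, end = int(start), int(end)
        parts.append({"device": dev, "boot": boot == "*", "start": start, "end": end,
                      "sectors": end - start + 1, "offset": start * SECTOR,
                      "id": int(pid, 16), "system": system.strip()})
    return parts


def cstr(b):
    return b.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Parse a LUKS1 header; returns None when the magic or version does not match."""
    if len(blob) < LUKS1_HDR_LEN or blob[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid) = LUKS1_PHDR.unpack_from(blob, 0)
    if version != 1:
        return None
    slots = [LUKS1_SLOT.unpack_from(blob, LUKS1_PHDR.size + i * LUKS1_SLOT.size)[0] == LUKS_KEY_ENABLED
             for i in range(8)]
    return {"cipher": cstr(cipher), "mode": cstr(mode), "hash": cstr(hash_spec), "payload_offset": payload_off,
            "key_bytes": key_bytes, "uuid": cstr(uuid), "active_slots": slots}


def find_luks_volumes(image, parts):
    """Read the first 592 bytes of each partition from a seekable raw disk image; keep those with a LUKS1 header."""
    found = []
    for p in parts:
        if p["id"] == 0x05:               # extended container; its logical partitions are listed separately
            continue
        image.seek(p["offset"])
        hdr = parse_luks1_header(image.read(LUKS1_HDR_LEN))
        if hdr:
            found.append((p, hdr))
    return found


def dm_crypt_table(part, hdr, master_key, device):
    """dmsetup table mapping the payload with the master key directly:
    '<start> <length> crypt <cipher>-<mode> <hex key> <iv offset> <device> <payload offset in sectors>'."""
    if len(master_key) != hdr["key_bytes"]:
        raise ValueError("key is %d bytes, header expects %d" % (len(master_key), hdr["key_bytes"]))
    length = part["sectors"] - hdr["payload_offset"]
    return "0 %d crypt %s-%s %s 0 %s %d" % (length, hdr["cipher"], hdr["mode"], master_key.hex(),
                                            device, hdr["payload_offset"])


def build_luks1_header(cipher, mode, hash_spec, payload_offset, key_bytes, uuid, active_slots=(0,)):
    """Constructed sample header (not from a real volume) so the module runs stand-alone."""
    hdr = LUKS1_PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), hash_spec.encode(),
                          payload_offset, key_bytes, b"\x00" * 20, b"\x00" * 32, 1000, uuid.encode())
    for i in range(8):
        state = LUKS_KEY_ENABLED if i in active_slots else LUKS_KEY_DISABLED
        hdr += LUKS1_SLOT.pack(state, 1000, b"\x00" * 32, 8 + i * 256, 4000)
    return hdr


# Partition table copied from the ubuntu-8.04.4-LUKS.raw listing above.
UBUNTU_8044_FDISK = """\
                 Device Boot      Start         End      Blocks   Id  System
ubuntu-8.04.4-LUKS.raw1   *          63      498014      248976   83  Linux
ubuntu-8.04.4-LUKS.raw2          498015     6281414     2891700    5  Extended
ubuntu-8.04.4-LUKS.raw5          498078     6281414     2891668+  83  Linux
"""

# Constructed miniature image: one 4 MiB partition at sector 2048 that starts with a LUKS1 header.
SAMPLE_FDISK = "sample.raw1        2048       10239        4096   83  Linux\n"
SAMPLE_MASTER_KEY = bytes(range(64))      # placeholder for the key recovered from the memory image
SAMPLE_IMAGE = bytearray((2048 + 8192) * SECTOR)
SAMPLE_IMAGE[2048 * SECTOR:2048 * SECTOR + LUKS1_HDR_LEN] = build_luks1_header(
    "aes", "xts-plain64", "sha1", 4096, 64, "00000000-1111-2222-3333-444444444444")


def demo():
    """Return the dm-crypt table line for every LUKS1 volume found in the sample image."""
    parts = parse_fdisk(SAMPLE_FDISK)
    return [dm_crypt_table(p, h, SAMPLE_MASTER_KEY, "/dev/loop0")
            for p, h in find_luks_volumes(io.BytesIO(bytes(SAMPLE_IMAGE)), parts)]


if __name__ == "__main__":
    for p in parse_fdisk(UBUNTU_8044_FDISK):
        print("%-25s offset %11d bytes  %9d sectors  id 0x%02x" % (p["device"], p["offset"], p["sectors"], p["id"]))
    for line in demo():
        print(line)
```

Against a real image the sequence is: attach the partition read-only at the computed offset (losetup -r -o <offset> --sizelimit <sectors*512> /dev/loop0 disk.raw), write the recovered key to a file and check its length against key_bytes in the header, then dmsetup create <name> --table "<line>" and mount /dev/mapper/<name> read-only. If you would rather let cryptsetup parse the header, its open command accepts the same key via --master-key-file. Either way the mapping is only as correct as the key, so a filesystem that fails to mount usually means the wrong key material was pulled from memory, not a damaged volume.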