How to separate free/unallocated pages from memory dump?

[JohCn]

Hi,

I am looking to extract all free/unallocated pages from the memory dump taken from a Linux system. How to do this with Volatility?

My goal is to attempt recovery of deleted file fragments in free pages. I would appreciate any useful inputs in this regard.

Thanks!

[atcuno]

Hey,

There is not currently a plugin that does this, but you could make a new one that covered it.

The strings plugin is able to map physical addresses to their owning context, and for pages not owned by a process, it reports them as "FREE MEMORY":

https://github.com/volatilityfoundation/volatility/blob/703b29be247c17f63c844590102495c19826ccec/volatility/plugins/strings.py#L223

You could develop a smarter version of this that attempts to reverse lookup every offset in a capture to see if it is mapped or not.

A few warnings though:

• The kernel will/may keep pages mapped in its address space that hold previously mapped file data. The strings approach would miss these.

• Carving across physical memory is generally unsuccessful as the operating system makes no effort to map file contents into contiguous physical pages, unlike file system drivers, which purposely lay out file data sequential.