Shared Memory
Overview
Evidence: Shared Memory
Description: Collect shared memory
Category: Memory
Platform: Linux
Short Name: sharedm
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers information about the System V shared memory segments present on a Linux system: who created each segment, who owns it, which process last used it, how many processes are currently attached, and when it was last attached, detached and changed. Because a System V segment can outlive the process that created it, this listing exposes inter-process communication channels and in-memory data stores that a process listing alone does not show, which makes it useful for reconstructing system activity and investigating suspected incidents.
Data Collected
This collector gathers structured data about shared memory.
Shared Memory Data
Field             Display Name        Example value
ID                ID                  1
ProcessId         Process Id          -
OwnerUserId       Owner User Id       -
CreatorProcessId  Creator Process Id  -
CreatorUserId     Creator User Id     -
Attached          Attached            -
Locked            Locked              -
Permissions       Permissions         -
ShmId             Shm Id              -
Size              Size                1024
Status            Status              -
AccessTime        Access Time         2023-10-15 14:30:25
DetachedTime      Detached Time       2023-10-15 14:30:25
CreatorTime       Creator Time        2023-10-15 14:30:25
Collection Method
This collector enumerates the System V shared memory segments present on the host and records one row per segment into the shared_memory table. On Linux the kernel exposes this list through /proc/sysvipc/shm (the same source that ipcs -m reads), and the fields above mirror its columns: the creator process ID and the last process to attach or detach, the owner and creator user IDs, the attachment count, the permission mode, the dest/locked status flags, and the last attach, detach and change timestamps. Two caveats when reading the timestamps: the kernel's ctime is set at creation and updated again by shmctl(IPC_SET), so Creator Time equals the creation time only if the segment has not been modified since; and Access Time and Detached Time are zero for a segment that has never been attached or detached.
Usage
This evidence is useful in forensic investigations because shared memory is a common inter-process communication mechanism and, unlike an anonymous private mapping, a System V segment persists after its creator exits until it is explicitly removed (IPC_RMID) or the system reboots. Segments with no attached processes, segments whose creator process no longer exists, and world-writable segments are worth a closer look: they can indicate covert channels between processes or in-memory staging of payloads and data by malware (the segment itself does not survive a reboot). The owner, creator and timestamp fields let you tie a segment to the processes and users that used it.
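The following is an added example, not the collector's own code, that does what the collection and usage sections describe: it parses a /proc/sysvipc/shm listing into the shared_memory fields above (treating the kernel's SHM_DEST and SHM_LOCKED mode bits as the Status and Locked values, the way ipcs -m does) and then flags the segments an analyst would triage first: no attachments without a pending destruction, a creator process that has exited, or a world-writable mode. The sample listing, PIDs and timestamps are constructed; the column layout is the standard /proc/sysvipc/shm format.

```python
"""Parse a /proc/sysvipc/shm listing into shared_memory fields and triage it.

Added example, not the collector's code. The only assumption is the standard
/proc/sysvipc/shm column layout; the sample listing below is constructed.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timezone

# Flag bits the kernel keeps in the perms column (include/uapi/linux/shm.h).
SHM_DEST = 0o1000    # destroy once the last process detaches (IPC_RMID issued)
SHM_LOCKED = 0o2000  # pages locked in RAM via shmctl(SHM_LOCK)

# Constructed sample: one healthy segment already marked for destruction, and
# one orphaned, world-writable segment whose creator (PID 4321) is gone.
SAMPLE_PROC_SYSVIPC_SHM = """\
       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0      32768  1600               4194304  1234  1234      2  1000  1000  1000  1000 1697380225 1697380200 1697380100               4194304                     0
 1234567890     65537   666                  65536  4321  4321      0     0     0     0     0 1697380225 1697380225 1697380000                 65536                     0
"""


@dataclass
class SharedMemorySegment:
    ShmId: int
    Key: int
    Size: int
    ProcessId: int         # lpid: last process to attach or detach
    CreatorProcessId: int  # cpid
    OwnerUserId: int       # uid
    CreatorUserId: int     # cuid
    Attached: int          # nattch: processes currently attached
    Locked: bool           # SHM_LOCKED flag set
    Permissions: str       # access mode as octal, flag bits stripped
    Status: str            # "dest", "locked", both, or "" (as ipcs -m prints)
    AccessTime: str        # last shmat(); "" if never
    DetachedTime: str      # last shmdt(); "" if never
    CreatorTime: str       # kernel ctime: creation or last shmctl(IPC_SET)


def _fmt_time(epoch):
    """The kernel reports 0 for an event that never happened; render others in UTC."""
    if epoch == 0:
        return ""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_sysvipc_shm(text):
    """Return one SharedMemorySegment per data row of a /proc/sysvipc/shm listing."""
    segments = []
    for line in text.splitlines()[1:]:          # line 0 is the column header
        f = line.split()
        if len(f) < 14:
            continue                             # blank or truncated line
        mode = int(f[2], 8)                      # perms column is printed in octal
        flags = [name for bit, name in ((SHM_DEST, "dest"), (SHM_LOCKED, "locked")) if mode & bit]
        segments.append(SharedMemorySegment(
            ShmId=int(f[1]), Key=int(f[0]), Size=int(f[3]),
            ProcessId=int(f[5]), CreatorProcessId=int(f[4]),
            OwnerUserId=int(f[7]), CreatorUserId=int(f[9]),
            Attached=int(f[6]),
            Locked=bool(mode & SHM_LOCKED),
            Permissions=f"{mode & 0o777:03o}",
            Status=" ".join(flags),
            AccessTime=_fmt_time(int(f[11])),
            DetachedTime=_fmt_time(int(f[12])),
            CreatorTime=_fmt_time(int(f[13])),
        ))
    return segments


def _pid_alive(pid):
    return os.path.exists(f"/proc/{pid}")


def triage(segments, pid_alive=_pid_alive):
    """Return (ShmId, [reasons]) for the segments an analyst should look at first."""
    findings = []
    for s in segments:
        reasons = []
        if s.Attached == 0 and "dest" not in s.Status:
            reasons.append("no attached processes and not marked for destruction")
        if not pid_alive(s.CreatorProcessId):
            reasons.append("creator process no longer exists")
        if int(s.Permissions, 8) & 0o002:
            reasons.append("world-writable")
        if reasons:
            findings.append((s.ShmId, reasons))
    return findings


if __name__ == "__main__":
    source = "/proc/sysvipc/shm"
    text = open(source).read() if os.path.exists(source) else SAMPLE_PROC_SYSVIPC_SHM
    segs = parse_sysvipc_shm(text)
    for s in segs:
        print(s)
    for shmid, reasons in triage(segs):
        print(f"shmid {shmid}: " + "; ".join(reasons))
```

On a live host the script reads the real /proc/sysvipc/shm; on the constructed sample only shmid 65537 is flagged, for all three reasons. The liveness check is injectable so the same triage can be run offline against a listing collected from another machine, where /proc of the source host is not available.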
Notes
Only the segment metadata listed above is collected, not the contents of the segments; if the data inside a segment matters to the case, capture a full memory image while the segment still exists. Even the metadata (user IDs, process IDs, timestamps) may be sensitive and should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.