Shared Memory

Overview

Evidence: Shared Memory Description: Collect Shared Memory Category: System Platform: Linux Short Name: sharedme Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

This collector gathers shared memory information from the Linux system. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.

Data Collected

This collector gathers structured data about shared memory.

Shared Memory Data

Field

Description

Example

ID

Primary key (auto-increment)

Key

Shared memory key

0x12345678

Owner

Owner user ID

1000

Permissions

Access permissions

644

Size

Size in bytes

1024000

Creator

Creator process ID

1234

LastAttach

Last attach time

2023-10-15 14:30:25

LastDetach

Last detach time

2023-10-15 14:35:25

LastChange

Last change time

2023-10-15 14:30:25

Status

Status

dest

Collection Method

This collector parses the necessary data from the shared_memory table.

Usage

This evidence is crucial for forensic investigations as it provides shared memory information. It helps investigators understand system activity, detect security incidents, and investigate system-related events. The data can reveal system changes, unauthorized activities, and potential security vulnerabilities. Analysts can use this information to identify system compromises, trace malicious activities, and assess Linux security posture.

Notes

This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.

PreviousProcess Open Files NextMemory Map

Last updated 14 minutes ago

Was this helpful?