mquire: Open-Source Memory Forensics for Linux

Summary
– Traditional Linux memory forensics is hindered by the need for specific kernel debug symbols, which are often unavailable for the exact system being analyzed.
– The mquire tool overcomes this by using built-in kernel data (BTF and Kallsyms) to analyze memory dumps without requiring external debug information.
– It provides an interactive SQL interface, allowing analysts to query and join diverse system data like processes, files, and network connections.
– mquire includes advanced capabilities such as recovering deleted files from the kernel’s page cache and detecting hidden processes to identify rootkits.
– The tool is limited to kernel-level data and its Kallsyms scanner may require updates for future kernel format changes, but future development is planned.
Memory forensics on Linux systems has traditionally faced a significant hurdle: the reliance on specific kernel debug symbols. These symbols are rarely present on production machines, and finding matching versions in external repositories is often a frustrating and fruitless task during incident response. The open-source tool mquire, developed by Trail of Bits, fundamentally changes this dynamic by enabling analysis of Linux memory dumps without any external debug information. It achieves this by leveraging data already embedded within modern Linux kernels.
The tool works by extracting two key sources of information directly from a memory capture. The first is BPF Type Format (BTF), a compact metadata format that describes the layout of kernel data structures, including field offsets, sizes and type relationships. The second is Kallsyms, the kernel's internal symbol table that maps function and variable names to their memory addresses. mquire scans the dump to locate the Kallsyms data, uses it to find the addresses of the kernel objects it needs, and then applies the BTF information to parse those objects field by field. This requires a kernel of version 4.18 or newer built with BTF (CONFIG_DEBUG_INFO_BTF), which is the default in major distributions. Because the in-kernel Kallsyms layout changed in 6.4, the tool's Kallsyms scanner currently handles kernels 6.4 and later.
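To make concrete what "using BTF to interpret kernel structures" means, here is an added example that is not mquire's code: a minimal decoder for the BTF type section (header, btf_type records, struct members, strings), applied to a constructed blob describing a hypothetical 32-byte `struct task { int pid; struct task *next; char comm[16]; }`, and then used to read a constructed 32-byte memory fragment. The struct, its name, the sample bytes and the 64-bit pointer width are assumptions for illustration; the encoding of the header, kinds and member records follows the kernel's BTF format.

```python
import struct

# Added example, not mquire's code: a minimal BTF decoder. Kinds and layouts
# follow include/uapi/linux/btf.h; only the four kinds this sample needs are handled.
BTF_MAGIC = 0xEB9F
BTF_KIND_INT, BTF_KIND_PTR, BTF_KIND_ARRAY, BTF_KIND_STRUCT = 1, 2, 3, 4
BTF_INT_SIGNED = 1 << 24
HDR_FMT = "<HBBIIIII"  # magic, version, flags, hdr_len, type_off, type_len, str_off, str_len


def btf_info(kind, vlen=0):
    """btf_type.info: vlen in bits 0-15, kind in bits 24-28 (kind_flag left clear)."""
    return (kind << 24) | vlen


def build_sample_btf():
    """Constructed BTF blob for a hypothetical 32-byte
    struct task { int pid; struct task *next; char comm[16]; } (type id 5)."""
    strtab, off = b"\0", {}          # string 0 is always the empty string
    for n in ("int", "char", "task", "pid", "next", "comm"):
        off[n] = len(strtab)
        strtab += n.encode() + b"\0"
    types = b"".join([
        struct.pack("<IIII", off["int"], btf_info(BTF_KIND_INT), 4, BTF_INT_SIGNED | 32),  # 1: int
        struct.pack("<IIII", off["char"], btf_info(BTF_KIND_INT), 1, BTF_INT_SIGNED | 8),  # 2: char
        struct.pack("<III", 0, btf_info(BTF_KIND_PTR), 5),                                  # 3: struct task *
        struct.pack("<IIIIII", 0, btf_info(BTF_KIND_ARRAY), 0, 2, 1, 16),                   # 4: char[16]
        struct.pack("<III", off["task"], btf_info(BTF_KIND_STRUCT, vlen=3), 32)             # 5: struct task
        + struct.pack("<III", off["pid"], 1, 0)        # members: name_off, type, bit offset
        + struct.pack("<III", off["next"], 3, 64)
        + struct.pack("<III", off["comm"], 4, 128),
    ])
    hdr = struct.pack(HDR_FMT, BTF_MAGIC, 1, 0, 24, 0, len(types), len(types), len(strtab))
    return hdr + types + strtab


def parse_btf(blob):
    """Walk the type section and return {type_id: decoded type}; id 0 is void."""
    magic, _ver, _flags, hdr_len, type_off, type_len, str_off, str_len = struct.unpack_from(HDR_FMT, blob, 0)
    if magic != BTF_MAGIC:
        raise ValueError("not a BTF blob")
    strs = blob[hdr_len + str_off: hdr_len + str_off + str_len]

    def name(o):
        return strs[o:strs.index(b"\0", o)].decode()

    types = {0: {"kind": "void", "name": "void"}}
    pos, end, tid = hdr_len + type_off, hdr_len + type_off + type_len, 1
    while pos < end:
        name_off, info, size_or_type = struct.unpack_from("<III", blob, pos)
        pos += 12
        kind, vlen = (info >> 24) & 0x1F, info & 0xFFFF
        t = {"kind": kind, "name": name(name_off)}
        if kind == BTF_KIND_INT:
            (int_data,) = struct.unpack_from("<I", blob, pos)   # encoding/offset/bits word
            pos += 4
            t.update(size=size_or_type, signed=bool(int_data & BTF_INT_SIGNED))
        elif kind == BTF_KIND_PTR:
            t["type"] = size_or_type
        elif kind == BTF_KIND_ARRAY:
            elem, _index_type, nelems = struct.unpack_from("<III", blob, pos)
            pos += 12
            t.update(elem=elem, nelems=nelems)
        elif kind == BTF_KIND_STRUCT:
            members = []
            for _ in range(vlen):
                m_name, m_type, m_off = struct.unpack_from("<III", blob, pos)
                pos += 12
                members.append((name(m_name), m_type, m_off))   # offset is in bits
            t.update(size=size_or_type, members=members)
        else:
            raise NotImplementedError(f"BTF kind {kind} not handled in this example")
        types[tid] = t
        tid += 1
    return types


def type_size(types, tid):
    t = types[tid]
    if t["kind"] == BTF_KIND_PTR:
        return 8                      # assumes a 64-bit target
    if t["kind"] == BTF_KIND_ARRAY:
        return t["nelems"] * type_size(types, t["elem"])
    return t["size"]


def find_struct(types, struct_name):
    return next(t for t in types.values() if t["kind"] == BTF_KIND_STRUCT and t["name"] == struct_name)


def struct_layout(types, struct_name):
    """{member: (byte offset, size)} recovered purely from BTF, no vmlinux debug info."""
    return {m: (bit_off // 8, type_size(types, mt)) for m, mt, bit_off in find_struct(types, struct_name)["members"]}


def read_struct(types, struct_name, mem):
    """Interpret the bytes at the start of `mem` as the named struct."""
    out = {}
    for m, mt, bit_off in find_struct(types, struct_name)["members"]:
        t, off = types[mt], bit_off // 8
        raw = mem[off: off + type_size(types, mt)]
        if t["kind"] == BTF_KIND_INT:
            out[m] = int.from_bytes(raw, "little", signed=t["signed"])
        elif t["kind"] == BTF_KIND_PTR:
            out[m] = int.from_bytes(raw, "little")
        elif t["kind"] == BTF_KIND_ARRAY and types[t["elem"]].get("size") == 1:
            out[m] = raw.split(b"\0", 1)[0].decode(errors="replace")  # char[] read as a C string
        else:
            out[m] = raw
    return out


# Constructed 32 bytes standing in for a struct task located in a memory dump.
SAMPLE_MEM = struct.pack("<iIQ16s", 1234, 0, 0xFFFF888001234560, b"bash")

if __name__ == "__main__":
    types = parse_btf(build_sample_btf())
    print(struct_layout(types, "task"))
    print(read_struct(types, "task", SAMPLE_MEM))
```

The point of the example is the division of labour the article describes: Kallsyms tells a tool where an object is, BTF tells it what the bytes at that address mean, and neither requires a matching vmlinux or debug package. A real decoder additionally has to handle typedefs, unions, bitfields (kind_flag), the remaining kinds, and the many thousands of types in a production kernel's .BTF section.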
Once a memory dump is loaded, mquire presents an interactive SQL interface, a design inspired by the popular osquery framework. This allows analysts to explore system state using familiar relational queries. Investigators can run one-off commands or work in an interactive session, joining data across different system areas. A single SQL statement can, for instance, correlate running processes with their open network connections, map processes to their loaded binaries, or reconstruct full file paths from kernel objects.
The available queryable tables provide broad visibility into system state at the time of the capture. These include running processes with details like PIDs and command lines, open files organized by process, memory mappings, active network connections and interface details, loaded kernel modules, kernel log messages, and system logs read from the kernel’s file cache.
Beyond querying, mquire offers practical forensic recovery capabilities. Its .dump command can recover file contents directly from the kernel's page cache, writing them to disk. This is particularly valuable for retrieving files that have been deleted from the storage drive but still reside in memory, such as a dropper an attacker unlinked after execution. Only pages still resident in the cache can be recovered, so large or long-idle files may come back incomplete. A separate .carve command extracts raw data from a specified virtual address range, for cases where no kernel object describes the bytes of interest.
The tool also aids in rootkit detection through its support for multiple process enumeration techniques. One method walks the kernel's main task list, while another enumerates processes through the PID namespace's own index of PIDs. Kernel-mode malware may hide a process by unlinking its task_struct from the task list while the scheduler keeps running it, a technique that leaves the process invisible to anything that walks only that list. By comparing the results of the two enumeration strategies, a cross-view check, analysts can flag any PID that appears in one view but not the other and uncover processes attempting to remain hidden.
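The following added example (not mquire's code, and not its real schema) shows both the relational style described above and the cross-view check in one place. It loads constructed process and socket tables into an in-memory SQLite database, joins processes to their established connections, and then uses EXCEPT to list processes visible through one enumeration but missing from the other. The table and column names (processes_tasklist, processes_pidns, process_open_sockets) are assumed, osquery-like names chosen for the illustration; the sample rows, including a PID 4242 that is absent from the task list, are constructed.

```python
import sqlite3

# Added example, not mquire's code. The schema below is an assumed, osquery-style
# stand-in for the kind of tables a memory-forensics SQL shell exposes.
SCHEMA = """
CREATE TABLE processes_tasklist (pid INTEGER, ppid INTEGER, comm TEXT);
CREATE TABLE processes_pidns    (pid INTEGER, ppid INTEGER, comm TEXT);
CREATE TABLE process_open_sockets (
    pid INTEGER, family TEXT, local_address TEXT, local_port INTEGER,
    remote_address TEXT, remote_port INTEGER, state TEXT);
"""

# Constructed sample data: the task-list walk is missing pid 4242, which the
# PID-namespace enumeration still reports (the signature of an unlinked task_struct).
TASKLIST = [(1, 0, "systemd"), (812, 1, "sshd"), (1337, 812, "bash"), (2001, 1337, "nc")]
PIDNS = TASKLIST + [(4242, 1, "kworker/u:9")]
SOCKETS = [
    (812, "AF_INET", "0.0.0.0", 22, "0.0.0.0", 0, "LISTEN"),
    (2001, "AF_INET", "10.0.0.5", 51234, "203.0.113.7", 4444, "ESTABLISHED"),
    (4242, "AF_INET", "10.0.0.5", 60000, "198.51.100.9", 8080, "ESTABLISHED"),
]


def build_sample_db():
    """Stand up the in-memory database with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO processes_tasklist VALUES (?, ?, ?)", TASKLIST)
    db.executemany("INSERT INTO processes_pidns VALUES (?, ?, ?)", PIDNS)
    db.executemany("INSERT INTO process_open_sockets VALUES (?, ?, ?, ?, ?, ?, ?)", SOCKETS)
    return db


def process_connections(db):
    """Correlate running processes with their established network connections."""
    return db.execute("""
        SELECT p.pid, p.comm, s.remote_address, s.remote_port
        FROM processes_tasklist AS p
        JOIN process_open_sockets AS s USING (pid)
        WHERE s.state = 'ESTABLISHED'
        ORDER BY p.pid""").fetchall()


def hidden_processes(db):
    """Cross-view check: PIDs the PID namespace knows about that the task list lacks."""
    return db.execute("""
        SELECT pid, comm FROM processes_pidns
        EXCEPT
        SELECT pid, comm FROM processes_tasklist
        ORDER BY pid""").fetchall()


def hidden_process_connections(db):
    """Pivot from the discrepancy to its network activity in the same query."""
    return db.execute("""
        WITH hidden AS (
            SELECT pid, comm FROM processes_pidns
            EXCEPT
            SELECT pid, comm FROM processes_tasklist)
        SELECT h.pid, h.comm, s.remote_address, s.remote_port
        FROM hidden AS h
        JOIN process_open_sockets AS s USING (pid)
        ORDER BY h.pid""").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("established:", process_connections(db))
    print("hidden:", hidden_processes(db))
    print("hidden with sockets:", hidden_process_connections(db))
```

The join in `process_connections` is the everyday use of the SQL interface; the EXCEPT in `hidden_processes` is the cross-view test, and the CTE in the last query shows why having both views in the same database matters: once a discrepancy is found, one statement pivots straight to what the hidden process was talking to. In real analysis the comparison should also be run in the other direction (task list minus PID namespace), since a rootkit may tamper with either structure.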
It is important to understand the scope and current limitations of the tool. mquire operates at the kernel level; because BTF does not describe user-space structures, analysis of application memory is not supported. Furthermore, the Kallsyms scanner is built for a specific kernel data format, meaning future kernel changes could necessitate updates to the tool’s heuristics. The developers have indicated a roadmap that includes expanding table support, improving performance through caching, and adding capabilities for direct memory access (DMA) acquisition from physical systems.
The mquire project is publicly available on GitHub, offering a powerful new methodology for Linux memory analysis that bypasses the longstanding dependency on elusive debug symbols.
(Source: HelpNet Security)
