
AVML (Acquire Volatile Memory for Linux)
Categories: Incident Management, Digital Forensics
A Portable Tool for Acquiring Volatile Memory
AVML is a portable volatile memory acquisition tool for Linux. It is an x86_64 userland tool written in Rust and is meant to be used as a static binary. AVML lets you acquire memory without prior knowledge of the target's distribution or kernel; no on-target compilation or fingerprinting is required.
Features of the System
- Upload acquired images to external locations via Azure Blob Store or HTTP PUT.
- Automatic retry with exponential backoff when uploading to Azure Blob Store (for transient network failures).
- Optional page-level compression utilizing Snappy.
- Outputs in LiME format (when compression is not applied).
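As an added example (not part of AVML or this page), the following Python parser walks the uncompressed LiME output described above: it validates the 32-byte per-segment header (magic, version, inclusive end address), rejects truncated images, and maps a physical address back to a file offset so an acquired image can be sanity-checked before analysis. The sample image is constructed inline; the header layout is the standard LiME one, assumed here rather than taken from the page.

```python
import struct
from typing import List, Tuple

# LiME memory-range header, as written by LiME and by AVML with compression off.
LIME_MAGIC = 0x4C694D45        # little-endian on x86_64, so the file starts with b"EMiL"
LIME_VERSION = 1
HEADER_FMT = "<IIQQ8s"         # magic, version, s_addr, e_addr, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 32 bytes

def parse_lime_segments(image: bytes) -> List[Tuple[int, int, int]]:
    """Return (s_addr, e_addr, data_offset) for each segment in a LiME image.
    Raises ValueError on a bad magic/version or a truncated segment, so a
    partially written or non-LiME image is rejected before analysis."""
    segments = []
    off = 0
    while off < len(image):
        if off + HEADER_LEN > len(image):
            raise ValueError(f"truncated header at offset {off}")
        magic, version, s_addr, e_addr, _ = struct.unpack_from(HEADER_FMT, image, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset {off}")
        if version != LIME_VERSION:
            raise ValueError(f"unsupported LiME version {version}")
        if e_addr < s_addr:
            raise ValueError(f"invalid range {s_addr:#x}-{e_addr:#x}")
        size = e_addr - s_addr + 1          # e_addr is inclusive
        data_off = off + HEADER_LEN
        if data_off + size > len(image):
            raise ValueError(f"segment {s_addr:#x} truncated: need {size} bytes")
        segments.append((s_addr, e_addr, data_off))
        off = data_off + size
    return segments

def read_physical(image: bytes, segments, paddr: int, length: int) -> bytes:
    """Map a physical address to image bytes; reads stop at the segment end."""
    for s_addr, e_addr, data_off in segments:
        if s_addr <= paddr <= e_addr:
            end = min(paddr + length, e_addr + 1)
            return image[data_off + (paddr - s_addr): data_off + (end - s_addr)]
    raise KeyError(f"{paddr:#x} not covered by any segment")

def build_segment(s_addr: int, data: bytes) -> bytes:
    """Constructed test helper: wrap data in a LiME segment header."""
    e_addr = s_addr + len(data) - 1
    return struct.pack(HEADER_FMT, LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\0" * 8) + data

# Constructed sample image: two non-contiguous ranges, like a physical map with a hole.
SAMPLE_IMAGE = build_segment(0x1000, b"A" * 0x100) + build_segment(0x100000, b"B" * 0x80)
```

Running `parse_lime_segments` over a real AVML capture gives the segment table; a ValueError on a file that should be uncompressed usually means the capture was interrupted or written with compression enabled.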
Memory Sources:
- /dev/crash
- /proc/kcore
- /dev/mem
If no memory source is given on the command line, AVML tries each source in turn and uses the first one that works.
NOTE: If the kernel feature 'kernel_lockdown' is enabled, AVML will be unable to acquire memory.
Tested Distributions:
- Ubuntu: 12.04, 14.04, 16.04, 18.04, 18.10, 19.04, 19.10, 20.04, 21.04, 22.04
- CentOS: 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 7.0, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.9
- RHEL: 6.7, 6.8, 6.9, 7.0, 7.2, 7.3, 7.4, 7.5, 7.7, 8.5, 9.0
- Debian: 8, 9, 10