#ro0ted #OpNewblood What the blackhats dont want u to know: Memory Cloning + BE in Linux
By ro0ted | June 6, 2015 - 16:38 | Posted in /b/

In the last tutorial we used Bulk Extractor on Windows; this one is for Linux. – ro0ted


Open your terminal and install the build tools. libewf-dev is what lets bulk_extractor read the E01 (Expert Witness) images that Guymager produces further down; the README shipped in the bulk_extractor tarball lists the full set of build dependencies for your distribution:

sudo apt-get -y install gcc g++ flex libewf-dev

Unpack bulk_extractor (tar can gunzip for you, there is no need for a separate gunzip step):

tar xzvf bulk_extractor-1.5.5.tar.gz
cd bulk_extractor-1.5.5

Download hashdb-2.0.1.tar.gz into this directory (the download URL did not survive in the original post) and unpack it:

wget
tar xzvf hashdb-2.0.1.tar.gz

Build and install hashdb first, because bulk_extractor's configure step looks for it:

cd hashdb-2.0.1
./configure
make
sudo make install

Then go back up to the bulk_extractor directory (it is the parent of hashdb-2.0.1, so cd .., not cd bulk_extractor-1.5.5) and build it the same way:

cd ..
./configure
make
sudo make install

To run it, give it an image and an output directory; the output directory is created for you and must not already contain files from an earlier run:

bulk_extractor -o be_out image.raw

When it finishes, be_out holds one feature file per scanner (email.txt, url.txt, domain.txt, ip.txt, ...), a *_histogram.txt beside each of them, and report.xml with the run parameters. bulk_extractor -h lists the scanners and options.
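The feature files are plain text, so it is worth knowing how to read them without BEViewer. The following is an added example for this post, not bulk_extractor's own code. It assumes the 1.5.x feature-file layout: banner lines starting with '#', then one feature per line as offset, feature and context separated by tabs, with non-printable context bytes escaped as \xNN. An offset written as a forensic path such as 4096-GZIP-120 means the feature was found 120 bytes into the gzip stream that begins at image offset 4096 (the gzip scanner recursed into it). The sample email.txt is constructed inline, and the case-folding in the histogram is my choice, not necessarily what every bulk_extractor histogram does.

```python
"""Read bulk_extractor feature files and summarise them.

Added example for this post; it is not bulk_extractor's own code.  It assumes
the 1.5.x feature-file layout: '#' banner lines, then one feature per line as
<forensic path><TAB><feature><TAB><context>, with non-printable context bytes
escaped as \\xNN.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple
import re

# Constructed sample of an email.txt from a run over a memory image (not real data).
SAMPLE_EMAIL_TXT = (
    "# BULK_EXTRACTOR-Version: 1.5.5\n"
    "# Feature-Recorder: email\n"
    "# Filename: mem.raw\n"
    "# Feature-File-Version: 1.1\n"
    "1024\talice@example.com\tFrom: alice@example.com\\x0ATo: bob@ex\n"
    "2048\tbob@example.org\tTo: bob@example.org\\x0ASubject: hi\n"
    "4096-GZIP-120\talice@example.com\tcc: alice@example.com\\x00\\x00\n"
    "8192\tALICE@EXAMPLE.COM\tmailto:ALICE@EXAMPLE.COM\n"
)


@dataclass
class Feature:
    path: str      # forensic path exactly as bulk_extractor wrote it
    offset: int    # byte offset in the image: first component of the path
    nested: bool   # True when found inside decoded data (path has more components)
    feature: str
    context: str   # still escaped; see unescape_context()


_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_context(ctx: str) -> bytes:
    """Turn the \\xNN escapes in a context column back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(ctx):
        m = _ESC.match(ctx, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out += ctx[i].encode("latin-1")
            i += 1
    return bytes(out)


def parse_feature_file(text: str) -> List[Feature]:
    """Parse one feature file; banner lines and malformed lines are skipped."""
    feats = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # banner / comment line
        cols = line.split("\t")
        if len(cols) < 2:
            continue                      # not a feature line
        path, feature = cols[0], cols[1]
        context = cols[2] if len(cols) > 2 else ""
        head = path.split("-", 1)[0]
        if not head.isdigit():
            continue                      # malformed path: skip rather than guess
        feats.append(Feature(path, int(head), "-" in path, feature, context))
    return feats


def histogram(feats: List[Feature], casefold: bool = True) -> List[Tuple[int, str]]:
    """Count features, most frequent first, like the n=COUNT<TAB>feature lines
    in bulk_extractor's *_histogram.txt files.  Case-folding is this example's
    choice (assumption), useful for e-mail addresses."""
    c = Counter((f.feature.lower() if casefold else f.feature) for f in feats)
    return sorted(((n, v) for v, n in c.items()), key=lambda t: (-t[0], t[1]))


def in_range(feats: List[Feature], lo: int, hi: int) -> List[Feature]:
    """Features whose top-level image offset lies in [lo, hi)."""
    return [f for f in feats if lo <= f.offset < hi]


if __name__ == "__main__":
    feats = parse_feature_file(SAMPLE_EMAIL_TXT)
    for n, v in histogram(feats):
        print(f"n={n}\t{v}")
    for f in in_range(feats, 0, 4096):
        print(f.path, f.feature, unescape_context(f.context))
```

Swap SAMPLE_EMAIL_TXT for open("be_out/email.txt").read() to run it over a real result directory; in_range() is the quick way to ask "what was found inside this region of the dump" once you know where a process or kernel structure lives.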



And if you want a graphical interface instead of commands, type: BEViewer
(BEViewer is the Java front end that the bulk_extractor build installs alongside the command-line tool; it needs a Java runtime.)

From here it is very simple.
Click Tools > Run bulk_extractor:

This menu box will pop up:

Don't worry about the fancy settings; we will get into them in another tutorial. This is just a Linux walk-through:

You will need a memory dump. I suggest LiME, a loadable kernel module that writes physical RAM out to a file (or over TCP).

bulk_extractor will scan any file you hand it, so for testing purposes you can use any img file. If you are running a VM, chances are you already have this one:
You can throw it into Bulk Extractor even though an initrd is not a memory dump (it is a compressed boot-time filesystem); bulk_extractor's gzip scanner decompresses it on the fly, so you will still get results:
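A note on what LiME actually writes, since it affects how you read bulk_extractor's offsets. LiME is loaded with something like sudo insmod lime.ko "path=/tmp/mem.lime format=lime" (the module file name depends on your kernel build; format=raw and format=padded also exist). In the lime format the dump is a sequence of physical address ranges, each preceded by a 32-byte header: magic 0x4C694D45 (the bytes EMiL on disk), version, start address, inclusive end address and 8 reserved bytes, as laid out in LiME's lime.h. bulk_extractor will happily scan a .lime file as-is, but the offsets in its feature files are then file offsets, which drift away from physical addresses after every header and every hole (PCI space, reserved regions). The example below is added here and is not part of this post or of the LiME project: it parses that layout and flattens it to a raw image so that a bulk_extractor offset equals a physical address. The sample dump is constructed inline with a tiny helper that writes the same headers.

```python
"""Walk a LiME-format memory dump and flatten it to a raw image.

Added example for this post, not LiME's or bulk_extractor's own code.
Header layout as in LiME's lime.h (assumption: e_addr is the inclusive end
of the range, as it is in the kernel's iomem resources that LiME walks).
"""
import struct
from typing import List, Tuple

LIME_MAGIC = 0x4C694D45               # little-endian on disk: b"EMiL"
LIME_VERSION = 1
LIME_HDR = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved[8]


def parse_lime(blob: bytes) -> List[Tuple[int, int, bytes]]:
    """Return [(s_addr, e_addr, data)] for every range in the dump,
    refusing to guess if a header or a range is truncated."""
    ranges = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < LIME_HDR.size:
            raise ValueError("truncated header at file offset %d" % pos)
        magic, version, s_addr, e_addr, _reserved = LIME_HDR.unpack_from(blob, pos)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at file offset %d" % (magic, pos))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end before start at file offset %d" % pos)
        pos += LIME_HDR.size
        size = e_addr - s_addr + 1        # inclusive end address
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("range at 0x%x truncated (%d of %d bytes)" % (s_addr, len(data), size))
        pos += size
        ranges.append((s_addr, e_addr, data))
    return ranges


def lime_to_raw(blob: bytes) -> bytes:
    """Flatten to a physical-address-indexed raw image, zero-filling the holes
    between RAM ranges.  This is what LiME's format=padded does in-kernel."""
    out = bytearray()
    for s_addr, _e_addr, data in parse_lime(blob):
        if s_addr < len(out):
            raise ValueError("overlapping or unordered range at 0x%x" % s_addr)
        out += b"\0" * (s_addr - len(out))
        out += data
    return bytes(out)


def make_lime(ranges: List[Tuple[int, bytes]]) -> bytes:
    """Write the same headers LiME does; used only to construct test input."""
    out = bytearray()
    for s_addr, data in ranges:
        out += LIME_HDR.pack(LIME_MAGIC, LIME_VERSION, s_addr, s_addr + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


# Constructed sample: two RAM ranges with a hole between them, the shape LiME
# produces for a machine with a reserved region (sizes shrunk for the example).
SAMPLE_DUMP = make_lime([(0x1000, b"A" * 0x100), (0x3000, b"B" * 0x80)])

if __name__ == "__main__":
    for s_addr, e_addr, data in parse_lime(SAMPLE_DUMP):
        print("range 0x%x-0x%x, %d bytes" % (s_addr, e_addr, len(data)))
    print("flattened image: %d bytes" % len(lime_to_raw(SAMPLE_DUMP)))
```

Run lime_to_raw() over a real /tmp/mem.lime and write the result to mem.raw before feeding it to bulk_extractor -o be_out mem.raw; the offsets in be_out/*.txt then line up with what Volatility reports for the same dump.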

Okay, I will use a simple utility called Guymager to take an image; this is the process the post refers to as "memory cloning". Keep in mind that Guymager images block devices (a disk, a partition, a USB stick), not RAM: the result is a disk image, and for volatile memory you still want LiME from above.

type: sudo apt-get install guymager
to run type: guymager


Right-click the device and choose Acquire image:

Expert Witness Format is the best choice: the E01 segments are compressed, carry the acquisition metadata (case, examiner, notes) and the hashes Guymager computes while imaging, and bulk_extractor reads E01 directly because we built it against libewf:

Select your output:

Then wait. Imaging a whole device takes a long time:
You can also take a raw (dd-style) image instead of E01:
Click RAW Device:




Once the acquisition finishes (3 hours minimum) I will post the results. Check out my last tutorial on Bulk Extractor and memory dumping for a Windows-based machine here. In the next tutorial I will show you how to take a memory dump of your Android. – ro0ted

Please check out my series, "What the blackhats don't want you to know", below. #CgAn


Random tutorial in the series: Meet Volatility Frameworks automatic cousin: Volix


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

 Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1

Ollydbg on Steroids

Creating Patchers Part 1

Have you supported the gas mask campaign over the years?

Crack to win a gas mask gift pack

How to edit a register me crack me Pre Part 1

Unwinding Delphi Binaries Walk Through if not Preview

Cracking Delphi Part 2

Reversing Timed Trials: Ollydbg Tricks Part 3

Analyzing Adware

Preview Against Debugging

Bypassing Registering 101

Bypassing Part 2

Android/iOS Reversing

Introducing IDA Pro: Static Analyzing

Hacker’s Disassembler

Ripping Apart Adware

Never trust Warez or Cracked Programs: Reversing a Crypted IRC bot infected file


Unpacking & Crypting there is a difference

Covert Debugging whitepaper from

Manually Unpacking with Ollydbg

Manually Unpacking Part 2

Manually Unpacking 101

ASM Injecting

ASM Injecting Part 2

ASM Injecting Part 3: Crypt your malicious file

Reversing Trials

Adding Your Menu

ASM Injecting Part 4

ASM Injecting Part 5

Finding Nag Screens & Removing them

REMnux: Linux Toolkit for Reverse-Engineering and Analyzing Malware

REMnux: Volatility Framework ~ Memory Forensics

Volatility Analyzing the ZeuS Bot Part 2

Infected Machine? Create a memory dump

What the gov doesn't want you to know: All your pastebin data is being LOGGED

Connect to IRC more securely with SSL, add a fingerprint to your nick

Do you have pictures of yourself on the internet? You might have leaked the location where the pic was taken through EXIF data

Bulk Extractor: Walk Through for a Windows Platform

Bulk Extractor: Walk Through for Linux platform



