Source: Help Net Security
Author: Anamarija Pogorelec
URL: https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/
mquire: Open-source Linux memory forensics tool
ONE SENTENCE SUMMARY:
Trail of Bits’ mquire enables Linux kernel memory forensics without external symbols using BTF, Kallsyms, and SQL-based querying.
MAIN POINTS:
- Traditional Linux memory forensics relies on exact kernel debug symbols that often aren’t available.
- mquire analyzes memory dumps without needing external debug repositories or symbol packages.
- BTF provides compact kernel type layouts, offsets, and relationships for structure parsing.
- Kallsyms addresses are located by scanning dumps, mirroring live /proc/kallsyms functionality.
- BTF requires Linux kernel 4.18+ with BTF enabled, common in major distributions.
- Kallsyms support requires kernel 6.4+ due to scripts/kallsyms.c format changes.
- An interactive SQL interface, inspired by osquery, enables intuitive forensic exploration.
- Queries can join processes, open files, dentries, and network connections for correlated analysis.
- Page-cache extraction recovers open or deleted files via .dump, plus raw carving with .carve.
- Hidden process detection compares task-list enumeration against PID namespace enumeration strategies.
TAKEAWAYS:
- Eliminating external debug symbols reduces failure modes during time-sensitive incident response.
- BTF+Kallsyms lets analysts reconstruct kernel structures directly from the dump.
- SQL makes complex cross-artifact correlations approachable and repeatable in investigations.
- Page-cache recovery can retrieve valuable evidence even after on-disk deletion.
- Kernel-only scope limits user-space visibility, and future Kallsyms changes may require tool updates.