mquire: Open-source Linux memory forensics tool

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/

mquire: Open-source Linux memory forensics tool

ONE SENTENCE SUMMARY:

Trail of Bits’ mquire enables Linux kernel memory forensics without external symbols using BTF, Kallsyms, and SQL-based querying.

MAIN POINTS:

  1. Traditional Linux memory forensics relies on exact kernel debug symbols that often aren’t available.
  2. mquire analyzes memory dumps without needing external debug repositories or symbol packages.
  3. BTF provides compact kernel type layouts, offsets, and relationships for structure parsing.
  4. Kallsyms addresses are located by scanning dumps, mirroring live /proc/kallsyms functionality.
  5. BTF requires Linux kernel 4.18+ with BTF enabled, common in major distributions.
  6. Kallsyms support requires kernel 6.4+ due to scripts/kallsyms.c format changes.
  7. An interactive SQL interface, inspired by osquery, enables intuitive forensic exploration.
  8. Queries can join processes, open files, dentries, and network connections for correlated analysis.
  9. Page-cache extraction recovers open or deleted files via .dump, plus raw carving with .carve.
  10. Hidden process detection compares task-list enumeration against PID namespace enumeration strategies.

TAKEAWAYS:

  1. Eliminating external debug symbols reduces failure modes during time-sensitive incident response.
  2. BTF+Kallsyms lets analysts reconstruct kernel structures directly from the dump.
  3. SQL makes complex cross-artifact correlations approachable and repeatable in investigations.
  4. Page-cache recovery can retrieve valuable evidence even after on-disk deletion.
  5. Kernel-only scope limits user-space visibility, and future Kallsyms changes may require tool updates.