# Linux / AVML

Download AVML

```
$ wget https://github.com/microsoft/avml/releases/download/v0.2.0/avml
```

Make executable

```
$ chmod +x avml
```

Run AVML (with no arguments it only prints its usage; the memory dump is written in the acquisition step below)

```
$ ./avml
```

Identify kernel profile

```
$ uname -a
Linux syd 4.15.0-106-generic #107-Ubuntu SMP Thu Jun 4 11:27:52 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
```

```
$ cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.4 LTS"
NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
```

Acquire memory with AVML (a 1GB memory image took ~2 seconds)

```
$ sudo ./avml /path/to/dump/filename.mem
```

Acquire to a remote location (mount the share first, then write the dump onto it; AVML still needs root to read physical memory)

```
$ sudo mount -o user=username -t cifs \\\\remotehost\\folder$ /mnt/point
$ sudo ./avml /mnt/point/memdump.mem
```
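The kernel identification and acquisition steps above, folded into one script so the dump is named after the kernel it came from and stored next to a manifest with its SHA-256 and the kernel details a profile build needs later. This is an added example, not code from the page or from the AVML project; the function names, the label format and the manifest layout are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page or of AVML: wraps the acquisition
# above so the dump is named after the kernel it came from and is stored next to a
# manifest holding the SHA-256 and the kernel details needed for a profile later.
# Function names, the label format and the manifest layout are this example's own.
set -eu

# profile_label OS_RELEASE_TEXT KERNEL_RELEASE
# Builds "<ID>_<VERSION_ID>_<kernel release>" from the contents of /etc/os-release
# and `uname -r`, e.g. ubuntu_18.04_4.15.0-106-generic for the host shown above.
profile_label() {
  local os_release_text="$1" kernel_release="$2" id ver
  id=$(printf '%s\n' "$os_release_text" | sed -n 's/^ID=//p' | tr -d '"')
  ver=$(printf '%s\n' "$os_release_text" | sed -n 's/^VERSION_ID=//p' | tr -d '"')
  printf '%s_%s_%s\n' "${id:-unknown}" "${ver:-unknown}" "$kernel_release"
}

# acquire_memory AVML_BIN OUTDIR [OS_RELEASE_FILE]
# Runs AVML into OUTDIR/<label>.mem (run the script as root, as with `sudo ./avml`
# above), then records uname, distro and the dump's SHA-256 in OUTDIR/<label>.manifest
# so the image can be tied to a kernel build when it is examined later.
acquire_memory() {
  local avml_bin="$1" outdir="$2" os_release_file="${3:-/etc/os-release}"
  local label dump manifest
  label=$(profile_label "$(cat "$os_release_file")" "$(uname -r)")
  dump="$outdir/$label.mem"
  manifest="$outdir/$label.manifest"
  mkdir -p "$outdir"
  "$avml_bin" "$dump"
  {
    echo "uname: $(uname -a)"
    echo "distro: $(sed -n 's/^PRETTY_NAME=//p' "$os_release_file" | tr -d '"')"
    echo "sha256: $(sha256sum "$dump" | cut -d' ' -f1)"
  } > "$manifest"
  printf '%s\n' "$dump"
}
```

Call it as `sudo ./acquire.sh` with `acquire_memory ./avml /path/to/dumps` at the bottom of the script, or point the output directory at a mounted share as in the remote acquisition above.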

If you don't have a kernel profile/overlay for your specific kernel/build, [check out this post](https://www.iblue.team/memory-forensics-1/volatility-plugins/build-custom-linux-profile-for-volatility).
