Mquire: Open-Source Linux Memory Forensics Tool
by Anamarija Pogorelec
This page contains highlights I saved while reading Mquire: Open-Source Linux Memory Forensics Tool by Anamarija Pogorelec. These quotes were collected using Readwise.
Highlights
mquire draws on two data sources embedded in Linux kernels. The first is BPF Type Format (BTF), a compact format that describes kernel data structure layouts. BTF was designed for eBPF’s compile-once, run-everywhere architecture and carries type definitions, field offsets, and type relationships. The second source is Kallsyms, the same symbol address data that appears at /proc/kallsyms on a live system. mquire scans the memory dump to locate Kallsyms data, then combines it with BTF type information to find and parse kernel data structures.
After loading a dump, mquire exposes an interactive SQL interface. The design draws directly from osquery, the system instrumentation tool that lets analysts query operating system state using SQL. Alessandro Gario, the tool’s primary author, wrote: “This is something I’ve wanted to build ever since my first Querycon, where I discussed forensics capabilities with other osquery maintainers. The idea of bringing osquery’s intuitive, SQL-based exploration model to memory forensics has been on my mind for years, and mquire is the realization of that vision.”
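The two highlights above describe the ingredients mquire combines: the Kallsyms symbol table (the same data /proc/kallsyms exposes) and an osquery-style SQL front end. The following is an added example, not mquire's code or anything from Trail of Bits, showing what SQL over symbol data looks like on the /proc/kallsyms text format: it parses a small constructed symbol list (the addresses and names are made up, not from any real kernel build), loads it into an in-memory SQLite table, and answers the two questions an analyst asks most, "where is symbol X" and "which symbol covers address Y". Addresses are stored as zero-padded hex text so that `ORDER BY` and `<=` compare correctly even for kernel addresses above 2**63, which SQLite's signed INTEGER column cannot hold.

```python
import sqlite3

# Constructed sample lines in /proc/kallsyms format: "<address> <type> <name> [module]".
# Every address and name here is illustrative and not taken from a real kernel.
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff810001b0 T secondary_startup_64
ffffffff81001000 T __startup_64
ffffffff81a00000 R linux_banner
ffffffffc0000000 t example_fn\t[example_mod]
ffffffffc0000080 d example_state\t[example_mod]
"""


def addr_key(address):
    """16-digit zero-padded lowercase hex: sorts the same as the numeric address,
    and avoids SQLite's 64-bit signed INTEGER limit for addresses >= 2**63."""
    return f"{address:016x}"


def parse_kallsyms(text):
    """Parse kallsyms text into (address, type, name, module_or_None) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()          # split() also handles the tab before [module]
        if len(parts) < 3:
            continue                  # skip blank or malformed lines
        address = int(parts[0], 16)
        sym_type, name = parts[1], parts[2]
        module = parts[3].strip("[]") if len(parts) > 3 else None
        rows.append((address, sym_type, name, module))
    return rows


def build_symbol_db(rows):
    """Load parsed symbols into an in-memory SQLite table so they can be queried with SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE kallsyms (address TEXT NOT NULL, type TEXT NOT NULL, "
        "name TEXT NOT NULL, module TEXT)"
    )
    conn.execute("CREATE INDEX kallsyms_address ON kallsyms(address)")
    conn.executemany(
        "INSERT INTO kallsyms VALUES (?, ?, ?, ?)",
        [(addr_key(a), t, n, m) for a, t, n, m in rows],
    )
    conn.commit()
    return conn


def load_sample():
    return build_symbol_db(parse_kallsyms(SAMPLE_KALLSYMS))


def symbol_address(conn, name):
    """Address of the first symbol with this name (real kallsyms can repeat names
    for static functions, so callers needing all matches should SELECT without LIMIT)."""
    row = conn.execute(
        "SELECT address FROM kallsyms WHERE name = ? ORDER BY address LIMIT 1", (name,)
    ).fetchone()
    return None if row is None else int(row[0], 16)


def symbolize(conn, address):
    """Return 'name+0xoff [module]' for the nearest symbol at or below address,
    or None when the address lies below every known symbol."""
    row = conn.execute(
        "SELECT name, address, module FROM kallsyms WHERE address <= ? "
        "ORDER BY address DESC, name LIMIT 1",
        (addr_key(address),),
    ).fetchone()
    if row is None:
        return None
    name, base, module = row
    label = f"{name}+0x{address - int(base, 16):x}"
    return f"{label} [{module}]" if module else label


def module_symbols(conn, module):
    """All symbols contributed by one loadable module, in address order."""
    cur = conn.execute(
        "SELECT name FROM kallsyms WHERE module = ? ORDER BY address", (module,)
    )
    return [r[0] for r in cur]


if __name__ == "__main__":
    db = load_sample()
    print(hex(symbol_address(db, "linux_banner")))
    print(symbolize(db, 0xFFFFFFFF810001C0))
    print(module_symbols(db, "example_mod"))
```

On a live system the same parser reads /proc/kallsyms directly, with one caveat: when kptr_restrict hides addresses from unprivileged readers every address field is all zeros, so a table built that way will symbolize everything to offset-from-zero garbage; check that the parsed addresses are non-zero before trusting lookups. Against a memory dump the text table is not available, which is exactly why mquire has to scan for the in-kernel Kallsyms data instead.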
Linux memory forensics has long depended on debug symbols tied to specific kernel versions. These symbols are not installed on production systems by default, and sourcing them from external repositories creates a recurring problem: repositories go stale, kernel builds diverge, and analysts working incident response often find no published symbols for the exact kernel they need to examine.
Trail of Bits published mquire to address this constraint. The open-source tool analyzes Linux memory dumps without requiring any external debug information.