Memory Forensics of OpenSSH

Cal Leeming [Simplicity Media Ltd] cal.leeming at
Mon May 5 06:49:23 EST 2014

Although I cannot speak with any authority on the data structures of SSH, I
can at least point you in the right direction on tools already available.

Looks like someone also wrote a tool already to do SSH key extraction from

Have a look at volatility framework;

Also these;

Hope this helps


On Sun, May 4, 2014 at 9:37 PM, Fengwei Zhang <namedylan at> wrote:

> Hello List,
> One of my projects needs memory forensics of OpenSSH. Here is a brief
> description of the problem:
> I have a raw memory dump, and all of the kernel data structures (e.g.,
> task_struct, mm_struct) have been figured out. Now, I want to retrieve the
> data structures (e.g., struct session_state) of an SSH process instance.
> Finding a session key (active_state->newkeys) could be an example. In
> order to find this information, I think I need a starting point (i.e.,
> memory address) of the OpenSSH data structures.
> Does anyone know how to tackle this problem? Any comments and suggestions
> are much appreciated.
> Thanks,
> Fengwei
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at
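An added example, not code from this thread, from Fengwei's project or from OpenSSH, of two generic first steps toward the starting point the question asks for: a sliding-window entropy scan over a region of the sshd process's memory to surface candidate key material (32 random key bytes score close to the 5 bits/byte ceiling a 32-byte window allows, while ASCII and pointer-heavy data score far lower), followed by a search for pointer-sized words whose value is the candidate's virtual address, which identifies a field of whatever structure holds the key without assuming its layout. It assumes the region has already been carved out of the raw dump (for example by walking task_struct -> mm_struct to the process's VMAs) and that its base virtual address is known; `REGION`, `BASE_VA`, `FAKE_KEY` and the function names are constructed for this example.

```python
"""Added example (not code from the thread or from OpenSSH): a generic first
pass for locating candidate key material in a process memory region, then
finding the structure fields that point at it.  Assumes the region bytes have
already been extracted from the dump (e.g. by walking task_struct -> mm_struct
to the VMAs) and that the region's base virtual address is known."""
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def find_key_candidates(region: bytes, key_len: int = 32, step: int = 8,
                        threshold: float = 4.5) -> list:
    """Slide a key_len window across the region and return offsets whose
    contents look like random key material.

    Heuristic only: a 32-byte window can reach at most 5 bits/byte, random
    keys usually score about 4.7-5.0, ASCII and pointer-heavy data far less.
    High entropy is necessary but not sufficient (ciphertext, hashes and
    compressed data score high too), so hits are candidates for a structure
    walk, not confirmed keys.  step=8 follows allocator alignment; step=1
    also catches unaligned copies at higher cost.
    """
    return [off for off in range(0, len(region) - key_len + 1, step)
            if shannon_entropy(region[off:off + key_len]) >= threshold]


def find_referrers(region: bytes, base_va: int, target_off: int,
                   ptr_size: int = 8) -> list:
    """Return offsets of aligned pointer-sized little-endian words whose value
    equals the virtual address of target_off.  Each hit is a field of some
    structure that references the candidate: a starting point for identifying
    the enclosing struct instead of guessing its address."""
    needle = (base_va + target_off).to_bytes(ptr_size, "little")
    return [off for off in range(0, len(region) - ptr_size + 1, ptr_size)
            if region[off:off + ptr_size] == needle]


# --- Constructed stand-in for a slice of process memory (not a real dump) ---
BASE_VA = 0x00007F3A12340000                       # assumed VMA start address
TEXT = b"banner text nothing secret here\n" * 2    # 64 bytes of low-entropy ASCII
PTR = (0x00007F3A12345678).to_bytes(8, "little")   # an unrelated pointer-like word
FAKE_KEY = bytes((i * 37 + 11) & 0xFF for i in range(32))  # 32 distinct bytes, 5.0 bits/byte
KEY_OFFSET = len(TEXT) + len(PTR) * 3 + 16         # == 104, 8-byte aligned
KEY_PTR = (BASE_VA + KEY_OFFSET).to_bytes(8, "little")     # a struct field pointing at the key
REGION = (TEXT + PTR * 3 + b"\x00" * 16 + FAKE_KEY + b"\x00" * 16
          + KEY_PTR + PTR + TEXT)


def analyse(region: bytes = REGION, base_va: int = BASE_VA) -> dict:
    """Map each candidate key offset to the offsets of words that point at it."""
    return {off: find_referrers(region, base_va, off)
            for off in find_key_candidates(region)}


if __name__ == "__main__":
    for key_off, refs in analyse().items():
        print(f"candidate key at 0x{BASE_VA + key_off:x}, "
              f"referenced from {[hex(BASE_VA + r) for r in refs]}")
```

On the constructed region the scan reports only offset 104 and the referrer search finds the word at offset 152 that points at it. Entropy is a necessary rather than sufficient signal, and a referrer offset only tells you which word points at a candidate; mapping that word to a field of struct session_state or struct newkeys still requires the layout of the exact OpenSSH build in the image, for example from its debug symbols.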
