Linux Memory Analysis

In his master thesis Jorge M. Urrea-Civilian examines data structures of the Linux 2.6 series kernel. He describes how the virtual address space of a process can be reconstructed from a swap file and the physical memory. The thesis might become the foundation of tools to analyze a Linux memory dump.

16/07/2006: "Rossetoecioccolato" commented on that paper in the German section. On page 19 the paper says:

These techniques work in a Windows environment because Windows uses segmentation. However, since Linux does not use segmentation, gathering GDT or LDT data would be of no use to an investigator examining a Linux system.

Rossetoecioccolato states that this is in contrast to the Intel Architecture Overview:

When operating in protected mode, all memory accesses pass through either the global descriptor table (GDT) or the (optional) local descriptor table (LDT). These tables contain entries called segment descriptors.

He also refers to source file arch/i386/kernel/head.S of the Linux kernel.
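As an added example (not code from the thesis, the commenter or this blog), the following decoder parses 32-bit x86 GDT descriptors the way a memory-dump tool would, and applies it to the flat kernel and user segments that Linux 2.6 declares in arch/i386/kernel/head.S. Both statements above turn out to be compatible: every access does pass through the GDT, but the segments have base 0 and a 4 GiB limit, so segmentation adds nothing an investigator would have to undo when reconstructing a process's address space. The GDT image is constructed here (empty entries followed by the four head.S descriptors); the selector values 0x60/0x68/0x73/0x7b are the 2.6 i386 __KERNEL_CS/__KERNEL_DS/__USER_CS/__USER_DS.

```python
"""Decode 32-bit x86 GDT segment descriptors, e.g. read from a memory dump.

Constructed example for this post. The four descriptor constants are the
.quad values of the flat segments in Linux 2.6 arch/i386/kernel/head.S
(cpu_gdt_table); the field layout follows the Intel SDM Vol. 3 description
of segment descriptors.
"""
import struct

# Constructed 128-byte GDT image: 12 empty entries, then the four head.S entries.
HEAD_S_ENTRIES = [0x00cf9a000000ffff, 0x00cf92000000ffff,   # kernel code, kernel data
                  0x00cffa000000ffff, 0x00cff2000000ffff]   # user code, user data
GDT_IMAGE = b"\x00" * (12 * 8) + b"".join(struct.pack("<Q", q) for q in HEAD_S_ENTRIES)

def decode_descriptor(raw: int) -> dict:
    """Split one 64-bit descriptor into base, limit and access fields."""
    low, high = raw & 0xFFFFFFFF, raw >> 32
    limit = (low & 0xFFFF) | (high & 0x000F0000)            # limit bits 15:0 | 19:16
    base = (low >> 16) | ((high & 0xFF) << 16) | (high & 0xFF000000)
    if (high >> 23) & 1:                                    # G set: limit counts 4 KiB pages
        limit = (limit << 12) | 0xFFF
    return {"base": base, "limit": limit,
            "present": (high >> 15) & 1,
            "dpl": (high >> 13) & 3,                        # ring 0 = kernel, 3 = user
            "code": (high >> 11) & 1,                       # type bit 3: code vs. data
            "db32": (high >> 22) & 1}                       # D/B: 32-bit default operands

def descriptor_for_selector(gdt: bytes, selector: int) -> dict:
    """Look up the GDT entry a segment selector (e.g. the value in CS or DS) points to."""
    index = selector >> 3                                   # bits 2:0 are RPL and TI
    raw = struct.unpack_from("<Q", gdt, index * 8)[0]       # descriptors are little-endian
    return decode_descriptor(raw)

def is_flat(desc: dict) -> bool:
    """Flat segment: base 0 and limit 4 GiB, so linear address == segment offset."""
    return desc["present"] == 1 and desc["base"] == 0 and desc["limit"] == 0xFFFFFFFF

def linear_address(gdt: bytes, selector: int, offset: int) -> int:
    """The segmentation step of address translation: base + offset, limit-checked."""
    desc = descriptor_for_selector(gdt, selector)
    if not desc["present"] or offset > desc["limit"]:
        raise ValueError("segment not present or offset beyond limit")
    return (desc["base"] + offset) & 0xFFFFFFFF

if __name__ == "__main__":
    for name, sel in [("__KERNEL_CS", 0x60), ("__KERNEL_DS", 0x68),
                      ("__USER_CS", 0x73), ("__USER_DS", 0x7b)]:
        d = descriptor_for_selector(GDT_IMAGE, sel)
        print(f"{name} {sel:#04x}: base={d['base']:#x} limit={d['limit']:#x} "
              f"dpl={d['dpl']} code={d['code']} flat={is_flat(d)}")
```

Running it shows all four segments as flat with DPL 0 for the kernel pair and DPL 3 for the user pair, which is why a Linux memory-analysis tool can treat segment offsets as linear addresses and go straight to the page tables.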

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.