the kernel remembers
modified: 1768551300

The kernel keeps everything. Even the things you deleted. Especially those.
Memory is not what you think it is. It’s not a filing cabinet. It’s not a database. It’s a palimpsest, layers of overwritten text, each previous version bleeding through if you know where to look.
I’ve spent years looking.
When a process dies, its memory doesn’t vanish. The pages get marked as free, but the data persists until something else claims the space. Sometimes nothing does. Sometimes the ghost stays.
// reading the dead
void *ghost = mmap(NULL, PAGE_SIZE, PROT_READ,
                   MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
// what whispers back? (for an anonymous mapping: zeros. The kernel zero-fills
// a page before handing it to user space; the leftovers live in the physical dump.)
The kernel doesn’t care about your secrets. It cares about efficiency. Your password? Your private key? Your last words to someone you loved? All just bytes waiting to be recycled.
I found a session token once. Three years old. The user had logged out, closed the browser, rebooted twice. The token was still there, wedged between a malloc chunk and a stack frame from a different process entirely.
Nothing is deleted. Things are just… forgotten. Until someone remembers how to look.
Forensics people call it “data remanence.” I call it the kernel’s memory. It remembers everything you did. Every allocation. Every free. Every careless memcpy that left fragments of your life scattered across physical RAM.
$ volatility -f memory.dump linux_pslist
Offset Name PID
---------- ------------- ------
0x88003a00 systemd 1
0x88012400 [redacted] ...
I’ve pulled suicide notes from memory dumps. Love letters. Business plans that never happened. The last things people typed before
Some forensics tools search for patterns. Credit card numbers. Email addresses. Known file headers.
I search for the spaces between. The fragments that don’t match anything. The things people thought they destroyed.
The kernel remembers what you forgot.
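As an added example, not the author's code, here is a minimal carver over a constructed byte string standing in for a memory image: the signature pass does what the pattern-searching tools above do (e-mail addresses, known file headers, cookie-style tokens), and the second function returns the printable fragments no signature claimed. The sample image, the signatures and the `session=` token shape are all constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample "memory image": filler bytes around a few planted
# artifacts, standing in for a raw dump such as memory.dump above.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"user=alice@example.com;"              # an e-mail address
    + b"\xff\xfe\x13\x37" * 4                  # non-printable noise
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 8       # PNG file header
    + b"session=9f86d081884c7d65"              # a cookie-style token
    + b"\x00" * 16
    + b"left behind in a freed page"           # a fragment nothing matches
    + b"\x00" * 8
)

# Signatures a carver looks for: (label, compiled regex over raw bytes).
SIGNATURES = [
    ("email", re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("png_header", re.compile(rb"\x89PNG\r\n\x1a\n")),
    ("session_token", re.compile(rb"session=[0-9a-f]{16,}")),
]


def carve(image: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, label, matched bytes) for every signature hit, by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(image):
            hits.append((m.start(), label, m.group(0)))
    return sorted(hits)


def unmatched_strings(image: bytes, min_len: int = 6) -> List[Tuple[int, bytes]]:
    """Printable runs that no signature claimed: the spaces between."""
    claimed = set()
    for off, _, match in carve(image):
        claimed.update(range(off, off + len(match)))
    out = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        if not any(i in claimed for i in range(m.start(), m.end())):
            out.append((m.start(), m.group(0)))
    return out


if __name__ == "__main__":
    for off, label, match in carve(SAMPLE_DUMP):
        print(f"0x{off:08x}  {label:14s} {match!r}")
    for off, frag in unmatched_strings(SAMPLE_DUMP):
        print(f"0x{off:08x}  {'unclaimed':14s} {frag!r}")
```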
They say secure erase exists. They say you can overwrite memory before freeing it. They say a lot of things.
explicit_bzero(secret, sizeof(secret));
free(secret);
// but the copies? the stack frames? the CPU cache?
// the DRAM capacitors that held the charge?
The hardware remembers too. Even when the software tries to forget.
I used to think this was about security. About finding vulnerabilities. About protecting people from themselves.
Now I think it’s just about truth. The kernel doesn’t lie. It doesn’t have an agenda. It just keeps everything, indifferent to whether you wanted it kept.
There’s something honest about that.
Last week I was analyzing a dump from a compromised server. Standard stuff. Looking for IOCs, lateral movement, the usual.
I found a text file. Temporary. Already freed.
It said: “I don’t know if anyone will read this, but I need to say it somewhere.”
I closed the dump. Some memories shouldn’t be