Wednesday, December 18, 2013

Analyzing Linux Memory Dumps with Volatility

In my previous post, I described how to collect a memory dump from a Linux system. In this post, I will describe how to use the Volatility framework to analyze that memory dump. To do so requires that we first create a profile for the system from which the memory dump was taken.


Once we have created our Linux memory dump, using a tool such as fmem or LiME, we can start to analyze that memory dump using a tool like the Volatility framework. On their website, Volatility describes some of the steps that are necessary in order to do analysis of Linux memory dumps.

Per Volatility's website, "A Linux Profile is essentially a zip file with information on the kernel's data structures and debug symbols. This is what Volatility uses to locate critical information and how to parse it once found. In the near future, Volatility will include profiles for the most common Linux kernels. Until then, you'll need to create your own profile." Thus, the first thing that must be done is to create a profile of the system from which the memory dump was taken. This will require that some commands, and possibly some tools, be run on the system under examination, so be sure to document your actions because you will likely forensically alter the system.

The following steps need to be conducted on the system being examined:

  1. Install dwarfdump. For Ubuntu-based systems, this can be done by typing apt-get install dwarfdump.
  2. Copy the tools/linux subfolder from within the Volatility tarball to the system being examined.
  3. Build the module.dwarf file by typing make within the tools/linux folder that you copied in step 2. This should create a file named module.dwarf in the same folder.
  4. Copy the System.map file for the system under investigation into the same folder where the module.dwarf file is located.
  5. Create a zip file containing the module.dwarf file and the System.map file: zip LinuxMint13.zip module.dwarf System.map
  6. Copy this zip file off to your examination workstation, along with the memory dump. This zip file is the profile for your system that contains the information about the kernel data structures and symbols. Volatility will use it to parse out and interpret the memory dump that you previously created.
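Before carrying the zip to the workstation it is worth checking that it actually contains what steps 3 to 5 should have produced. The checker below is an added example and not part of the original post or of Volatility itself; it assumes that Volatility 2.x names a profile "Linux" plus the zip's stem plus the architecture (so a zip called Mint13x64.zip becomes LinuxMint13x64x64, matching the --info listing later in this post), and the in-memory sample profile it builds is constructed for the demo, not real dwarfdump output.

```python
import io
import re
import zipfile

# One System.map line: "<hex address> <type letter> <symbol>" (nm-style output).
SYMBOL_RE = re.compile(r"^([0-9a-fA-F]+)\s+[A-Za-z?]\s+(\S+)$")
# Symbols the Linux plugins resolve from System.map (linux_pslist walks from init_task).
REQUIRED_SYMBOLS = ("init_task",)

def inspect_profile(zip_bytes, zip_name):
    """Validate a profile zip and return its inferred arch, the name Volatility
    would register (assumed: "Linux" + zip stem + arch) and a list of problems."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = {n.rsplit("/", 1)[-1]: n for n in zf.namelist() if not n.endswith("/")}
        dwarf = zf.read(members["module.dwarf"]) if "module.dwarf" in members else b""
        sysmap = zf.read(members["System.map"]) if "System.map" in members else b""
    if not dwarf:
        problems.append("module.dwarf missing or empty: check that make succeeded in tools/linux")
    elif b"DW_TAG_structure_type" not in dwarf:
        problems.append("module.dwarf has no struct DIEs: not dwarfdump output?")
    if not sysmap:
        problems.append("System.map missing or empty")
    widths, symbols = set(), set()
    for line in sysmap.decode("ascii", "replace").splitlines():
        m = SYMBOL_RE.match(line.strip())
        if m:
            widths.add(len(m.group(1)))   # 16 hex digits on x64, 8 on x86
            symbols.add(m.group(2))
    arch = {frozenset({16}): "x64", frozenset({8}): "x86"}.get(frozenset(widths))
    if sysmap and arch is None:
        problems.append("System.map addresses are not uniformly 8 or 16 hex digits")
    for sym in REQUIRED_SYMBOLS:
        if sysmap and sym not in symbols:
            problems.append(f"System.map lacks {sym}: map from a different kernel?")
    stem = zip_name.rsplit("/", 1)[-1]
    stem = stem[:-4] if stem.lower().endswith(".zip") else stem
    return {"arch": arch, "profile_name": f"Linux{stem}{arch or ''}", "problems": problems}

def build_sample_profile(with_sysmap=True):
    """Constructed in-memory profile zip standing in for a real module.dwarf/System.map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "<1><0x2d> DW_TAG_structure_type\n  DW_AT_name task_struct\n")
        if with_sysmap:
            zf.writestr("System.map", "ffffffff81c00000 D init_task\nffffffff81000000 T _text\n")
    return buf.getvalue()
```

Run it against the real zip with `inspect_profile(open("Mint13x64.zip", "rb").read(), "Mint13x64.zip")` and record the result with the zip's hash in your notes, since the profile is part of the evidence chain.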
Once the above steps have been completed, we can begin to use the newly-created profile with Volatility to parse out our memory image. To do so, we must specify the profile on the command line. To test this out, we will first issue the --info command to Volatility:

python vol.py --plugins=tools/linux --info
Volatility Foundation Volatility Framework 2.3.1

Profiles
--------
LinuxMint13x64x64 - A Profile for Linux Mint13x64 x64
VistaSP0x64       - A Profile for Windows Vista SP0 x64
VistaSP0x86       - A Profile for Windows Vista SP0 x86

[output truncated]
We should see that the profile that we just created is now in the list of profiles that Volatility can use, as shown in the output above. Note that the path after the --plugins command-line option will be wherever you have saved your .zip file for the profile that you created above. We can now use this profile to parse out our memory dump:

python vol.py --plugins=tools/linux --profile=LinuxMint13x64x64 linux_pslist -f ~/tmp/mem.lime
Volatility Foundation Volatility Framework 2.3.1
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
0xffff880230808000 init                 1               0               0      0x000000022cf3d000 2013-12-18 14:08:32 UTC+0000
0xffff8802308096f0 kthreadd             2               0               0      ------------------ 2013-12-18 14:08:32 UTC+0000
0xffff88023080ade0 ksoftirqd/0          3               0               0      ------------------ 2013-12-18 14:08:32 UTC+0000
0xffff880230830000 migration/0          6               0               0      ------------------ 2013-12-18 14:08:32 UTC+0000

[output truncated]

And there you have it - you can now use all of Volatility's modules to extract information of interest from the memory image you took from your Linux system.

2 comments:

  1. When we copy the .zip file to the examining computer, which folder do we put it in? I am getting an exception that says "Object LinuxLimeMEx64 has already been defined", and I believe this is the issue, since I followed your instructions exactly.

  2. Thanks for the useful information. Very informative. If you want to learn Linux course in online, please visit below site.
    Linux Online Training
    linux online course
