Studying memory with the Volatility memory dump analyzer
Debugging Profiles and Dwarf Standards
A profile for debugging comprises two files: system.map<kernel version>
and modules.dwarf
. Although the former usually exists in the /boot
directory, you need to create the latter yourself. To do so, use the dwarfdump
program from the usual popular repositories.
For more information about the Dwarf debugging file format or the Dwarf debugging standard (Dwarfstd) and specifications, check out the Dwarf website [11].
The volatility/tools/linux
directory contains all the files you need to create a modules.dwarf
. A call to make in this directory generates the file; you now need to compress this with zip along with the system map for the current system:
zip Ubuntu1304_3_8_0_26.zip modules.dwarf/boot/System.map-3.8.0-26-generic
The name of the ZIP file does not matter here, but an intuitive name will help later when you need to select the profile. For Volatility to recognize the ZIP file in the profile selection, you need to copy it to volatility/plugins/overlays/linux
. Then ./vol.py --info | grep Linux
should immediately show you the desired, newly created profile.
Dumps
The infected memory dump used here is from the Honeynet 2001 Project [12]. The image itself is also available as a download and goes by the name victoria-v8.memdump.img.zip
. The probability of such an image working easily on a lab machine with Volatility's kernel modules is very low when you consider the described requirements. For this reason, the following example analyzes the image to obtain more information about the kernel it uses (Listing 3) and discovers the fairly ancient Debian kernel 2.6.26-2.
Listing 3
Two Strings in Use
The next task is to install a virtual Debian with kernel 2.6.26-2-686 to create a profile file with the steps described above.
Testing
To determine whether everything is working properly, you can run a simple command that provides information on the installed CPU of the compromised system
vol.py -f victoria-v8.memdump.img --profile LinuxDebian5_26x86 linux_cpuinfo
(Listing 4). Given that this information comes from the memory dump of a system for which we have neither the hardware nor the hard drive, this is quite a remarkable result. The -f
parameter passes the name of the memory dump into Volatility, --profile LinuxDebian5_26x86
sets the appropriate profile file, and linux_cpuinfo
is the actual command.
Listing 4
vol.py --profile
To simplify the somewhat lengthy command line for future work, Volatility lets you export variables:
export VOLATILITY_PROFILE=LinuxDebian5_26x86 export VOLATILITY_LOCATION=file:///tmp/victoria-v8.memdump.img
This keeps the command line clear-cut and short: ./vol.py linux_cpuinfo
. All Linux-specific commands begin with linux_
; grep
commands provide further insights via pipes (Figure 1). Listing 5 provides a selection of the most interesting commands, from mounts and network commands to open ports and the Bash history.
Listing 5
vol.py Commands
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.