Studying memory with the Volatility memory dump analyzer
Debugging Profiles and Dwarf Standards
A profile for debugging comprises two files: system.map<kernel version>
and modules.dwarf
. Although the former usually exists in the /boot
directory, you need to create the latter yourself. To do so, use the dwarfdump
program from the usual popular repositories.
For more information about the Dwarf debugging file format or the Dwarf debugging standard (Dwarfstd) and specifications, check out the Dwarf website [11].
The volatility/tools/linux
directory contains all the files you need to create a modules.dwarf
. A call to make in this directory generates the file; you now need to compress this with zip along with the system map for the current system:
zip Ubuntu1304_3_8_0_26.zip modules.dwarf/boot/System.map-3.8.0-26-generic
The name of the ZIP file does not matter here, but an intuitive name will help later when you need to select the profile. For Volatility to recognize the ZIP file in the profile selection, you need to copy it to volatility/plugins/overlays/linux
. Then ./vol.py --info | grep Linux
should immediately show you the desired, newly created profile.
Dumps
The infected memory dump used here is from the Honeynet 2001 Project [12]. The image itself is also available as a download and goes by the name victoria-v8.memdump.img.zip
. The probability of such an image working easily on a lab machine with Volatility's kernel modules is very low when you consider the described requirements. For this reason, the following example analyzes the image to obtain more information about the kernel it uses (Listing 3) and discovers the fairly ancient Debian kernel 2.6.26-2.
Listing 3
Two Strings in Use
The next task is to install a virtual Debian with kernel 2.6.26-2-686 to create a profile file with the steps described above.
Testing
To determine whether everything is working properly, you can run a simple command that provides information on the installed CPU of the compromised system
vol.py -f victoria-v8.memdump.img --profile LinuxDebian5_26x86 linux_cpuinfo
(Listing 4). Given that this information comes from the memory dump of a system for which we have neither the hardware nor the hard drive, this is quite a remarkable result. The -f
parameter passes the name of the memory dump into Volatility, --profile LinuxDebian5_26x86
sets the appropriate profile file, and linux_cpuinfo
is the actual command.
Listing 4
vol.py --profile
To simplify the somewhat lengthy command line for future work, Volatility lets you export variables:
export VOLATILITY_PROFILE=LinuxDebian5_26x86 export VOLATILITY_LOCATION=file:///tmp/victoria-v8.memdump.img
This keeps the command line clear-cut and short: ./vol.py linux_cpuinfo
. All Linux-specific commands begin with linux_
; grep
commands provide further insights via pipes (Figure 1). Listing 5 provides a selection of the most interesting commands, from mounts and network commands to open ports and the Bash history.
Listing 5
vol.py Commands
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Endless OS 6 has Arrived
After more than a year since the last update, the latest release of Endless OS is now available for general usage.
-
Fedora Asahi 40 Remix Available for Macs with Apple Silicon
If you've been anticipating KDE's Plasma 6 for your Apple Silicon-powered Mac, then you're in luck.
-
Red Hat Adds New Deployment Option for Enterprise Linux Platforms
Red Hat has re-imagined enterprise Linux for an AI future with Image Mode.
-
OSJH and LPI Release 2024 Open Source Pros Job Survey Results
See what open source professionals look for in a new role.
-
Proton 9.0-1 Released to Improve Gaming with Steam
The latest release of Proton 9 adds several improvements and fixes an issue that has been problematic for Linux users.
-
So Long Neofetch and Thanks for the Info
Today is a day that every Linux user who enjoys bragging about their system(s) will mourn, as Neofetch has come to an end.
-
Ubuntu 24.04 Comes with a “Flaw"
If you're thinking you might want to upgrade from your current Ubuntu release to the latest, there's something you might want to consider before doing so.
-
Canonical Releases Ubuntu 24.04
After a brief pause because of the XZ vulnerability, Ubuntu 24.04 is now available for install.
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.