Studying memory with the Volatility memory dump analyzer

Debugging Profiles and Dwarf Standards

A profile for debugging comprises two files: system.map<kernel version> and modules.dwarf. Although the former usually exists in the /boot directory, you need to create the latter yourself. To do so, use the dwarfdump program from the usual popular repositories.

For more information about the Dwarf debugging file format or the Dwarf debugging standard (Dwarfstd) and specifications, check out the Dwarf website  [11].

The volatility/tools/linux directory contains all the files you need to create a modules.dwarf. A call to make in this directory generates the file; you now need to compress this with zip along with the system map for the current system:

zip Ubuntu1304_3_8_0_26.zip modules.dwarf/boot/System.map-3.8.0-26-generic

The name of the ZIP file does not matter here, but an intuitive name will help later when you need to select the profile. For Volatility to recognize the ZIP file in the profile selection, you need to copy it to volatility/plugins/overlays/linux. Then ./vol.py --info | grep Linux should immediately show you the desired, newly created profile.

Dumps

The infected memory dump used here is from the Honeynet 2001 Project [12]. The image itself is also available as a download and goes by the name victoria-v8.memdump.img.zip. The probability of such an image working easily on a lab machine with Volatility's kernel modules is very low when you consider the described requirements. For this reason, the following example analyzes the image to obtain more information about the kernel it uses (Listing 3) and discovers the fairly ancient Debian kernel 2.6.26-2.

Listing 3

Two Strings in Use

 

The next task is to install a virtual Debian with kernel 2.6.26-2-686 to create a profile file with the steps described above.

Testing

To determine whether everything is working properly, you can run a simple command that provides information on the installed CPU of the compromised system

vol.py -f victoria-v8.memdump.img --profile LinuxDebian5_26x86 linux_cpuinfo

(Listing 4). Given that this information comes from the memory dump of a system for which we have neither the hardware nor the hard drive, this is quite a remarkable result. The -f parameter passes the name of the memory dump into Volatility, --profile LinuxDebian5_26x86 sets the appropriate profile file, and linux_cpuinfo is the actual command.

Listing 4

vol.py --profile

 

To simplify the somewhat lengthy command line for future work, Volatility lets you export variables:

export VOLATILITY_PROFILE=LinuxDebian5_26x86
export VOLATILITY_LOCATION=file:///tmp/victoria-v8.memdump.img

This keeps the command line clear-cut and short: ./vol.py linux_cpuinfo. All Linux-specific commands begin with linux_; grep commands provide further insights via pipes (Figure 1). Listing 5 provides a selection of the most interesting commands, from mounts and network commands to open ports and the Bash history.

Listing 5

vol.py Commands

 

Figure 1: A grep for "Linux" shows profiles; a grep for "linux" lists the Volatility commands.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Memory Analysis

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News