Generated with deepai.org Linux Profile for Volatility3 On the last article, I talked on how to create a profile for volatility2, click here to check. Now we are doing the same task, but this time, let's update the process to our new memory analysis framework: volatility3 [1]. Running similar steps, we assume that no information was disclosed about the host where acquisition was captured from. Using the banners plugin in volatility3, check the kernel information: $ ./vol.py -f /Cases/memory.raw banners Volatility 3 Framework 2.4.0 Progress: 100.00 PDB scanning finished Offset Banner 0x7d600200 Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21) With that information, we can jump to a docker environment and download the necessary packages, compile, and zip our image prof...
Generated with deepai.org Case Brief Imagine the following scenario, you have been given a linux memory dump file and need to proceed with a forensic analysis with your favorite "old" memory forensics framework: volatility2 [1] . No additional information was given what linux distro or version the dump was acquired from, and of course, you need to create your own linux profile for an image because volatility profile list does not include the version of the unknown linux system. Kernel Version We'll use grep with the combination with few tweaks to identify the necessary information. Open terminal and type: $ grep -aib "linux version" memory.raw ... 2125328745:��3-�usbc189:132Ѡ�3 �usbc189:132��3%�usbc189:132���Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)���Command line: BOOT_IMAGE=/boot/vmlinuz-5.10.0-19-amd64 root=...