Creating Linux Profiles for Volatility2

Case Brief

Imagine the following scenario: you have been given a Linux memory dump file and need to perform a forensic analysis with your favorite "old" memory forensics framework, volatility2 [1]. No information was given about which Linux distro or version the dump was acquired from, and of course the volatility profile list does not include the version of this unknown Linux system, so you need to build your own Linux profile for the image.

Kernel Version

We'll use grep with a few tweaks to find the necessary information. Open a terminal and type:

$ grep -aib "linux version" memory.raw
...
2125328745:��3-�usbc189:132Ѡ�3�usbc189:132��3%�usbc189:132���Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)���Command line: BOOT_IMAGE=/boot/vmlinuz-5.10.0-19-amd64 root=UUID=0d9f00ae-0f69-4e1f-b24c-8f2fba484df5 ro quiet���x86/fpu:
...

Explaining the flags:
  • -a: Process a binary file as if it were text;
  • -i: Ignore case (case insensitive);
  • -b: Print the byte offset, in case you need it.
We now have a strong clue about which kernel version this memory acquisition was taken from, so let's dig into it. Look for the following string in your output:

Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)

From my output, I was able to identify that this memory file was acquired from a Debian 10.2.1-6 system running Linux kernel version 5.10.0-19-amd64. This is the information needed to proceed with the next steps.

Docker and Deb Files

For this scenario I'll be using Docker to run a single Ubuntu instance in which to build the profile for our Debian system. That's because I don't want to install packages and dependencies on my host OS and end up breaking anything.
  • Note: This post will not guide you through installing Docker.

We will need a few tools to accomplish this task: wget or curl (your choice) to download the deb files from the Debian repository [3], plus git and a build toolchain. Once the apt update process is completed, you can download and install these packages accordingly:

Pull ubuntu docker image:

$ docker pull ubuntu

Run your ubuntu instance:

$ docker run -it --rm -v $PWD:/home/vol ubuntu /bin/bash

Once inside the Ubuntu container, update the package index before installing wget or curl and git:

root@cdcf51ec8eb0:/# apt update

To compile the kernel symbols correctly, the following packages need to be installed:

root@cdcf51ec8eb0:/# apt install -y wget git build-essential zip make dwarfdump gcc-10

Clone volatility2 framework from github:

root@cdcf51ec8eb0:/# git clone https://github.com/volatilityfoundation/volatility
root@cdcf51ec8eb0:/# cd /volatility/tools/linux

Replace the kernel version directive in the Makefile with the version acquired earlier from the memory image. We'll use sed for that task:

root@cdcf51ec8eb0:/volatility/tools/linux/# sed -i 's/$(shell uname -r)/5.10.0-19-amd64/g' Makefile
  • From: KVER ?= $(shell uname -r)
  • To: KVER ?= 5.10.0-19-amd64
Download the deb files for the kernel image you're building the profile for. Let's download them to the /tmp folder:

root@cdcf51ec8eb0:/# cd /tmp
root@cdcf51ec8eb0:/tmp# wget \
    http://ftp.debian.org/debian/pool/main/l/linux/linux-headers-5.10.0-19-amd64_5.10.149-2_amd64.deb \
    http://ftp.debian.org/debian/pool/main/l/linux/linux-image-5.10.0-19-amd64-dbg_5.10.149-2_amd64.deb \
    http://ftp.debian.org/debian/pool/main/l/linux/linux-headers-5.10.0-19-common_5.10.149-2_all.deb \
    http://ftp.debian.org/debian/pool/main/l/linux/linux-kbuild-5.10_5.10.140-1_amd64.deb

Install the packages manually:

root@cdcf51ec8eb0:/tmp# dpkg --force-all -i linux*deb

If error messages show up, just ignore them. Switch back to the volatility folder and run make:

root@cdcf51ec8eb0:/tmp# cd /volatility/tools/linux
root@cdcf51ec8eb0:/volatility/tools/linux# make

If everything proceeds without errors, you should have a module.dwarf for your new image profile.

Compress module.dwarf and the kernel's System.map into a new profile zip, then move the zip to the directory mounted in the docker run command (/home/vol):

root@cdcf51ec8eb0:/volatility/tools/linux# zip -rj Debian-10.2_kernel-5.10.0-19-amd64.zip module.dwarf /usr/lib/debug/boot/System.map-5.10.0-19-amd64
  adding: module.dwarf (deflated 91%)
  adding: System.map-5.10.0-19-amd64 (deflated 80%)
root@cdcf51ec8eb0:/volatility/tools/linux# mv Debian-10.2_kernel-5.10.0-19-amd64.zip /home/vol/

Exit Docker and move your new profile into your local instance's volatility/plugins/overlays/linux directory. In my case, volatility is installed in /opt:

$ sudo cp Debian-10.2_kernel-5.10.0-19-amd64.zip /opt/volatility/volatility/plugins/overlays/linux/
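The banner grep at the start of this post and the deb download above both depend on values read out of the "Linux version" string. As an added example (not code from the original post), the following POSIX shell functions pull the first banner out of a raw image and derive the kernel release (the KVER for the Makefile), the Debian package version, the architecture and the headers/debug .deb file names; the kbuild package version is not present in the banner, so it is not derived. The sample image written by make_sample_image is constructed here for testing.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the values the profile
# build needs from the "Linux version" banner found in a raw memory image.

# First "Linux version ..." banner in the image. Non-printable bytes end the
# match, which separates the banner from the surrounding binary data.
banner_from_image() {
    LC_ALL=C grep -a -o -m 1 'Linux version [[:print:]]*' "$1" | head -n 1
}

# Kernel release string (KVER for the Makefile), e.g. 5.10.0-19-amd64
kernel_release() {
    printf '%s\n' "$1" | sed -n 's/^Linux version \([^ ]*\) .*/\1/p'
}

# Debian package version from the "#1 SMP Debian 5.10.149-2 (...)" trailer
package_version() {
    printf '%s\n' "$1" | sed -n 's/.*#[0-9]* SMP Debian \([^ ]*\) (.*/\1/p'
}

# Architecture suffix of the release string, e.g. amd64
kernel_arch() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# File names of the headers and debug-symbol packages on the Debian mirror,
# one per line, built from the banner alone.
deb_names() {
    kver=$(kernel_release "$1")
    pver=$(package_version "$1")
    arch=$(kernel_arch "$kver")
    common=${kver%-$arch}                 # e.g. 5.10.0-19
    printf '%s\n' \
        "linux-headers-${kver}_${pver}_${arch}.deb" \
        "linux-image-${kver}-dbg_${pver}_${arch}.deb" \
        "linux-headers-${common}-common_${pver}_all.deb"
}

# Constructed sample image: binary noise around a Debian kernel banner.
make_sample_image() {
    printf 'usbc189:132\001\002Linux version 5.10.0-19-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.149-2 (2022-10-21)\001\377Command line: BOOT_IMAGE=/boot/vmlinuz\n' > "$1"
}
```

Run it against a real image with `banner_from_image memory.raw` and feed the result to the other functions; the printed file names can be appended to the mirror URL used above.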

Test New Profile

Check that the new profile is listed when executing volatility2 with the --info option. Don't forget to grep:

$ cd /opt/volatility
$ python2 vol.py --info | grep -i debian
Volatility Foundation Volatility Framework 2.6.1
LinuxDebian-10_2_kernel-5_10_0-19-amd64x64 - A Profile for Linux Debian-10.2_kernel-5.10.0-19-amd64 x64

As a final test, let's list the running processes with the linux_pslist plugin:

$ python2 vol.py -f /mnt/x/Cases/LINUX/snap3/memory.raw --profile=LinuxDebian-10_2_kernel-5_10_0-19-amd64x64 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug    : Overlay structure cpuinfo_x86 not present in vtypes
Offset             Name                 Pid             PPid            Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff9956c121bc00 systemd              1               0               0               0      0x0000000002d2c000 2022-10-26 22:55:52 UTC+0000
0xffff9956c121da00 kthreadd             2               0               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c1218000 rcu_gp               3               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c1219e00 rcu_par_gp           4               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c1249e00 kworker/0:0          5               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c124bc00 kworker/0:0H         6               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c124da00 kworker/u256:0       7               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
0xffff9956c1248000 mm_percpu_wq         8               2               0               0      ------------------ 2022-10-26 22:55:52 UTC+0000
...
0xffff9956c31a3c00 systemd              732             1               0               0      0x00000000054fa000 2022-10-26 22:57:22 UTC+0000
0xffff9956c4e49e00 (sd-pam)             733             732             0               0      0x000000000494a000 2022-10-26 22:57:22 UTC+0000
0xffff9956f618bc00 bash                 738             589             0               0      0x0000000004efa000 2022-10-26 22:57:22 UTC+0000
0xffff9956f5ae9e00 avml                 777             738             0               0      0x0000000004f16000 2022-10-26 23:00:52 UTC+0000

Voilà!

Question

Can you spot the program used to dump the memory? I'll bring this to a next blog post.

References

  • [1] https://github.com/volatilityfoundation/volatility
  • [2] https://beguier.eu/nicolas/articles/security-tips-3-volatility-linux-profiles.html
  • [3] http://ftp.debian.org/debian/pool/main/l/linux/
  • [4] https://github.com/volatilityfoundation/volatility/wiki/Linux
