Volatility is a tool supported by the Volatility Foundation and aims to assist forensic investigators when analyzing a computer memory dump. This article covers both Volatility 2 & 3.

This post-it is about generating a new Linux profile for a memory dump. By default, Volatility only integrates Windows profiles — none for Linux or Mac. A Linux Volatility profile or symbol table is unique for each version of the Linux kernel.

Identify the kernel version

Run the banner plugin of Volatility 3 on your memory dump to display the Linux kernel version:

$ volatility3 -f dump.raw banner

In my example, it's a 4.4.0-72-lowlatency kernel on Ubuntu 16.04.4. Before creating your own profile, you may find your match in the Volatility 2 profiles repository or the Volatility 3 PyPI project.

Generating a profile for Volatility 2

A Linux Volatility 2 profile can be generated from valid Linux headers and a System map. Using Docker is a good way to get the files into a suitable environment without starting a full virtual machine.

Clone Volatility 2 to use their Linux tools and patch the Makefile to target your kernel version:

$ git clone https://github.com/volatilityfoundation/volatility
$ cd volatility/tools/linux/
$ sed -i 's/$(shell uname -r)/4.4.0-72-lowlatency/g' Makefile

Run a Docker container matching the target OS (Ubuntu 16.04) and install the necessary packages:

$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash
# apt update && apt install -y linux-image-4.4.0-72-lowlatency linux-headers-4.4.0-72-lowlatency build-essential dwarfdump make zip
# cd /volatility/

Create the dwarf file with the Volatility tool, then zip it with the System map:

# make
# zip Ubuntu1604.zip module.dwarf /boot/System.map-4.4.0-72-lowlatency
# exit

Copy the profile to the Volatility overlays directory and verify it loaded:

$ cp Ubuntu1604.zip <volatility>/plugins/overlays/linux/
$ volatility --info | grep Profile

Generating a profile for Volatility 3

There are no profiles in Volatility 3 — you need to generate a symbol table using dwarf2json, which converts ELF debug symbols to JSON. Build it first:

$ git clone https://github.com/volatilityfoundation/dwarf2json
$ cd dwarf2json/
$ go mod download github.com/spf13/pflag
$ go build

Download the debug symbols for your target kernel. In my case they were available on official Ubuntu mirrors:

$ wget http://launchpadlibrarian.net/313821743/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb

Run a Docker container and install the debug symbols, then generate the symbol table:

$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash
# dpkg -i /volatility/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb
# /volatility/dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-72-lowlatency > /volatility/linux-image-4.4.0-72-lowlatency-amd64.json
# exit

Find the Volatility 3 symbols directory (visible with -vvv):

$ volatility3 -vvv -f dump.raw banner
Volatility 3 Framework 1.0.1
INFO     root            : Volatility plugins path: ['<volatility3>/framework/plugins']
INFO     root            : Volatility symbols path: ['<volatility3>/symbols']

Copy the symbol table and verify it works:

$ cp linux-image-4.4.0-72-lowlatency-amd64.json <volatility3>/symbols/
$ volatility3 -f dump.raw linux.pstree.PsTree
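Volatility 3 picks a symbol table by comparing the kernel banner embedded in the JSON (the constant data of the linux_banner symbol) with the banner found in the dump, so a quick offline check before copying the file saves a silent mismatch. The script below is an added example, not part of this post or of the Volatility project; the embedded symbol table is a constructed, minimal imitation of the dwarf2json layout, and the dwarf2json output format is assumed from the files it produces.

```python
"""Check that a dwarf2json symbol table carries the kernel banner the
Volatility 3 banner plugin reported for the dump."""
import base64
import json

# Constructed banner and symbol table (not real dwarf2json output): only the
# parts needed for the banner check are present.
SAMPLE_BANNER = ("Linux version 4.4.0-72-lowlatency (buildd@example) "
                 "(gcc version 5.4.0) #93-Ubuntu SMP PREEMPT")
SAMPLE_SYMBOL_TABLE = json.dumps({
    "base_types": {"char": {"size": 1, "signed": True, "kind": "char", "endian": "little"}},
    "user_types": {},
    "enums": {},
    "symbols": {
        "linux_banner": {
            "type": {"kind": "array", "count": 256, "subtype": {"kind": "base", "name": "char"}},
            "address": 0xFFFFFFFF81E00000,  # constructed address
            # dwarf2json stores the banner bytes base64-encoded; a real banner is NUL-terminated.
            "constant_data": base64.b64encode((SAMPLE_BANNER + "\n\x00").encode()).decode(),
        }
    },
})

REQUIRED_SECTIONS = ("base_types", "user_types", "enums", "symbols")


def load_symbol_table(text: str) -> dict:
    """Parse the JSON and verify the sections an ISF symbol table must contain."""
    table = json.loads(text)
    missing = [s for s in REQUIRED_SECTIONS if s not in table]
    if missing:
        raise ValueError(f"symbol table is missing sections: {missing}")
    return table


def extract_banner(table: dict) -> str:
    """Decode the banner stored with the linux_banner symbol, up to the NUL terminator."""
    sym = table["symbols"].get("linux_banner")
    if sym is None or "constant_data" not in sym:
        raise ValueError("linux_banner symbol with constant_data not found; "
                         "Volatility 3 cannot match this table to a dump")
    raw = base64.b64decode(sym["constant_data"])
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").strip()


def matches_dump(table: dict, banner_plugin_output: str) -> bool:
    """True when the table's banner equals the one printed by `volatility3 banner`."""
    return extract_banner(table) == banner_plugin_output.strip()


if __name__ == "__main__":
    print(extract_banner(load_symbol_table(SAMPLE_SYMBOL_TABLE)))
```

On a real table, pass the file contents to load_symbol_table and the line printed by the banner plugin to matches_dump; a False result means the JSON was built from a different kernel build than the one in the dump.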

If you enjoyed this article, feel free to share it or reach out on LinkedIn.