Security Post-it #3 – Volatility Linux Profiles
In this short security post-it, I explain how to generate Linux profiles for Volatility 2 and 3, using an ephemeral docker container.
Mar 15, 2021 by Nicolas Béguier
How to generate Linux profiles for Volatility 2 and 3, using an ephemeral docker container
Volatility is a tool supported by the Volatility Foundation and aims to assist the forensic investigator when
analyzing a computer memory dump.
In this article, I'll be focusing on both Volatility 2 & 3.
This security post-it is about generating a new Linux profile for a memory dump. By default, Volatility only integrates Windows profiles, but none for Linux and Mac. A Linux Volatility profile or symbol table is unique for each version of the Linux kernel.
In this article, I'll be focusing on both Volatility 2 & 3.
This security post-it is about generating a new Linux profile for a memory dump. By default, Volatility only integrates Windows profiles, but none for Linux and Mac. A Linux Volatility profile or symbol table is unique for each version of the Linux kernel.
Identify the kernel version
Run the banner plugin of Volatility 3 on your memory dump to display the Linux kernel version:
$ volatility3 -f dump.raw banner
On my example, it's a 4.4.0-72-lowlatency kernel, on an Ubuntu 16.04.4.
Before creating your own profile or symbol table, you may be lucky and find your match in the Volatility 2 profiles repository or the Volatility 3 Pypi project.
$ volatility3 -f dump.raw banner
On my example, it's a 4.4.0-72-lowlatency kernel, on an Ubuntu 16.04.4.
Before creating your own profile or symbol table, you may be lucky and find your match in the Volatility 2 profiles repository or the Volatility 3 Pypi project.
Generating a profile for Volatility 2
A Linux Volatility 2 profile can be generated from valid Linux headers and a System map. You just need the file, not necessarily the operating system booted on it. Using Docker is a good way to get the file into a suitable
environment without starting a virtual machine.
First, clone Volatility 2 to use their Linux tools.
$ git clone https://github.com/volatilityfoundation/volatility $ cd volatility/tools/linux/
I advise you to replace the automatic kernel detection with a static value, which is your target linux kernel, in my case it is 4.4.0-72-lowlatency.
$ sed -i 's/$(shell uname -r)/4.4.0-72-lowlatency/g' Makefile
Next, run a docker container that matches the target operating system, in my case Ubuntu 16.04, and install the necessary packages.
$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash # apt update && apt install -y linux-image-4.4.0-72-lowlatency linux-headers-4.4.0-72-lowlatency build-essential dwarfdump make zip # cd /volatility/
Finally, create the dwarf file with the volatility tool.
# make Create a zip archive containing the dwarf file and the System map.
# zip Ubuntu1604.zip module.dwarf /boot/System.map-4.4.0-72-lowlatency You now have an Ubuntu1604.zip archive containing the correct profile.
# exit $ cp Ubuntu1604.zip <volatility>/plugins/overlays/linux/
Your profile is ready, you can check that Volatility has loaded it with the following command:
$ volatility --info | grep Profile
First, clone Volatility 2 to use their Linux tools.
$ git clone https://github.com/volatilityfoundation/volatility $ cd volatility/tools/linux/
I advise you to replace the automatic kernel detection with a static value, which is your target linux kernel, in my case it is 4.4.0-72-lowlatency.
$ sed -i 's/$(shell uname -r)/4.4.0-72-lowlatency/g' Makefile
Next, run a docker container that matches the target operating system, in my case Ubuntu 16.04, and install the necessary packages.
$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash # apt update && apt install -y linux-image-4.4.0-72-lowlatency linux-headers-4.4.0-72-lowlatency build-essential dwarfdump make zip # cd /volatility/
Finally, create the dwarf file with the volatility tool.
# make Create a zip archive containing the dwarf file and the System map.
# zip Ubuntu1604.zip module.dwarf /boot/System.map-4.4.0-72-lowlatency You now have an Ubuntu1604.zip archive containing the correct profile.
# exit $ cp Ubuntu1604.zip <volatility>/plugins/overlays/linux/
Your profile is ready, you can check that Volatility has loaded it with the following command:
$ volatility --info | grep Profile
Generating a profile for Volatility 3
There is no profile in Volatility 3, and you could not create a symbol table from a Volatility 2 profile.
First, you need to clone the dwarf2json repository which allows to get a json file from an elf file. Build the go binary before running the docker container.
$ git clone https://github.com/volatilityfoundation/dwarf2json $ cd dwarf2json/ $ go mod download github.com/spf13/pflag $ go build
Then you need to download the debug symbols from the target Linux kernel. Several methods are possible to get it, but I recommend to google it and to download it manually. In my case, it was available on the official Ubuntu mirrors.
$ wget http://launchpadlibrarian.net/313821743/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb
Next, run a docker container that matches the target operating system, in my case Ubuntu 16.04, and install the debug symbols.
$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash # dpkg -i /volatility/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb
Run the dwarf2json binary to generate the symbol table.
# /volatility/dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-72-lowlatency > linux-image-4.4.0-72-lowlatency-amd64.json # exit
Find the volatility3 symbols directory and move your symbol table in it.
$ volatility3 -vvv -f dump.raw banner Volatility 3 Framework 1.0.1 INFO root : Volatility plugins path: ['<volatility3>/framework/plugins'] INFO root : Volatility symbols path: ['<volatility3>/symbols'] $ cp linux-image-4.4.0-72-lowlatency-amd64.json <volatility3>/symbols/
Your symbols are ready, you can check that Volatility has loaded it with the following command:
$ volatility3 -f dump.raw linux.pstree.PsTree
First, you need to clone the dwarf2json repository which allows to get a json file from an elf file. Build the go binary before running the docker container.
$ git clone https://github.com/volatilityfoundation/dwarf2json $ cd dwarf2json/ $ go mod download github.com/spf13/pflag $ go build
Then you need to download the debug symbols from the target Linux kernel. Several methods are possible to get it, but I recommend to google it and to download it manually. In my case, it was available on the official Ubuntu mirrors.
$ wget http://launchpadlibrarian.net/313821743/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb
Next, run a docker container that matches the target operating system, in my case Ubuntu 16.04, and install the debug symbols.
$ docker run -it --rm -v $PWD:/volatility ubuntu:16.04 /bin/bash # dpkg -i /volatility/linux-image-4.4.0-72-lowlatency-dbgsym_4.4.0-72.93_amd64.ddeb
Run the dwarf2json binary to generate the symbol table.
# /volatility/dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-4.4.0-72-lowlatency > linux-image-4.4.0-72-lowlatency-amd64.json # exit
Find the volatility3 symbols directory and move your symbol table in it.
$ volatility3 -vvv -f dump.raw banner Volatility 3 Framework 1.0.1 INFO root : Volatility plugins path: ['<volatility3>/framework/plugins'] INFO root : Volatility symbols path: ['<volatility3>/symbols'] $ cp linux-image-4.4.0-72-lowlatency-amd64.json <volatility3>/symbols/
Your symbols are ready, you can check that Volatility has loaded it with the following command:
$ volatility3 -f dump.raw linux.pstree.PsTree