This article will focus on find and create a profile for specific image that must be done before investigating a memory image file with Volatility.

If you don’t have a suitable profile and you want to investigate the image file of an old distribution, you have to do the tricky steps describing below.

In this article, what Volatility is and in-depth image analysis will not be explained. These could be the subject of another blog post.

Volatility 2 was rewritten in python 3 and renamed Volatility 3. While I prefer between two version, I prefer either one according to difficulty of creating the profile of the image I am working on. To review the differences between them, see the document: Changes between Volatility 2 and Volatility 3

Volatiliy consists of several special plugins that you can run to get a lot of information from a memory dump file.

Table of Contents

    Volatility 2.6

    Installation

    # Dependencies
    sudo apt-get install dwarfdump pcregrep libpcre++-dev python-dev -y
    pip2 install pycrypto distorm3
    git clone https://github.com/volatilityfoundation/volatility.git
    cd volatility/
    python2 vol.py --help
    ## Make volatility command executable
    chmod +x /usr/local/bin/volatility/trunk/vol.py
    ln -s /usr/local/bin/volatility/trunk/vol.py /usr/local/bin/vol26
    which vol26

    Identify the Correct Profile

    • Windows
    volatility2 -f dump.mem imageinfo
    volatility3 -f dump.raw banners
    • Linux
    volatility3 -f dump.raw banners
    strings dump.raw | grep -i 'Linux version' | uniq
    • MacOSX
    volatility2 -f dump.mem mac_get_profile

    Build Your Own Linux Profile

    • Before creating your own profile (Volatility 2) or symbol table (Volatility 3), try to find in the shared ones:
    • By default, Volatility only integrate windows profiles however it is not integrate none for Linux or Mac.
    • A Linux Volatility profile or symbol table is unique to each version of the Linux kernel.
    • The linux distributions are varios and build for varios architectures.
    • A LInux profile is basically used by volatility to find critical informations on the image. It knows how to parse it through a zip file that contains about the kernel’s data structures and debug symbols.
    • This is why profiles are important. Volatility should know the system and architecture from which the memory dump is taken before extracting information.
    • While it is sufficient to download the kernel containing debug symbols in Volatility 3, it is necessary to create the module.dwarf file in Volatility 2. To do this, a distribution with the same kernel version must be installed.
    • When creating a profile for Volatility 2, you can prefer to install from iso file or docker. Using docker will be much more pratictial.

    Red Hat

    • Creating profile is more than difficult in older versions of Red Hat. Therefore you can try do it as describing in Volatility3>Build Your Own Symbol Tables below.
    • If you come across a situation that need to do at Volatility 2, I have explained how to make a difficult example below.
    • In this example we will create Volatility profile for the Red Hat image with the banner information as below.
    Linux version 2.6.32-754.el6.x86_64 (mockbuild@x86-033.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Thu May 24 18:18:25 EDT 2018
    • We will do it with CentOS because we cannot reach the old versions of Red Hat.
    • Happening problems because of being an old distribution version:
      • Broken old package links of yum package manager
      • libdwarf package installation (solution: source install with old version)
      • Broken symbolic link of /lib/modules directory
    • I preferred create a bash script called centos.sh to overcome these problems.
    #!/bin/bash
    
    # Fix broken old package links
    cd /etc/yum.repos.d/
    sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*
    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*
    sed -i 's/enabled=0/enabled=1/g' /etc/yum.repos.d/CentOS-Debuginfo.repo
    #yum update -y
    
    # Install dependencies
    OS=CentOS
    KVER=2.6.32-754.el6.x86_64
    yum install kernel-debuginfo-${KVER} kernel-headers kernel-devel gcc gcc-c++ make elfutils-devel elfutils-libelf-devel git wget zip python2-devel -y
    # Install libdwarf package from source code
    cd / && wget http://www.prevanders.net/libdwarf-20140413.tar.gz --no-check-certificate
    tar xf libdwarf-20140413.tar.gz
    cd dwarf-20140413/
    ./configure
    make dd
    cp dwarfdump/dwarfdump /usr/local/bin && cp dwarfdump/dwarfdump.conf /usr/local/lib && cp libdwarf/libdwarf.a /usr/local/lib
    
    # Fix broken symbolic link
    # Remove the incorrect build location from /lib/modules if exist
    rm -f /lib/modules/${KVER}/build
    # Create Link the kernel source location to the modules build location
    mkdir /lib/modules/${KVER}/
    ln -s /usr/src/kernels/*el6.x86_64/ /lib/modules/${KVER}/build
    
    # Create volatility profile
    cd / && git clone https://github.com/volatilityfoundation/volatility.git
    cd volatility/tools/linux/
    # You must set statically kernel version in while using docker
    sed -i 's/$(shell uname -r)/'"${KVER}"'/g' Makefile
    make
    cd /volatility
    zip volatility/plugins/overlays/linux/${OS}_${KVER}_profile.zip tools/linux/module.dwarf /usr/src/kernels/*el6.x86_64/System.map
    cp /volatility/volatility/plugins/overlays/linux/${OS}_${KVER}_profile.zip /
    • Let’s create a container:
    docker run -it --name centos6.10 centos:6.10 /bin/bash
    • Let’s run the script we prepaired on the contrainer.
    docker exec -i centos6.10 /bin/bash < centos.sh
    • After the script finishes successfully, it moves the created zip archive to under the root directory. You can get this archive on your host machine with docker cp command.
    OS=CentOS
    KVER=2.6.32-754.el6.x86_64
    docker cp centos6.10:/${OS}_${KVER}_profile.zip .
    # Move new profile to plugins directory
    mv ${OS}_${KVER}_profile.zip volatility/plugins/overlays/linux/

    Ubuntu 16.04

    • For Ubuntu 16.04, you can create a container as follows and appy follow the steps in the Manually Creating Profile header in its bash command line step by step.
    • What you should not forget is that while working with docker, the uname -a command in the Makefile does not give the correct result, so you need to do the static version step in the above script.
    sed -i 's/$(shell uname -r)/'"${KVER}"'/g' Makefile

    Manually Creating Profile

    • Install Volatility as in the header of Volatility 2.6>Installation.
    • Go to tools/linux in Volatility directory and run make command:
    sudo apt install linux-image-$(uname -r) linux-headers-$(uname -r)
    cd tools/linux/
    make
      • If you get ERROR: modpost: missing MODULE_LICENSE() error in make command, follow the solution below:
        • The solution is simply to add MODULE_LICENSE("GPL"); as last line in volatility/tools/linux/module.c
      • If you get bin/sh: 1: dwarfdump: not found error in make command, install the dwarfdump package.
        • sudo apt install dwarfdump
    • You should see a new module.dwarf file. You also need the System.map file in the /boot directory as it contains all symbols related to the currently running kernel.
    • To create a custom profile, go back to the Volatility directory and run the following command.
    cd volatility/
    sudo zip volatility/plugins/overlays/linux/$(lsb_release -si)_$(uname -r)_profile.zip tools/linux/module.dwarf /boot/System.map-$(uname -r)
    ll volatility/plugins/overlays/linux/
      • The first argument provides a custom .zip with a filename of your choice.
      • The next argument is the created module.dwarf file above and the last argument is System.map file at /boot directory.
    • If you want to know is Volatility detect this custom profile, run the --info command again. At this time, you should see the new profile listed below.:
    python2 vol.py --info | grep $(uname -r)
    Volatility Foundation Volatility Framework 2.6.1
    LinuxUbuntu_5_15_0-41-generic_profilex64 - A Profile for Linux Ubuntu_5.15.0-41-generic_profile x64

    Start Using Volatility

    General form of the command:

    python2 vol.py -f <memory-dump-file-taken-by-Lime> <plugin-name> --profile=<name-of-our-custom-profile>

    Run linux_banner plugin to see the distribution information:

    python2 vol.py -f ~/LiME/ubuntu_20.04_64bit.mem --profile=LinuxUbuntu_5_15_0-41-generic_profilex64 linux_banner

    Useful Addresses

    Wiki: https://github.com/volatilityfoundation/volatility/wiki
    Volatility Usage: https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
    Command Reference: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
    Volatility Cheat Sheet: https://github.com/volatilityfoundation/volatility/raw/gh-pages/docs/VolatilityCheatSheet.pdf

    Volatility3

    • Volatility 3 does not have a library to consist of linux symbol tables so you cannot work with memory image without create it.
    • You need to use the dwarf2json tool to generate them from the debug kernel.

    Installation

    git clone https://github.com/volatilityfoundation/volatility3.git
    cd volatility3
    pip3 install -r requirements.txt
    # FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/pip3.8'
    # Error fix:
    sudo cp /usr/bin/pip3 /usr/bin/pip3.8
    python3 vol.py -h

    Build Your Own Symbol Tables

    • A kernel with debug symbols is the only suitable tool to recover all information required by most Volatility plugins.
    • Most linux distributions were stripped of the standard kernel debug information and the kernel with the debug information is stored in a package that must be get separately.
    • Use banner plugin to specify the string of the a spesific memory image.
    • Try to find the exact kernel debug package for operating system when the banner is known.
    • Unfortunately each distribution provides its own debug packages under different package names, and there are so many that the distribution may not hold all the old versions of debug symbols and therefore it may not be possible to find the correct symbols for analyzing a linux memory image.
    • Banners must match exactly (including compilation date) for Volatility to use the JSON file.

    Get Ubuntu Debug Symbol Kernel

    codename=$(lsb_release -c | awk '{print $2}')
    printf "deb http://ddebs.ubuntu.com %s main restricted universe multiverse\n" $(lsb_release -sc){,-updates,-proposed} | \
    sudo tee -a /etc/apt/sources.list.d/ddebs.list
    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622
    sudo apt update
    sudo apt install linux-image-$(uname -r)-dbgsym
    ll /usr/lib/debug/boot/

    Get Red Hat Debug Symbol Kernel

    • Thanks to the time information found with the Banners plugin, the RHEL version can be found on the Red Hat wikipedia page under the heading Version history and timeline.
    • The rpm package should be found and installed from the CentOS site with the obtained kernel version information and date. http://debuginfo.centos.org/6/x86_64/ (kernel-debuginfo-<kernel-version>.rpm)
    • While installing dependencies, yum package manager repo addresses will not work on older systems. To fix this, the repo file must be changed:
    # https://www.getpagespeed.com/server-setup/how-to-fix-yum-after-centos-6-went-eol
    curl https://www.getpagespeed.com/files/centos6-eol.repo --output /etc/yum.repos.d/CentOS-Base.repo
    yum update

    Other Linux Distribution Symbol Kernels

    Identify the Correct vmlinux File

    • vmlinux file must match the currently running kernel version. This can be verified with uname -r command.
    • vmlinux file should not be confused with “vmlinuz”. “z” indicates that the file is the compressed version of the vmlinux file.
    • vmlinux file location:
      • Ubuntu
    /usr/lib/debug/boot/vmlinux-`uname -r`
      • Red Hat Enterprise Linux, after installing the debug packages, the correct vmlinux file is in the following paths depending on the version:
    /usr/lib/debug/lib/modules/`uname -r`/vmlinux
    /usr/lib/debug/lib/usr/lib/modules/`uname -r`/vmlinux

    dwarf2json

    • Linux and Mac symbol tables can create from a DWARF file using a tool called dwarf2json.
    • To install dwarf2json, golang must be installed.
    • If golang is not installed, you can install it with the quick installation script below:
    # https://github.com/canha/golang-tools-install-script
    wget -q -O - https://git.io/vQhTU | bash
    source ~/.bashrc
    go version
    # dwarf2json
    git clone https://github.com/volatilityfoundation/dwarf2json.git
    cd dwarf2json
    go build
    sudo mv dwarf2json /usr/bin/
    • Create the symbol file and move it to the project directory:
    dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) > $(uname -n)_$(lsb_release -sr)_$(uname -i)__$(uname -r)_symbol.json`
    mv *_symbol.json <volatility3>/symbols/
    • Test the symbol works with a plugin:
    python3 vol.py -f <dump.mem> linux.pstree.PsTree

    Useful Addresses

    Official Documentation: https://volatility3.readthedocs.io/en/latest/index.html

    I used list items a lot because this article was created from my markdown notes in the Joplin tool. This is my way of taking notes. I will try to move to my blog what I find useful among many notes. Long days and pleasant nights Sai.

    The Gunslinger