VOLATILITY AND LIME ON UBUNTU 14.04

I recently decided to try out Volatility on Linux, and in general – for the first time ever. I figured it was time to step it up and actually try to figure out how to make it work since most everyone I know hasn’t ever used it before.
This tutorial will be fairly high level. I'm not going to hold your hand through everything, but most of the info needed to get Volatility working with memory dumps will be provided. The setup can be a little confusing, so I wanted to make a more straightforward guide. That being said, keep in mind that I am doing this on Ubuntu 14.04 LTS with the specific kernel in that distro. Volatility is compatible with most kernels but not all, and just because something works on my system doesn't mean it will work on everyone's.
I'm using Volatility 2.2 and will be working from my home directory, FYI.
A lot of these instructions can be found on Volatility’s site:
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
1) Download Dependencies:
– Python (obviously):
apt-get install python2.7
– Dwarfdump:
apt-get install dwarfdump
– GCC/make:
apt-get install build-essential
– Headers for building kernel modules:
apt-get install linux-headers-`uname -r`
NOTE: There are other python libraries that will need to be imported in order to use some of the plugins. Comprehensive lists can be found online.
2) Download Volatility:
wget the latest release from https://code.google.com/p/volatility/downloads/list
Make sure to pull the tar.gz file and not the .exe
wget
tar -xzvf
cd volatility-2.2
You can either use the install script (install.py) or just work out of the local directory.
Installing will allow you to import the libraries into other scripts you make, however it’s harder to manage as there is no uninstall script, so you have to do it manually whenever you want to upgrade. Version control is easier without installing. For example, the day after I downloaded Volatility 2.2, 2.3 was released. All I had to do was download the new version and move my kernel profile (explained later)🙂
*I will be running the vol.py script with python from the directory it resides in. I chose not to install it.
3) Make Profile/Kernel vtypes:
On Ubuntu 13, module.c is wrong. You must change “#include <linux/net_namespace.h>” in the module.c file to “#include <net/net_namespace.h>”.
cd ~/volatility-2.2/tools/linux
make
head module.dwarf
(If this didn't work, look at what I wrote before the commands ^^…)
Now you need to make a profile (it's just a zip of your module.dwarf and System.map files):
*Make sure to name the zip file something memorable. I called mine “Ubuntu13”.
sudo zip ~/volatility-2.2/volatility/plugins/overlays/linux/Ubuntu13.zip ~/volatility-2.2/tools/linux/module.dwarf /boot/System.map-3.13.0-32-generic
adding: home//volatility-2.2/tools/linux/module.dwarf (deflated 90%)
adding: boot/System.map-3.13.0-32-generic (deflated 79%)
4) Check to see if your profile exists:
sudo python ./vol.py --info | grep Linux
5) Volatility requires a memory dump to work with. Volatility cannot create one itself, so you must use LiME to make the dump. LiME is a kernel module that performs this action.
Extract and compile:
wget
unzip
cd /LiME-master/src
make
make -C /lib/modules/3.13.0-32-generic/build M=/home//Downloads/LiME-master/src modules
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-32-generic'
CC [M] /home//Downloads/LiME-master/src/tcp.o
CC [M] /home//Downloads/LiME-master/src/disk.o
CC [M] /home//Downloads/LiME-master/src/main.o
LD [M] /home//Downloads/LiME-master/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /home//Downloads/LiME-master/src/lime.mod.o
LD [M] /home//Downloads/LiME-master/src/lime.ko
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-32-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-3.13.0-32-generic.ko
The command to dump memory:
sudo insmod lime-3.13.0-32-generic.ko "path=/home//ubuntu.lime format=lime"
The memory dump shows up as “ubuntu.lime” in my home directory:
ls ~/
Desktop Downloads Music Public ubuntu.lime volatility-2.2
Documents examples.desktop Pictures Templates Videos
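Before handing the dump to Volatility it is worth checking that LiME wrote it in the format you asked for. The script below is an added example, not code from the original post or from the LiME project: it walks the per-range headers of a "format=lime" dump (32 bytes each, little-endian: magic 0x4C694D45 "LiME", version 1, inclusive start and end physical address, 8 reserved bytes, as laid out in LiME's lime.h) and reports every range, refusing a file whose headers are wrong or whose last range is cut short. The sample dump at the bottom is constructed in the script so it runs offline under python2.7 or python3.

```python
import struct

LIME_MAGIC = 0x4C694D45     # "LiME" read as a little-endian unsigned int
LIME_VERSION = 1
# magic, version, s_addr, e_addr, reserved[8] -> 32-byte packed header
HEADER = struct.Struct("<IIQQ8s")


def parse_lime(data):
    """Return [(s_addr, e_addr, size)] for every range in a LiME dump.
    Raises ValueError on a bad magic/version or a truncated range,
    which is what a partially written capture looks like."""
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated header at offset %d" % off)
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset %d" % (magic, off))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        size = e_addr - s_addr + 1          # e_addr is inclusive
        off += HEADER.size
        if off + size > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file"
                             % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, size))
        off += size                         # skip the range payload
    return ranges


def parse_lime_file(path):
    """Convenience wrapper: parse a dump on disk (e.g. ~/ubuntu.lime)."""
    with open(path, "rb") as f:
        return parse_lime(f.read())


def make_range(s_addr, e_addr, fill=b"\x00"):
    """Build one header+payload range for the constructed sample below."""
    size = e_addr - s_addr + 1
    return HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr,
                       b"\x00" * 8) + fill * size


# Constructed sample dump (two small physical ranges), not a real capture.
SAMPLE_DUMP = make_range(0x1000, 0x1FFF) + make_range(0x100000, 0x1003FF, b"\xAA")

if __name__ == "__main__":
    for s, e, n in parse_lime(SAMPLE_DUMP):
        print("range 0x%016x-0x%016x (%d bytes)" % (s, e, n))
```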
Plugins are the individual analysis tasks Volatility can run against a memory dump.
List Volatility Plugins:
python ./vol.py --info | grep -i linux_
Using plugins (format):
python vol.py -f --profile= plugin_name

Example:
sudo python ./vol.py -f ../ubuntu.lime --profile=LinuxUbuntu13x64 linux_memmap
References:
https://samsclass.info/121/proj/p4-Volatility.htm
https://samsclass.info/121/proj/p2-RAM-Img.htm