From aldeid
Jump to navigation Jump to search
You are here
Custom profiles


It can happen that the profile is not automatically identified by Volatility.

$ python2 volatility/vol.py -f memory.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1604x64)
                     AS Layer1 : FileAddressSpace (/data/tmp/memory.raw)
                      PAE type : No PAE
                           DTB : -0x1L

Standard profiles

Either the memory dump has been performed on a standard distribution, and chances are that the profile already exists.

Check the existing profiles here

Custom profile

Identify the target

But in some cases, the machine was specific, like in the below example (Ubuntu 16.04.4 with 4.4.0-72-lowlatency kernel).

$ strings memory.raw | grep -i 'Linux version' | uniq
Linux version 4.4.0-72-lowlatency ([email protected]) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP PREEMPT Fri Mar 31 15:25:21 UTC 2017 (Ubuntu 4.4.0-72.93-lowlatency 4.4.49)
 o  The intent is to make the tool independent of Linux version dependencies,

Build the profile

In this case, the only way is to build your own profile, with a virtual machine that has the targeted criteria.

Once done, install dwarf:

$ sudo apt install dwarfdump

Also download Volatility from the github repo:

$ git clone https://github.com/volatilityfoundation/volatility.git

Compile the dwarf file:

$ cd ./volatility/tools/linux/
$ make

Now collect and zip both the resulting dwarf profile and the symbols.

$ zip Ubuntu1604lowlatency.zip /data/volatility/tools/linux/module.dwarf /boot/System.map-4.4.0-72-lowlatency

Install the profile

Now, back to your investigation machine, copy the zip file to ./volatility/plugins/overlays/linux/