It can happen that Volatility does not identify the profile of a Linux memory image automatically. imageinfo looks for a Windows KDBG structure, so on a Linux dump the only useful thing it tells you is the negative result: the fallback profile it instantiated (here LinuxUbuntu1604x64) did not fit, as the DTB of -0x1L shows.
$ python2 volatility/vol.py -f memory.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with LinuxUbuntu1604x64)
                     AS Layer1 : FileAddressSpace (/data/tmp/memory.raw)
                      PAE type : No PAE
                           DTB : -0x1L
Either the memory dump was taken from a standard distribution kernel, in which case chances are that a profile already exists.
Check the existing profiles in the Volatility Foundation profiles repository on GitHub (https://github.com/volatilityfoundation/profiles).
Identify the target
Or the machine ran a specific kernel, as in the example below (Ubuntu 16.04.4 with the 4.4.0-72-lowlatency kernel). The kernel banner is stored in the dump, so a string search tells you exactly which kernel was running.
$ strings memory.raw | grep -i 'Linux version' | uniq
Linux version 4.4.0-72-lowlatency ([email protected]) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP PREEMPT Fri Mar 31 15:25:21 UTC 2017 (Ubuntu 4.4.0-72.93-lowlatency 4.4.49)
o The intent is to make the tool independent of Linux version dependencies,
Only the first line is a kernel banner; the second is an unrelated string that the case-insensitive grep also matched. The token right after "Linux version" (4.4.0-72-lowlatency) is what uname -r prints on the target and is the release you need to reproduce; the trailing (Ubuntu 4.4.0-72.93-lowlatency 4.4.49) is the Ubuntu package version. Note that uniq only collapses adjacent duplicates: if several distinct banners show up (the dump may hold traces of more than one kernel), use sort -u instead and pick the banner of the kernel that was actually running.
Build the profile
In this case the only option is to build your own profile, on a virtual machine that runs exactly the same kernel: same distribution release, same kernel package and same flavour, so that uname -r on the VM prints 4.4.0-72-lowlatency. A profile built against a different kernel build loads fine but its structure offsets and symbol addresses will not match the dump.
Once the VM is up, install dwarfdump (the build also needs a compiler and the headers of the running kernel, i.e. build-essential and linux-headers-$(uname -r) on Ubuntu, since the next step compiles a kernel module):
$ sudo apt install dwarfdump
Also clone Volatility from its GitHub repository:
$ git clone https://github.com/volatilityfoundation/volatility.git
Compile the helper kernel module and extract its DWARF debugging information; the Makefile writes the result to module.dwarf:
$ cd ./volatility/tools/linux/
$ make
Now zip the resulting module.dwarf together with the System.map of the target kernel. Both files must describe the same kernel build: the System.map is the one of the kernel the module was just built against, i.e. /boot/System.map-$(uname -r) on the VM.
$ zip Ubuntu1604lowlatency.zip /data/volatility/tools/linux/module.dwarf /boot/System.map-4.4.0-72-lowlatency
Install the profile
Now, back on your investigation machine, copy the zip file to ./volatility/plugins/overlays/linux/. Volatility derives the profile name from the zip file name, prefixed with Linux and suffixed with the architecture, so this one is registered as LinuxUbuntu1604lowlatencyx64. Check that it shows up with vol.py --info | grep Linux, then pass it explicitly (--profile=LinuxUbuntu1604lowlatencyx64) to the linux_* plugins, since imageinfo will not pick it for you.
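The whole procedure, from the banner in the dump to the name the installed profile will have, as an added shell example (not code from the page or from the Volatility project). It assumes only POSIX sh with grep, sed, tr and sort, so it does not need the strings binary; the builder@example address in the constructed sample banner, the second 4.4.0-21-generic banner, and the linux-image-/linux-headers- package names (Ubuntu/Debian naming) are assumptions made for the example, and the image it scans is constructed inline rather than taken from a real dump.

```shell
#!/bin/sh
# Added example, not code from the page or from the Volatility project: pre-flight
# checks around the three steps above (identify the kernel in the dump, confirm the
# build VM matches it, predict the profile name Volatility 2 will register).
# Assumptions: POSIX sh plus grep/sed/tr/sort; `strings` (binutils) is not needed.
# Package names follow Ubuntu/Debian conventions (linux-image-/linux-headers-<release>).

# Emulate `strings`: keep runs of at least 8 printable characters, one per line.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{8,}'
}

# Every distinct kernel banner in an image. Requiring a digit after "version"
# drops strings such as "...independent of Linux version dependencies" that a
# case-insensitive grep also matches; sort -u (unlike uniq) merges non-adjacent
# copies, so a dump holding traces of several kernels lists each one once.
kernel_banners() {
    printable_runs "$1" | grep -o 'Linux version [0-9].*' | sort -u
}

# Banner(s) on stdin -> release as uname -r prints it (e.g. 4.4.0-72-lowlatency).
kernel_release() {
    sed -n 's/^Linux version \([^[:space:]]*\).*/\1/p'
}

# Zip basename + architecture -> the profile name Volatility 2 derives from the zip.
profile_name() {
    printf 'Linux%s%s\n' "$(basename "$1" .zip)" "$2"
}

# Run on the build VM before `make` and `zip`: the running kernel must be the
# target release and the System.map being packaged must belong to that release.
check_build_host() {
    expected=$1; running=$2; sysmap=$3
    [ "$running" = "$expected" ] || { echo "running kernel $running, need $expected" >&2; return 1; }
    [ -r "$sysmap" ] || { echo "cannot read $sysmap" >&2; return 1; }
    case "$(basename "$sysmap")" in
        "System.map-$expected") return 0 ;;
        *) echo "$sysmap is not System.map-$expected" >&2; return 1 ;;
    esac
}

# Constructed sample image (not a real dump): the target banner twice, an older
# kernel's banner in between, the decoy string, and some non-printable bytes.
TARGET_BANNER='Linux version 4.4.0-72-lowlatency (builder@example) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP PREEMPT Fri Mar 31 15:25:21 UTC 2017 (Ubuntu 4.4.0-72.93-lowlatency 4.4.49)'
OLD_BANNER='Linux version 4.4.0-21-generic (builder@example) (gcc version 5.3.1) #37-Ubuntu SMP'
make_sample_dump() {
    printf '\000\001\002junk\000%s\000\377\376%s\000%s\000%s\000' \
        "$TARGET_BANNER" "$OLD_BANNER" \
        'The intent is to make the tool independent of Linux version dependencies' \
        "$TARGET_BANNER" > "$1"
}

# Walk-through on the constructed image.
img=$(mktemp)
make_sample_dump "$img"
echo "kernel banners in image:"
kernel_banners "$img"
# Pick the release to build for (here the lowlatency kernel the page investigates).
target=$(kernel_banners "$img" | kernel_release | grep lowlatency)
echo "target release: $target"
echo "install in the build VM: linux-image-$target linux-headers-$target"
echo "profile Volatility will register: $(profile_name Ubuntu1604lowlatency.zip x64)"
check_build_host "$target" "$(uname -r)" "/boot/System.map-$target" \
    || echo "this host is not the build VM for $target"
rm -f "$img"
```

Run it on the analysis machine to list the banners, then again on the build VM: check_build_host only passes when uname -r equals the release you are building for and the System.map you are about to zip is that kernel's, which is the mismatch that yields a profile Volatility loads but that then fails on the dump.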