Build Custom Linux Profile for Volatility

Build the Volatility profile (symbol table) on a separate analysis machine that runs the same kernel as the compromised system, never on the compromised system itself: installing compilers, debug packages and tooling there overwrites evidence. If you can boot a virtual machine from the compromised system's virtual disk, backup or snapshot, or provision a fresh machine with the same kernel package, that is ideal.

For an EC2 instance built from a standard AMI, provision a new instance from the same AMI, bring it to the same kernel version as the dump, and install that kernel's debug symbols (debuginfo) there.

Identifying potential kernel candidates and building a specific kernel

You may be in a situation where you have a memory dump, but aren't provided with information about which system it came from, release/build information, kernel information etc.

Using the banners plugin in Volatility3, it's possible to identify potential candidates to assist with building a symbol table.

$ python3 vol.py -f evidence.mem banners
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
Offset  Banner

0x738001a0      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC  (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)
0x73975d40      Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)

Note that the first hit is an incomplete copy of the banner (the build timestamp is missing); the second, complete one is the string to match. Using this information, deploy an Ubuntu 22.04 virtual machine as the base for the profile and install the exact kernel package named in the banner:

$ sudo apt update; sudo apt install linux-image-6.2.0-36-generic

Reboot and verify that the running kernel matches the banner, release string and build number (#37~22.04.1-Ubuntu) included, not just the version.

user@ubuntu:~$ uname -a
Linux ubuntu 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Next install the debug symbols for that kernel. Ubuntu ships them as a separate -dbgsym package in the ddebs repository, so add that repository, trust its signing key, update, and install the package that matches the running kernel exactly.

$ sudo nano /etc/apt/sources.list.d/ddebs.list 

deb http://ddebs.ubuntu.com xxxxx main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-updates main restricted universe multiverse
deb http://ddebs.ubuntu.com xxxxx-proposed main restricted universe multiverse
(replace xxxxx with the release codename from 'lsb_release -cs', i.e. jammy for 22.04, focal for 20.04; the -proposed line is optional and only worth adding if the dbgsym package for your exact kernel is not found in the first two)

$ wget -O - http://ddebs.ubuntu.com/dbgsym-release-key.asc | sudo apt-key add -
(apt-key is deprecated on current Ubuntu releases; installing the ubuntu-dbgsym-keyring package is the supported way to trust this repository)

$ sudo apt update
$ sudo apt install linux-image-6.2.0-36-generic-dbgsym
$ sudo shutdown -r now
(the dbgsym package only installs files under /usr/lib/debug, so this reboot is optional)

Now create the symbol table (ISF JSON) with dwarf2json. It needs the uncompressed vmlinux with DWARF data from the dbgsym package and the System.map of the same kernel.

$ git clone https://github.com/volatilityfoundation/dwarf2json.git
$ cd dwarf2json
$ go build
(if Go is not available, copy a precompiled executable instead)
$ sudo ./dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-6.2.0-36-generic --system-map /boot/System.map-6.2.0-36-generic > Ubuntu22.04-6.2.0-36-generic.json
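The Ubuntu steps above, wrapped into one script as an added example (not from the original page and not part of dwarf2json or Volatility): it takes the banner string from `vol.py banners`, refuses to proceed unless the build VM is running that exact kernel, adds the ddebs repository, fetches the matching dbgsym package, runs dwarf2json and checks that the output actually carries a linux_banner symbol. It assumes an Ubuntu build VM, the `ubuntu-dbgsym-keyring` package in place of the deprecated apt-key step, and a dwarf2json binary at `./dwarf2json` (or wherever `$DWARF2JSON` points); the function and variable names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page, dwarf2json or Volatility):
# build the Volatility 3 Linux symbol table for the kernel named in a
# `vol.py banners` hit, on an Ubuntu build VM. Assumes the ubuntu-dbgsym-keyring
# package instead of apt-key, and dwarf2json at ./dwarf2json or $DWARF2JSON.

# Kernel release from a banner line:
# "Linux version 6.2.0-36-generic (buildd@...) ..." -> 6.2.0-36-generic
kernel_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^.*Linux version \([^ ]*\).*$/\1/p'
}

# Ubuntu package and file names that follow from the kernel release.
dbgsym_package()  { printf 'linux-image-%s-dbgsym\n' "$1"; }
vmlinux_path()    { printf '/usr/lib/debug/boot/vmlinux-%s\n' "$1"; }
system_map_path() { printf '/boot/System.map-%s\n' "$1"; }

# ddebs repository lines for a release codename (jammy, focal, ...).
# -proposed is left out; add it by hand only if the dbgsym package is not found.
ddebs_sources() {
    printf 'deb http://ddebs.ubuntu.com %s main restricted universe multiverse\n' "$1"
    printf 'deb http://ddebs.ubuntu.com %s-updates main restricted universe multiverse\n' "$1"
}

build_symbols() {
    banner="$1"; out="$2"
    krel=$(kernel_from_banner "$banner")
    [ -n "$krel" ] || { echo "no kernel release in banner: $banner" >&2; return 1; }
    # The dbgsym vmlinux only describes the kernel it was built for; refuse to
    # build from a VM that is running anything else.
    if [ "$(uname -r)" != "$krel" ]; then
        echo "VM runs $(uname -r) but the dump needs $krel:" >&2
        echo "  sudo apt install linux-image-$krel, reboot, then rerun" >&2
        return 1
    fi
    sudo apt-get install -y ubuntu-dbgsym-keyring
    ddebs_sources "$(lsb_release -cs)" | sudo tee /etc/apt/sources.list.d/ddebs.list >/dev/null
    sudo apt-get update
    sudo apt-get install -y "$(dbgsym_package "$krel")"
    "${DWARF2JSON:-./dwarf2json}" linux \
        --elf "$(vmlinux_path "$krel")" \
        --system-map "$(system_map_path "$krel")" > "$out"
    # Volatility 3 pairs the table with a dump via the linux_banner symbol;
    # a table without it will never be selected, so fail loudly here.
    grep -q '"linux_banner"' "$out" || { echo "$out has no linux_banner symbol" >&2; return 1; }
    echo "wrote $out for $krel; copy it to volatility3/symbols/linux and run isfinfo"
}

# Usage: BUILD=1 ./build_symbols.sh 'Linux version 6.2.0-36-generic (...)' Ubuntu22.04-6.2.0-36-generic.json
if [ "${BUILD:-0}" = "1" ]; then
    build_symbols "$1" "$2"
fi
```

The uname check is the step worth keeping even if you type the rest by hand: a dbgsym vmlinux for a neighbouring build of the same kernel version produces a table that looks fine in isfinfo but never matches the dump's banner.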

The command should complete without errors and write a single JSON file. Copy it into Volatility3's Linux symbol directory and run isfinfo to confirm it is registered and cached. Compare the identifying information column with the banner reported by the banners plugin: Volatility 3 selects a Linux symbol table by that string alone, so it must match byte for byte, build timestamp included, or Volatility will report unsatisfied requirements and never load it.

$ mv Ubuntu22.04-6.2.0-36-generic.json /path/to/volatility3/symbols/linux
$ python3 vol.py isfinfo
Volatility 3 Framework 2.4.2
Progress:  100.00               PDB scanning finished
URI     Valid   Number of base_types    Number of types Number of symbols       Number of enums Identifying information

<snip>
file:///home/user/volatility3/symbols/linux/Ubuntu22.04-6.2.0-36-generic.json       True (cached)   19      12930   263277  2285    b'Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 (Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n\x00'
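A check for that banner match, as an added example that is not part of the original page, Volatility or dwarf2json: it reads the linux_banner constant out of the generated ISF JSON (dwarf2json stores it base64-encoded under symbols.linux_banner.constant_data, which is what isfinfo shows in its last column), scans a raw image for banner strings the way the banners plugin does, and reports whether the table will be selected for that dump. The same check applies to the Amazon Linux table built in the next section. The sample banners, the fake image and the `make_isf` fragment are constructed for the example, and the function names are my own.

```python
"""Verify that a dwarf2json symbol table (ISF JSON) is the one for a given memory dump.

Added example, not part of Volatility or dwarf2json. Volatility 3's Linux automagic
picks a symbol table by comparing the kernel banner in the dump with the
linux_banner constant stored in the ISF file, so the two must match byte for byte.
"""
import base64
import json
import lzma
import mmap
import re
import sys
from pathlib import Path

# What the banners plugin looks for: the start of the kernel's linux_banner string.
# The string is NUL-terminated in memory, so read up to the first NUL.
BANNER_RE = re.compile(rb"Linux version \d[^\x00]*")


def load_isf(path):
    """Load an ISF table from disk, handling the .json.xz form Volatility also accepts."""
    p = Path(path)
    raw = p.read_bytes()
    if p.suffix == ".xz":
        raw = lzma.decompress(raw)
    return json.loads(raw)


def isf_banner(isf):
    """Banner embedded in the table (bytes), or None if dwarf2json did not emit it."""
    sym = isf.get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"])


def normalize(banner):
    """Drop the trailing newline and NUL so table and dump copies compare equal."""
    return banner.rstrip(b"\x00\n")


def scan_banners(data):
    """Every (offset, banner) in a raw image; accepts bytes or an mmap of the dump."""
    return [(m.start(), m.group(0)) for m in BANNER_RE.finditer(data)]


def symbol_table_matches(isf, dump_banners):
    """True if the table's banner equals one of the banners recovered from the dump."""
    table = isf_banner(isf)
    if table is None:
        return False
    wanted = normalize(table)
    return any(normalize(b) == wanted for _, b in dump_banners)


def make_isf(banner):
    """Minimal ISF fragment shaped like dwarf2json output (constructed, for the samples)."""
    return {
        "metadata": {"format": "6.2.0"},
        "symbols": {
            "linux_banner": {
                "address": 0xFFFFFFFF82A01A20,  # placeholder address, not a real one
                "constant_data": base64.b64encode(banner + b"\x00").decode(),
            }
        },
    }


# Constructed sample data, not taken from a real system: the dump's kernel banner,
# a stale banner left in memory by an older kernel, and a small fake image.
SAMPLE_BANNER = (
    b"Linux version 6.2.0-36-generic (buildd@lcy02-amd64-050) "
    b"(x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, "
    b"GNU ld (GNU Binutils for Ubuntu) 2.38) #37~22.04.1-Ubuntu SMP "
    b"PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 "
    b"(Ubuntu 6.2.0-36.37~22.04.1-generic 6.2.16)\n"
)
STALE_BANNER = b"Linux version 5.15.0-0-generic (builder@example) #1 SMP Mon Jan 1 00:00:00 UTC 2024\n"
SAMPLE_ISF = make_isf(SAMPLE_BANNER)
SAMPLE_DUMP = (b"\x00" * 4096 + STALE_BANNER + b"\x00" * 512
               + SAMPLE_BANNER + b"\x00" + b"A" * 1024)


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} <table.json[.xz]> <dump.mem>", file=sys.stderr)
        return 2
    isf = load_isf(argv[1])
    # mmap so a multi-gigabyte dump is scanned without being read into memory.
    with open(argv[2], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        found = scan_banners(mm)
        for off, b in found:
            print(f"0x{off:x}\t{normalize(b).decode(errors='replace')}")
        ok = symbol_table_matches(isf, found)
    print("MATCH" if ok else "NO MATCH: rebuild the table for a banner listed above")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_isf.py Ubuntu22.04-6.2.0-36-generic.json evidence.mem`. A dump can legitimately contain several banners (leftover pages from a previous kernel, a kernel image in the page cache), which is why the check accepts a match against any of them; the one Volatility actually pairs with the table is the running kernel's.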

Test the symbol table against the memory dump; if the banner matched, pslist returns the process list without unsatisfied-requirement errors.

$ python3 vol.py -f evidence.mem linux.pslist
Volatility 3 Framework 2.4.2
Progress:  100.00               Stacking attempts finished
OFFSET (V)      PID     TID     PPID    COMM

0x99f7802a1980  1       1       0       systemd
0x99f7802a3300  2       2       0       kthreadd
0x99f7802a6600  3       3       2       rcu_gp
0x99f7802a0000  4       4       2       rcu_par_gp
0x99f7802a4c80  5       5       2       slub_flushwq
0x99f7802b9980  6       6       2       netns
0x99f7802be600  8       8       2       kworker/0:0H
0x99f7802bcc80  10      10      2       mm_percpu_wq
0x99f78033b300  11      11      2       rcu_tasks_kthre

Using dwarf2json to build kernel profiles for Volatility3

For an Amazon Linux 2023 EC2 instance running kernel 6.1.34-59.116.amzn2023.x86_64. Make sure `uname -r` on the new instance matches the banner from the dump before installing the debuginfo; if the AMI has moved on to a newer kernel, install the exact older kernel package instead of updating, because the debuginfo must describe the kernel in the dump, not the latest one.

$ sudo yum update -y
$ sudo yum --enablerepo='*debuginfo' install kernel-debuginfo-$(uname -r)
$ mkdir /home/ec2-user/volatility3
$ sudo cp /boot/System.map-$(uname -r) /home/ec2-user/volatility3
$ sudo cp /usr/lib/debug/lib/modules/$(uname -r)/vmlinux /home/ec2-user/volatility3

(grab a precompiled dwarf2json from https://github.com/kevthehermit/volatility_symbols, or build it from source as in the Ubuntu section; a binary from a third-party repository is convenient, but building from the volatilityfoundation source is preferable whenever Go is available)

$ wget https://github.com/kevthehermit/volatility_symbols/raw/main/dwarf2json
$ chmod +x dwarf2json
$ ./dwarf2json linux --system-map /path/to/System.map-6.1.34-59.116.amzn2023.x86_64 --elf /path/to/vmlinux > your-name-for-kernel.json
$ cp /path/to/your-name-for-kernel.json /path/to/volatility3/volatility3/symbols/linux
$ python3 vol.py isfinfo
(check that the new symbol table is registered and its banner matches the dump)
$ python3 vol.py -f ec2mem.mem banners
$ python3 vol.py -f ec2mem.mem linux.pslist

The original version of this article covered Volatility 2, which builds a profile from a dwarfdump of a small kernel module compiled against the target kernel, zipped together with System.map. It is kept here for older systems.

Clone Volatility 2 (https://github.com/volatilityfoundation/volatility) on a machine running the target kernel with the matching linux-headers package installed, and build the module:

$ cd volatility/tools/linux
$ uname -r 
4.15.0-106-generic
$ sudo make -C /lib/modules/4.15.0-106-generic/build/ CONFIG_DEBUG_INFO=y M=$PWD modules

If you receive an error similar to the following, modpost is refusing to build a module without a licence declaration and you need to modify module.c:

ERROR: modpost: missing MODULE_LICENSE() in /home/USER/volatility/tools/linux/module.o

$ nano module.c
Add the following line to the end of the file, exactly as it appears, then rerun the make command above:

MODULE_LICENSE("GPL");

If dwarfdump isn't installed, install it, then dump the module's DWARF data and zip it together with the System.map of the same kernel:

$ sudo apt install dwarfdump
$ dwarfdump -di ./module.o > module.dwarf
$ sudo zip Ubuntu64-4.15.0.106.zip module.dwarf /boot/System.map-4.15.0-106-generic

The zip's file name determines the profile name: Volatility 2 prefixes it with Linux, replaces dots with underscores and appends the architecture, so Ubuntu64-4.15.0.106.zip becomes LinuxUbuntu64-4_15_0_106x64. Move the zip into the Linux overlays directory:

$ cp Ubuntu64-4.15.0.106.zip /path/to/volatility/plugins/overlays/linux/
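The usual failure at this point is a "profile not found" error because the zip was named differently than the --profile value typed later. As an added example, not from the original page or from Volatility, here is a shell function that derives the profile name Volatility 2 will register from the zip's file name, plus a check that the zip actually contains module.dwarf and a System.map. The naming rule (Linux prefix, dots to underscores, architecture suffix) is the one shown by the example above; the x86 suffix for 32-bit profiles, the function names and the availability of unzip are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of Volatility 2 or the original page).

# Profile name Volatility 2 registers for a Linux overlay zip:
# "Linux" + zip basename without .zip, dots replaced by underscores, + arch
# (x64 for 64-bit kernels; x86 assumed for 32-bit).
vol2_profile_name() {
    zip_path="$1"
    arch="${2:-x64}"
    base=$(basename "$zip_path" .zip)
    printf 'Linux%s%s\n' "$(printf '%s' "$base" | tr '.' '_')" "$arch"
}

# An overlay zip needs the two files built above: module.dwarf and a System.map
# for the same kernel. Returns non-zero and says what is missing.
check_overlay_zip() {
    zip_path="$1"
    listing=$(unzip -Z1 "$zip_path") || { echo "cannot read $zip_path" >&2; return 1; }
    printf '%s\n' "$listing" | grep -Eq '(^|/)module\.dwarf$' \
        || { echo "$zip_path: missing module.dwarf" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'System\.map' \
        || { echo "$zip_path: missing System.map" >&2; return 1; }
    echo "$zip_path looks complete; use --profile=$(vol2_profile_name "$zip_path")"
}

# Usage: ./check_profile.sh /path/to/volatility/plugins/overlays/linux/Ubuntu64-4.15.0.106.zip
if [ -n "${1:-}" ]; then
    check_overlay_zip "$1"
fi
```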

List the registered profiles and confirm the new one appears:

$ python vol.py --info | grep Linux

Then run a plugin with that profile against the dump:

$ python vol.py -f /mnt/volatility/DF/vm-dump.mem --profile=LinuxUbuntu64-4_15_0_106x64 linux_pslist