Checking Kernel release: uname -r
Checking Kernel version: uname -v
Here's a list of commands which you may execute to acquire memory from a *UNIX system.

Using AVML:
- Download the latest build using:
wget https://github.com/microsoft/avml/releases/download/v0.3.0/avml
wget https://github.com/microsoft/avml/releases/download/v0.3.0/avml-convert
- Make it executable:
chmod +x avml
- Execute the following command to generate a compressed memory image:
sudo ./avml --compress output.lime.compressed
- For more such examples, visit the AVML repository here: https://github.com/microsoft/avml#capturing-a-memory-image--uploading-to-azure-blob-store

Using LiME:
- Clone the repository using:
git clone https://github.com/504ensicsLabs/LiME.git
- Switch into the folder:
cd LiME/src
- Compile the LKM using:
make
You should now have a kernel-specific object file named lime-{kernel_version}.ko in the same directory.
- Insert the LKM and dump memory using:
sudo insmod lime-5.8.0-55-generic.ko path=dumped-memory.lime format=lime

Using linpmem:
- Pull the linpmem build using:
wget https://github.com/Velocidex/c-aff4/releases/download/v3.3.rc3/linpmem-v3.3-rc3.3-rc2
- Dump the memory using:
sudo ./linpmem-v3.3-rc3.3-rc2 --format raw -m --output mem.raw

Using fmem:
- Clone the repository using:
git clone https://github.com/NateBrune/fmem.git
- Switch into the folder:
cd fmem
- Execute the make command:
make
- Run the script to create the virtual interface /dev/fmem:
sudo ./run.sh
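The LiME step above only works when the module was compiled for the kernel that is running, and an image is only useful later if its integrity can be shown. The following shell script is an added example, not code from the post or from the LiME project: it reads the kernel release out of the module's file name, refuses to load it on a different kernel, and records a SHA-256 of the image. The helper names, the `acquire_with_lime` wrapper and the sample module names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): guard the LiME insmod step
# by checking that the module's embedded kernel release equals the running
# kernel, then hash the resulting image so it can be verified later.
# Helper and variable names here are this example's own, not LiME's.

# Kernel release encoded in a LiME module name, e.g.
# lime-5.8.0-55-generic.ko -> 5.8.0-55-generic
lime_module_kernel() {
    basename "$1" .ko | sed 's/^lime-//'
}

# Return 0 when the module was built for kernel release $2
# (defaults to the running kernel from uname -r).
lime_module_matches() {
    want="${2:-$(uname -r)}"
    [ "$(lime_module_kernel "$1")" = "$want" ]
}

# Load the module only if it matches, write the image, unload the module
# (LiME registers itself as "lime"), then record a SHA-256 of the image
# next to it. Needs root; not run during the self-check below.
acquire_with_lime() {
    module="$1"; out="$2"
    if ! lime_module_matches "$module"; then
        echo "refusing to load $module: built for $(lime_module_kernel "$module"), running $(uname -r)" >&2
        return 1
    fi
    sudo insmod "$module" "path=$out" format=lime || return 1
    sudo rmmod lime
    sha256sum "$out" > "$out.sha256"
    echo "image written to $out, hash in $out.sha256"
}

# Self-check on constructed module names (no root needed)
if lime_module_matches lime-5.8.0-55-generic.ko 5.8.0-55-generic; then
    echo "module/kernel check: match detected as expected"
fi
if lime_module_matches lime-5.8.0-55-generic.ko 5.4.0-42-generic; then
    echo "unexpected match"
else
    echo "module/kernel check: mismatch detected as expected"
fi
```

Run it as `acquire_with_lime ./lime-$(uname -r).ko /mnt/evidence/dumped-memory.lime` from a shell that has sourced the script; the `.sha256` file written beside the image is what you compare against after copying the image off the host.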
Just as acquisition of memory on *UNIX systems requires the kernel version to be matched with the LKM used with it (if any), Volatility also requires a kernel-specific profile to allow analysts to run plugins on top of the memory sample. This step is required to ensure Volatility is able to parse kernel-specific data structures and has the right debug symbols to do so with accuracy.
Here's a list of commands you can use to follow the build process:
- Acquire the latest release of Volatility 2. At the time of writing it's 2.6.1:
wget https://github.com/volatilityfoundation/volatility/archive/refs/tags/2.6.1.zip
- Unzip the archive and move into the folder:
unzip 2.6.1.zip && cd volatility-2.6.1
- Head into the Linux tools folder:
cd tools/linux
- Execute the instructions in the Makefile using:
sudo make
- Ensure you have all tools required to create the module.dwarf file, which is the file containing the kernel data structures we need. One such tool is dwarfdump, which you can pull on an Ubuntu system using:
apt-get install dwarfdump
- Next, we'll take the debug symbols from the current System.map file and zip it along with the module.dwarf file:
sudo zip $(lsb_release -i -s)_$(uname -r)_profile.zip ~/{VOLATILITY_PATH}/tools/linux/module.dwarf /boot/System.map-$(uname -r)
- Move the ZIP file into Volatility's overlays folder:
mv $(lsb_release -i -s)_$(uname -r)_profile.zip ~/{VOLATILITY_PATH}/volatility/plugins/overlays/linux
- Check that your profile is listed in Volatility's info output: `python vol.py --info`
For example, for me, it was LinuxUbuntu_5_8_0-55-generic_profilex64
- Execute Volatility (using Python 2):
python vol.py -f mem.raw --profile=LinuxUbuntu_5_8_0-55-generic_profilex64 linux_bash
That's it. You're good to go!
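The profile name you pass to `--profile=` is derived by Volatility 2 from the ZIP's file name: "Linux", then the base name with every dot turned into an underscore, then the architecture suffix, which is how `Ubuntu_5.8.0-55-generic_profile.zip` becomes `LinuxUbuntu_5_8_0-55-generic_profilex64` above. The script below is an added example, not code from the post or from the Volatility project: it wraps the build steps in one function, predicts the profile name, and confirms `vol.py --info` lists it before you use it. `VOLATILITY_PATH` is an assumed environment variable pointing at the unpacked volatility-2.6.1 tree, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): automate the profile build
# described above and predict the profile name Volatility 2 will list, so
# the --profile= value can be verified before running plugins.
# VOLATILITY_PATH is an assumed variable pointing at the unpacked
# volatility-2.6.1 tree; helper names are this example's own.

# Zip name the post builds: <distro>_<kernel release>_profile.zip
profile_zip_name() {
    echo "${1}_${2}_profile.zip"
}

# Volatility 2 derives the class name from the zip basename: "Linux" +
# basename with dots replaced by underscores + architecture suffix.
# e.g. Ubuntu_5.8.0-55-generic_profile.zip, x64
#   -> LinuxUbuntu_5_8_0-55-generic_profilex64
profile_class_name() {
    zip="$1"; arch="${2:-x64}"
    base=$(basename "$zip" .zip)
    echo "Linux$(echo "$base" | tr '.' '_')$arch"
}

# Build the profile for the running kernel and drop it into the overlays
# folder. Needs root (make, reading /boot/System.map); not run in the
# self-check below.
build_profile() {
    vol="${VOLATILITY_PATH:?set VOLATILITY_PATH to the volatility-2.6.1 directory}"
    command -v dwarfdump >/dev/null || { echo "dwarfdump missing (apt-get install dwarfdump)" >&2; return 1; }
    distro=$(lsb_release -i -s); rel=$(uname -r)
    zip=$(profile_zip_name "$distro" "$rel")
    (cd "$vol/tools/linux" && sudo make) || return 1
    sudo zip "$zip" "$vol/tools/linux/module.dwarf" "/boot/System.map-$rel" || return 1
    mv "$zip" "$vol/volatility/plugins/overlays/linux/" || return 1
    name=$(profile_class_name "$zip" x64)
    # Confirm Volatility actually lists the new profile before using it
    if (cd "$vol" && python vol.py --info | grep -q "^$name "); then
        echo "profile ready: --profile=$name"
    else
        echo "profile $name not listed by vol.py --info" >&2
        return 1
    fi
}

# Self-check with the post's own values (no root needed); prints
# LinuxUbuntu_5_8_0-55-generic_profilex64
profile_class_name "$(profile_zip_name Ubuntu 5.8.0-55-generic)" x64
```

After `build_profile` succeeds, the printed `--profile=` value is exactly what the final `python vol.py -f mem.raw --profile=... linux_bash` command expects; on a 32-bit kernel pass `x86` instead of `x64` to `profile_class_name`.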