Linux memory forensics — Memory capture using AVML and analysis using volatility
In the old days we used dd command to point out /dev/mem or /dev/fmem or /dev/kmem as the input source but we cannot do that now. Because there is restriction applied on those memory area and thus you cannot access those. Another alternative way is using LiME — Linux memory extractor. Both the above tools requires some expert level knowledge while working on. Here is the commands if you would like to start with Lime.
Download the repo from the above link. Then give below commands one by one. Once you are done, then start from volatility phase.
git clone https://github.com/504ensicsLabs/LiME.git
cd LiME/src
make
sudo insmod ./lime-5.4.0-148-generic.ko “path=/root/linux64.mem fortmat=raw”
But LiME is not our main focus. The good news is Microsoft has build a tool for linux to capture memory in a very easy way. The tool is called avml.
Key steps:
- Download the tool and capture memory.
- Download volatility.
- Build a custom volatility profile specific to our kernel version.
- Move the zip file to a specific folder under volatility so that it can detect the newly created profile.
From here, just click on avml to download this on that linux machine which memory you want to capture.
After download we need to give executable permission to the avml.
chmod 755 avml
or
chmod +x avml
The good thing is we dont need to provide any flags or options. We just need to provide the output filename. The tool will automatically find the source of the memory that it needs to capture.
The system has a memory of 8 GB. The tool accurately captured the whole memory which you can see 8 GB as well.
Volatility:
Volatility can read .raw, .mem and .dmp image extension as well.
Now go to the following link to download volatility.
And give following command from that linux machine shell:
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
Navigate to tools/linux directory inside volatility. If you use LiME to capture memory image, then you need to follow from here.
As you can see makefile here so we need to compile something. So you need to give make command here.
make
But if you get the following error, that means you need to install dwarfdump.
sudo apt install dwarfdump
Now if we give make command then it would just work fine.
We have created zip archive profile for volatility profile. We need two things for that. One is currently compiled module.dwarf file and another one is debug symbols found in the system.map file in the running kernel.
At this point we have created our zip file. Now we need to place this somewhere that volatility can see it.
Now we need to move our zip file to the above location.
Now go to the volatility directory and give following command:
python vol.py --info | more
We can see that our profile is there. And volatility successfully find it out.
Yes it worked. Now you can analyse it with your skills also you can use yara plugin to find anomaly. Please see my below writeup to help you get started with memory analysis.
Thanks. I hope this blog will help you to capture memory image along with create volatility profile. Please subscribe below.
LinkedIn:
https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/
YouTube: