Memory forensics is a critical skill for understanding the state of a compromised system. A memory image captures what was actually executing at acquisition time (processes, network connections, loaded kernel modules, injected code that may never have touched disk), so it gives deep insight into the attack paths an adversary might have taken. In this post I will document how to acquire memory from a Linux system; in subsequent posts we will use Volatility to perform some basic analyses.
AVML (Acquire Volatile Memory for Linux) is an open-source tool developed by Microsoft to acquire volatile memory dumps from Linux systems. It is a statically linked binary that reads physical memory through /dev/crash, /proc/kcore or /dev/mem, whichever is available, and needs no kernel module, so it can be dropped onto a suspect system without installing anything. You can download a release binary from the project's GitHub repository (github.com/microsoft/avml).
Once downloaded, copy the binary to the suspect system (preferably from removable media or a network share, to minimise writes to the suspect disk) and run it as root to acquire a live image.
AVML writes the image in LiME format to the path you give it, here output.lime. Other tools, notably LiME itself (a loadable kernel module that has to be compiled against the suspect kernel), can also be used to extract memory from the suspect system, but for now we will stick with AVML. Before leaving the suspect system, hash the image and copy it to your workstation, so that the copy you analyse can be verified against the original. Now we are ready to perform the analysis. For this we will use Volatility, an excellent open-source memory forensics framework. This post uses Volatility 2, the profile-based branch (Volatility 3 replaces profiles with symbol tables); you can download it by cloning its GitHub repository, and you need Python 2.7 installed for it to work.
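The acquisition step above as a script, written as an added example for this post (it is not AVML's or the post author's own code). Besides running AVML it checks that the result really is a LiME image and records its SHA-256 so the copy on the workstation can be verified. The AVML binary path (./avml), the output name (output.lime) and the "acquire" sub-command are assumptions of this example, and the header check is based on the LiME format's 32-bit magic 0x4C694D45, which is stored little-endian and therefore appears as the bytes "EMiL" at the start of the file:

```shell
#!/bin/sh
# Added example (not from the original post): acquire a memory image with AVML,
# then verify and fingerprint it before it leaves the suspect host.
set -eu

# Where the AVML binary was uploaded and what to call the image are
# assumptions of this example; adjust to your own layout.
AVML_BIN="${AVML_BIN:-./avml}"
IMAGE="${IMAGE:-output.lime}"

# AVML must run as root to read physical memory. It writes LiME format,
# which is what Volatility's Linux address space expects.
acquire_memory() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "acquire_memory: must run as root (sudo)" >&2
        return 1
    fi
    "$AVML_BIN" "$IMAGE"
}

# A LiME image starts with a 32-byte segment header: the magic 0x4C694D45
# stored little-endian (bytes "EMiL") followed by a 32-bit version field of 1.
# Returns 0 if the file looks like a LiME image, 1 otherwise.
verify_lime_header() {
    img="$1"
    [ -s "$img" ] || return 1
    magic=$(od -An -tx1 -N4 "$img" | tr -d ' \n')
    version=$(od -An -tx1 -j4 -N4 "$img" | tr -d ' \n')
    [ "$magic" = "454d694c" ] && [ "$version" = "01000000" ]
}

# Write the hash next to the image so the copy on the analysis workstation
# can be checked against it later (chain of custody).
fingerprint_image() {
    img="$1"
    sha256sum "$img" | tee "$img.sha256"
}

# Only run the acquisition when invoked as:  sudo sh acquire.sh acquire
case "${1:-}" in
    acquire)
        acquire_memory
        verify_lime_header "$IMAGE" || { echo "$IMAGE is not a LiME image" >&2; exit 1; }
        fingerprint_image "$IMAGE"
        ;;
esac
```

Copy both output.lime and output.lime.sha256 to the workstation and re-run sha256sum there before doing anything else with the image.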
Install Volatility by cloning its GitHub repository (volatilityfoundation/volatility).
Once cloned, change into the volatility directory and run Volatility with a command of the following form. Note the two dashes on --profile, and that -f takes the image path as a separate argument rather than with an equals sign:
python vol.py --profile=profilename -f suspectimage command
Here we have acquired suspectimage, but we still need profilename. A Volatility 2 Linux profile is a zip containing two things: the layouts of the kernel's data structures, extracted with dwarfdump from the DWARF debug information of a small kernel module compiled against the suspect kernel, and the kernel's symbol addresses from its System.map. Both are specific to the exact kernel build, so the profile has to be built for the kernel version the image was taken from (uname -r on the suspect system). To build it we need to install a few tools: dwarfdump, build-essential, the kernel headers for the running kernel, and zip.
Once these tools are installed, clone Volatility from GitHub on the suspect Linux target (or, better, on a clean machine or VM running the identical kernel, since compiling on the suspect system writes to its disk), change into the tools/linux directory and run make. This compiles module.ko against the running kernel and runs dwarfdump on it, producing module.dwarf.
Now we are ready to create the profile. For this we bundle the module.dwarf file created in the step above together with the kernel's symbol file, /boot/System.map-$(uname -r), into a zip.
Finally, our profile is created as ubuntu1604.zip. Now we need to download the profile to our workstation and place it in the volatility/plugins/overlays/linux/ folder inside the Volatility checkout; Volatility derives the profile name from the zip's file name.
Now, let’s run the following command to see our newly created profile.
Copy the profile name and use it while performing analyses with volatility. Let’s see which processes were running in the suspect system using the following command. (to be continued)
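The profile-building and analysis steps above, from installing the build tools through listing processes, as one script. This is an added example for this post, not the Volatility project's or the post author's own code. The Volatility checkout location ($VOL_DIR), the profile name ubuntu1604 and the sub-commands build/install/pslist are assumptions of this example; the naming rule in profile_name and the architecture test in arch_from_sysmap mirror how Volatility 2 registers a Linux profile from a zip (Linux + zip basename with "." replaced by "_" + x64 or x86, the architecture being detected from the presence of ffffffff addresses in System.map):

```shell
#!/bin/sh
# Added example (not from the original post): build a Volatility 2 Linux
# profile on the suspect kernel, install it on the workstation, list processes.
set -eu

# Assumed location of the Volatility 2 checkout on both machines.
VOL_DIR="${VOL_DIR:-${HOME:-/tmp}/volatility}"
KVER="$(uname -r)"

# Volatility 2 decides the architecture from System.map: if any symbol has a
# ffffffff... address the profile is x64, otherwise x86.
arch_from_sysmap() {
    if grep -q ffffffff "$1"; then echo x64; else echo x86; fi
}

# Predict the name --info will show for a profile zip:
#   Linux<zip basename with . replaced by _><arch>
# e.g. ubuntu1604.zip on a 64-bit kernel registers as Linuxubuntu1604x64.
profile_name() {
    base="${1##*/}"       # strip directories
    base="${base%.zip}"   # strip extension
    printf 'Linux%s%s\n' "$(printf '%s' "$base" | tr '.' '_')" "$2"
}

# Step 1, on the suspect kernel (or a clean box running the identical kernel):
# compile tools/linux/module.ko, dump its DWARF, and zip it with System.map.
build_profile() {
    name="$1"   # e.g. ubuntu1604
    sysmap="/boot/System.map-$KVER"
    sudo apt-get install -y dwarfdump build-essential "linux-headers-$KVER" zip
    [ -d "$VOL_DIR" ] || git clone https://github.com/volatilityfoundation/volatility "$VOL_DIR"
    (cd "$VOL_DIR/tools/linux" && make)       # runs dwarfdump -di module.ko > module.dwarf
    zip -j "$name.zip" "$VOL_DIR/tools/linux/module.dwarf" "$sysmap"   # -j: no directory paths
    echo "profile will register as: $(profile_name "$name.zip" "$(arch_from_sysmap "$sysmap")")"
}

# Step 2, on the workstation: drop the zip into the Linux overlays folder and
# confirm Volatility picks it up. Volatility 2 needs Python 2.7.
install_profile() {
    cp "$1" "$VOL_DIR/volatility/plugins/overlays/linux/"
    python2 "$VOL_DIR/vol.py" --info | grep '^Linux'
}

# Step 3: walk the kernel task list of the image with the new profile.
list_processes() {
    python2 "$VOL_DIR/vol.py" --profile="$1" -f "$2" linux_pslist
}

# Usage:  sh profile.sh build ubuntu1604
#         sh profile.sh install ubuntu1604.zip
#         sh profile.sh pslist Linuxubuntu1604x64 output.lime
case "${1:-}" in
    build)   build_profile "$2" ;;
    install) install_profile "$2" ;;
    pslist)  list_processes "$2" "$3" ;;
esac
```

If linux_pslist returns nothing or errors about the profile, the usual cause is a kernel mismatch: the module.dwarf and System.map must come from exactly the kernel build that was running when the image was taken.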