Linux Memory Forensics - Memory Capture and Analysis
- Published 14 Jun 2024
- You're likely familiar with many tools that allow us to capture memory from a Windows system, and you may have watched other episodes in which we used Volatility to analyze those captures. But, have you ever wondered how to capture and analyze memory on a Linux system? Well, wait no longer, because that's exactly what we'll cover in this episode!
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
📖 Chapters
00:00 - Intro
02:57 - Microsoft AVML
05:14 - Volatility Configuration
09:15 - Volatility Analysis
11:52 - Recap
🛠 Resources
Microsoft AVML:
github.com/microsoft/avml
How to Generate a Volatility Profile for a Linux System:
www.andreafortuna.org/2019/08...
🖥 Commands Used in This Episode
Download and run AVML to create memory capture:
sudo ./avml memory.dmp
Download Volatility:
git clone github.com/volatilityfoundati...
Build a custom Volatility profile for the specific Linux kernel version in use (start from the directory that contains the cloned volatility repo):
cd ./volatility/tools/linux
sudo apt install dwarfdump
make
cd ../../
uname -a (show the running kernel version; its release string is the [KERNEL VERSION] used below)
sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]
Install the custom Volatility profile (still inside the volatility directory after the cd ../../ above, so the overlay path is relative to it):
mv [DISTRO_KERNEL].zip ./plugins/overlays/linux
Run Volatility, specifying the custom profile, and point it at the AVML memory capture:
./vol.py --info | more (verify the new profile is listed under Profiles)
./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
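The profile-building step above is where most people get stuck: zip quietly skips a member it cannot find (the "name not matched" warning), and Volatility 2 then refuses to load the profile or lists it under a name you did not expect. The helper below is an added example for this page, not 13Cubed's script or part of Volatility. It assumes you run it from the root of a Volatility 2 checkout after `make` has produced tools/linux/module.dwarf, that `zip` and `uname` are available, and it predicts the registered profile name the way the Volatility 2 linux overlay builds it (the word "Linux", the zip base name with dots turned into underscores, then x64 or x86); the architecture is inferred here from the address width in System.map. Always confirm the final name with `./vol.py --info`.

```shell
#!/bin/sh
# Added helper for building a Volatility 2 Linux profile (example, not the video's own script).
# Assumed layout: executed from the root of a cloned Volatility 2 checkout after
# `make` in tools/linux; the profile zip is written straight into plugins/overlays/linux.

# Report which of the two profile inputs is missing or empty.
# Volatility 2 needs both the DWARF file built by `make` and the System.map of the
# kernel the memory was captured from; zip would silently drop a missing member.
check_profile_inputs() {
    dwarf="$1"; sysmap="$2"; ok=0
    [ -s "$dwarf" ]  || { echo "missing or empty: $dwarf (did 'make' in tools/linux succeed?)" >&2; ok=1; }
    [ -s "$sysmap" ] || { echo "missing or empty: $sysmap (must match the captured kernel's uname -r)" >&2; ok=1; }
    return $ok
}

# Predict the profile name Volatility 2 registers for ZIPNAME.zip:
# "Linux" + zip base name with dots replaced by underscores + "x64"/"x86".
# The architecture is inferred from the width of the first address in System.map
# (16 hex digits on 64-bit kernels, 8 on 32-bit).
vol2_profile_name() {
    zipname="$1"; sysmap="$2"
    width=$(awk 'NR==1 { print length($1); exit }' "$sysmap" 2>/dev/null)
    case "$width" in
        16) arch=x64 ;;
        8)  arch=x86 ;;
        *)  echo "cannot infer architecture from $sysmap" >&2; return 1 ;;
    esac
    printf 'Linux%s%s\n' "$(printf '%s' "$zipname" | tr . _)" "$arch"
}

# Build the profile zip in the overlay directory and print the --profile= value to use.
# $1 = zip base name (e.g. Ubuntu2204_5.15.0), $2/$3 = optional paths to module.dwarf and System.map.
build_profile() {
    zipname="$1"
    dwarf="${2:-./tools/linux/module.dwarf}"
    sysmap="${3:-/boot/System.map-$(uname -r)}"
    overlay="./plugins/overlays/linux"
    check_profile_inputs "$dwarf" "$sysmap" || return 1
    [ -d "$overlay" ] || { echo "not in a Volatility 2 checkout: $overlay not found" >&2; return 1; }
    zip "$overlay/$zipname.zip" "$dwarf" "$sysmap" >/dev/null || return 1
    name=$(vol2_profile_name "$zipname" "$sysmap") || return 1
    echo "profile written to $overlay/$zipname.zip"
    echo "expected profile name (confirm with ./vol.py --info): $name"
}

# Usage, from the volatility directory:  sh build_profile.sh Ubuntu2204_5.15.0
if [ "$#" -gt 0 ]; then
    build_profile "$1"
fi
```

Because the profile is tied to the exact kernel build, the same script can be run on any box with that kernel (a clone of the target disk, a VM built from the same package set) and the resulting zip copied to the analysis workstation; the memory image itself never needs to be analysed on the host it was taken from.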
#Forensics #DigitalForensics #DFIR #ComputerForensics #LinuxForensics #MemoryForensics - Science & Technology
Would love more Linux content!
WSL 2 in Windows 10 will make that much easier (and more likely)!
I don't know how many tutorials I have tried until I have found yours, the only one that works. Thanks!
This is really awesome content, kindly do more on Linux forensics please.
Thank you for the great video as always. Compressed, to the point and the important stuff highlighted.
Excellent explanation + Demo. Great job!
Great video again as always..
Great Video! Definitely find it useful.
Thank You so much for this tutorial!
thank you! waiting for more :)
thanks for the amazing video mate helped a lot
Up till now I was using LiME, which was very tedious. Haven't tried AVML yet, but it would be helpful. Great video, Richard.
Please do more about memory forensics, especially on linux!
amazing content!!
This is great. Thank you so much
thanks for this video, you literally saved my school project
Well that's awesome :)
Thanks, author. Interesting video.
More please!!
Good One
Great, thx
Thanks. Here we took the mem dump and installed Volatility on the same host... what if I want to analyze it on a different workstation?
If you're having an issue with distorm3 not being present when running the pstree process, you'll need to install that (I installed using pip). If you then have issues installing distorm3 (like I did), try installing these: sudo apt-get install build-essential libssl-dev libffi-dev python-dev
Am I right in thinking that you would still need to be running Volatility/Dwarfdump on the target system in order to build the correct profile?
My thought to get around that would be to clone the user's hard drive, then boot the clone and install Volatility/dwarfdump to then generate the correct profile.
You could also potentially use another machine with the same kernel version to build the correct profile.
Help? "zip warning: name not matched: ./volatility/tools/linux/module.dwarf" module.dwarf does NOT show up in the linux folder, but system says it is installed. Thank you.
Nice one.. Any plan for macos memory forensics?
Yes!
Man, damn, you're so awesome
Hi Richard... is there any way of deploying AVML from a USB drive? I believe there are issues relating to the FAT file system that prevent this... thanks..
I've not tried to run AVML from removable media, so to be honest I do not know. Some testing would need to be performed.
I have just tested this on a USB drive and had zero issues
@ashleythomas771 Nice!
Based on the comment above regarding compromising the system, couldn't you not take this dmp file, and export it to another system? Then use Redline to analyze it?
Using this from a usb of course
@williamkeffer8192 I believe he was asking whether or not you could run/execute AVML from removable media. If you are asking if you can take the memory dump and move it to another system for analysis, yes. In real life, that's exactly what you would do (in other words, you would not analyze the memory dump on the system from which it was acquired - this was just a demo/proof of concept). That said, you'd still need the correct Volatility profile in order for the tool to be able to make sense of the memory image. As for Redline 2.0, which now supports Linux/macOS, I have not played with it (yet).
When I run "python vol.py --info | more", obviously after performing each step, an error appears: Failed to import volatility.plugins.overlays.linux.linux (ValueError: too many values to unpack)
and it doesn't let me create the profile. Can you help me please? I don't know why this comes up.
That is interesting. What are the specifications (OS/kernel version) of the machine on which you are trying this? Can you remove/re-clone the repo and try again with a clean start?
When I run sudo ./avml memory.dmp
I get: error: unable to read memory
How do I fix the problem?
Happened to me, I think I might not have had enough storage space. I had to make a new system in my VirtualBox with more storage space