Linux Memory Forensics - Memory Capture and Analysis

  • Published 14 Jun 2024
  • You're likely familiar with many tools that allow us to capture memory from a Windows system, and you may have watched other episodes in which we used Volatility to analyze those captures. But, have you ever wondered how to capture and analyze memory on a Linux system? Well, wait no longer, because that's exactly what we'll cover in this episode!
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    📖 Chapters
    00:00 - Intro
    02:57 - Microsoft AVML
    05:14 - Volatility Configuration
    09:15 - Volatility Analysis
    11:52 - Recap
    🛠 Resources
    Microsoft AVML:
    github.com/microsoft/avml
    How to Generate a Volatility Profile for a Linux System:
    www.andreafortuna.org/2019/08...
    🖥 Commands Used in This Episode
    Download and run AVML to create memory capture:
    sudo ./avml memory.dmp
    Download Volatility:
    git clone github.com/volatilityfoundati...
    Build custom Volatility profile based upon specific Linux kernel version in use:
    cd ./volatility/tools/linux
    sudo apt install dwarfdump
    make
    cd ../../
    uname -a (show current kernel version)
    sudo zip [DISTRO_KERNEL].zip ./tools/linux/module.dwarf /boot/System.map-[KERNEL VERSION]
    Install custom Volatility profile:
    mv [DISTRO_KERNEL].zip ./volatility/plugins/overlays/linux
    Run Volatility, specifying custom profile, and point at the AVML memory capture:
    ./vol.py --info | more (verify profile is available)
    ./vol.py -f /path/to/memory.dmp --profile=[NEW PROFILE NAME] [PLUGIN]
    #Forensics #DigitalForensics #DFIR #ComputerForensics #LinuxForensics #MemoryForensics
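    As an added example (not 13Cubed's script and not shown in the video), the shell below strings the episode's commands together with the checks a practitioner would want before trusting the result: enough free space on the destination for an image roughly the size of physical RAM, both profile inputs present before zipping (module.dwarf is only there once `make` in tools/linux has succeeded), and an archive name that keeps dots out of the name Volatility 2 derives the profile from. The `capture`/`profile` subcommands, the kB-based space rule of thumb, and the SHA-256 record written next to the image are assumptions of this example; the AVML and Volatility paths follow the commands listed above.

```shell
#!/bin/sh
# Added example, not 13Cubed's script: wraps the episode's AVML capture and
# Volatility 2 profile-build steps with the sanity checks they assume.
# ./avml and ./volatility follow the video; subcommands and the space rule are assumptions.
set -u

# Rule of thumb (assumption): an uncompressed AVML image is about the size of
# physical RAM, so refuse to capture unless free space exceeds MemTotal.
# Both values are in kB so the check can be exercised without /proc.
capture_space_ok() {
    mem_kb="$1"; free_kb="$2"
    [ "$free_kb" -gt "$mem_kb" ]
}

# Both inputs of the profile zip must exist and be non-empty: module.dwarf is
# produced by `make` in volatility/tools/linux, System.map-<version> lives in /boot.
check_profile_inputs() {
    dwarf="$1"; sysmap="$2"
    ok=0
    [ -s "$dwarf" ]  || { echo "missing $dwarf (did 'make' in tools/linux succeed?)" >&2; ok=1; }
    [ -s "$sysmap" ] || { echo "missing $sysmap (wrong kernel version?)" >&2; ok=1; }
    return "$ok"
}

# Volatility 2 derives the --profile name from the zip file name, so build it
# from distro + `uname -r` and replace dots and spaces with underscores.
vol_profile_name() {
    distro="$1"; kernel="$2"
    printf '%s_%s\n' "$distro" "$kernel" | tr '. ' '__'
}

# Usage (as root, on the target):  sh linux_mem.sh capture [/output/dir]
#                                  sh linux_mem.sh profile Ubuntu [/path/to/volatility]
case "${1:-}" in
capture)
    out="${2:-.}"
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    free_kb=$(df -Pk "$out" | awk 'NR==2 {print $4}')
    capture_space_ok "$mem_kb" "$free_kb" \
        || { echo "not enough space in $out for ${mem_kb} kB of RAM" >&2; exit 1; }
    ./avml "$out/memory.dmp"                     # same as the episode: sudo ./avml memory.dmp
    sha256sum "$out/memory.dmp" > "$out/memory.dmp.sha256"   # record a hash before moving the image
    ;;
profile)
    distro="${2:?distro name, e.g. Ubuntu}"; vol="${3:-./volatility}"
    kernel=$(uname -r)
    dwarf="$vol/tools/linux/module.dwarf"; sysmap="/boot/System.map-$kernel"
    [ -s "$dwarf" ] || (cd "$vol/tools/linux" && make)    # build module.dwarf if absent
    check_profile_inputs "$dwarf" "$sysmap" || exit 1
    name=$(vol_profile_name "$distro" "$kernel")
    # Same two inputs the episode zips; the archive goes straight into the overlays dir.
    zip "$vol/volatility/plugins/overlays/linux/$name.zip" "$dwarf" "$sysmap"
    echo "profile archive written; confirm with: $vol/vol.py --info | grep -i '$name'"
    ;;
esac
```

    The space check is what fails loudest on small VMs, and the input check turns a cryptic "zip warning: name not matched" into a message that points at the missing `make` step. Copying the image and its hash together is what lets the analysis workstation verify it received the same bytes the capture host wrote.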
  • Science & Technology

Comments • 47

  • @Superotation 4 years ago +28

    Would love more Linux content!

    • @13Cubed 4 years ago +2

      WSL 2 in Windows 10 will make that much easier (and more likely)!

  • @Skaxarrat several months ago

    I don't know how many tutorials I have tried until I have found yours, the only one that works. Thanks!

  • @Jai6684 3 years ago +7

    This is really awesome content, kindly do more on Linux forensics please.

  • @CougarESP 3 years ago +1

    Thank you for the great video as always. Compressed, to the point and the important stuff highlighted.

  • @emT__T 3 years ago +2

    Excellent explanation + Demo. Great job!

  • @msecure5543 4 years ago +2

    Great video again as always..

  • @erod6092 4 years ago +1

    Great Video! Definitely find it useful.

  • @mihaizaharia00 2 years ago +1

    Thank You so much for this tutorial!

  • @playmaker1011 3 years ago +1

    thank you! waiting for more :)

  • @Nalllyyy 2 years ago +1

    thanks for the amazing video mate helped a lot

  • @majidjahangeer181 4 years ago +2

    Up till now I was using LiME, which was very tedious. Didn't try AVML yet, but it would be helpful. Great video Richard

  • @Florian-ty5vg 3 years ago +3

    Please do more about memory forensics, especially on linux!

  • @dalmoveras1930 3 years ago +1

    amazing content!!

  • @kerbalette156 2 years ago +1

    This is great. Thank you so much

  • @903leaf 2 years ago +1

    thanks for this video, you literally saved my school project

    • @13Cubed 2 years ago

      Well that's awesome :)

  • @maithanhthang9472 3 years ago +1

    Thank you, author. Interesting video

  • @TheAyamsabung 3 years ago +1

    More please!!

  • @dlandigi 3 years ago +1

    Good One

  • @pepimoser7309 3 years ago +1

    Great, thx

  • @Options_99 11 months ago

    Thanks. Here we took the mem dump and installed Volatility on the same host... what if I want to analyze it on a different workstation?

  • @nabbit 3 years ago +1

    If you're having an issue with distorm3 not being present when running the pstree process, you'll need to install that (I installed using pip). If you then have issues installing distorm3 (like I did), try installing these: sudo apt-get install build-essential libssl-dev libffi-dev python-dev

  • @nabbit 3 years ago +2

    Am I right in thinking that you would still need to be running Volatility/Dwarfdump on the target system in order to build the correct profile?
    My thought to get around that would be to clone the user's hard drive, then boot the clone and install Volatility/dwarfdump to then generate the correct profile.

    • @13Cubed 3 years ago +1

      You could also potentially use another machine with the same kernel version to build the correct profile.

  • @neiltropolis 1 year ago

    Help? "zip warning: name not matched: ./volatility/tools/linux/module.dwarf" module.dwarf does NOT show up in the linux folder, but system says it is installed. Thank you.

  • @sathishds86ds 3 years ago +1

    Nice one... Any plan for macOS memory forensics?

    • @13Cubed 3 years ago

      Yes!

  • @robinhood3841 3 years ago +1

    Maan damn you're so awesome

  • @davidmacfarlane8228 3 years ago +1

    Hi Richard... is there any way of deploying AVML from a USB drive? I believe there are issues relating to the FAT file system that prevent this... thanks..

    • @13Cubed 3 years ago

      I've not tried to run AVML from removable media, so to be honest I do not know. Some testing would need to be performed.

    • @ashleythomas771 3 years ago +1

      I have just tested this on a USB drive and had zero issues

    • @13Cubed 3 years ago

      @ashleythomas771 Nice!

    • @williamkeffer8192 3 years ago

      Based on the comment above regarding compromising the system, couldn't you take this dmp file and export it to another system? Then use Redline to analyze it?
      Using this from a USB, of course

    • @13Cubed 3 years ago

      @williamkeffer8192 I believe he was asking whether or not you could run/execute AVML from removable media. If you are asking if you can take the memory dump and move it to another system for analysis, yes. In real life, that's exactly what you would do (in other words, you would not analyze the memory dump on the system from which it was acquired - this was just a demo/proof of concept). That said, you'd still need the correct Volatility profile in order for the tool to be able to make sense of the memory image. As for Redline 2.0, which now supports Linux/macOS, I have not played with it (yet).

  • @dianamarcelapinoperafan3189 3 years ago

    When I run "python vol.py --info | more", obviously after performing each step, an error appears: Failed to import volatility.plugins.overlays.linux.linux (ValueError: too many values to unpack)
    and it doesn't let me create the profile. Can you help me please? I don't know why this comes out.

    • @13Cubed 3 years ago

      That is interesting. What are the specifications (OS/kernel version) of the machine on which you are trying this? Can you remove/re-clone the repo and try again with a clean start?

  • @kaliswanekajuniarsa8245 2 years ago +1

    When I run sudo ./avml memory.dmp
    error: unable to read memory
    How do I fix the problem?

    • @tk_attack 2 years ago +1

      Happened to me, I think I might not have had enough storage space. I had to make a new system in my VirtualBox with bigger storage space