Linux Memory Capture and Analysis - Volatility Tutorial for Linux Memory Forensics

  • Published on 20 Jun 2024
  • You're likely familiar with many tools that allow us to capture memory from a Windows system. But have you ever wondered how the memory capture process works for a Linux system, and how you can analyse the result using Volatility? Wait no longer, because that's exactly what we cover in this episode! I will show you the easiest way to capture memory from a Linux system and how to prepare Volatility to parse that memory dump and extract valuable information during a forensic investigation.
    🔗LINKS FOR YOUR REQUIREMENTS-
    -------------------------------------------------------------------------------------------------------------------------
    👉AVML Tool- github.com/microsoft/avml
    👉Volatility Tool- github.com/volatilityfoundation
    🔥🔥🔥🔥🔥
    Check-out my Free InfoSec Resource Fusion- bit.ly/3vOFarG
    🔥🔥🔥🔥🔥
    WATCH BELOW AS WELL 🔥🔥🔥🔥🔥
    -------------------------------------------------------------------------------------------------------------------------
    IR Flash 👉 • How to Collect System ...
    Access Incident Response Full Training Course👉 bit.ly/2OKQaFP
    Check out Malware Investigation Part1👉 • Creation of Malware An...
    Check out Malware Investigation Part2👉 • Malware Analysis Bootc...
    BlackPerl Forensics Episodes👉 bit.ly/3pgpqsG
    How do I prepare my timeline👉 • Supply-Chain Attack | ...
    Decoding JavaScript codes for Incident Response👉 • Finding and Decoding M...
    Learn Yara Here 👉 • How to Create Yara || ...
    🖥
    Commands we ran in this episode-
    -------------------------------------------------------------------------------------------------------------------------
    After downloading AVML-
    1. file avml
    2. chmod 755 avml
    3. sudo ./avml memory.raw
    Create Volatility Linux Profile-
    1. cd ./volatility/tools/linux (after steps 2-4, run make in this directory to build module.dwarf)
    2. sudo apt install make
    3. sudo apt install gcc
    4. sudo apt install dwarfdump
    5. sudo zip [distro kernel].zip ./volatility/tools/linux/module.dwarf /boot/System.map-[kernel version]
    6. mv [distro kernel].zip ./volatility/plugins/overlays/linux/
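The profile steps above, and the "zip warning: name not matched" situation raised in the comments, both come down to one requirement: the profile zip must contain exactly two members, the module.dwarf built by make in volatility/tools/linux and the System.map-[kernel version] file from /boot that matches the captured host's kernel. The checker below is an added example, not code from the video or from the Volatility project. It builds constructed sample zips in a temporary directory so it runs offline; the kernel version string, file paths inside the zips and file contents are constructed placeholders.

```python
"""Validate a Volatility 2 Linux profile zip before copying it into
volatility/plugins/overlays/linux/.  Added example, not part of the video
or of the Volatility project; sample data below is constructed."""
import os
import re
import tempfile
import zipfile

# A Volatility 2 Linux profile holds exactly these two members: the compiled
# module.dwarf and the kernel's System.map-<version> file.  `zip` strips the
# leading "/" so /boot/System.map-X is stored as boot/System.map-X.
DWARF_NAME = "module.dwarf"
SYSTEM_MAP_RE = re.compile(r"(^|/)System\.map-(?P<version>\S+)$")


def check_profile(zip_path, expected_kernel=None):
    """Return (ok, problems) for a profile zip.

    expected_kernel is the `uname -r` output of the captured host; when
    given, the bundled System.map must carry exactly that version.
    """
    problems = []
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if n.endswith(DWARF_NAME)]
        maps = [n for n in names if SYSTEM_MAP_RE.search(n)]
        if len(dwarfs) != 1:
            problems.append("expected one module.dwarf, found %d" % len(dwarfs))
        elif zf.getinfo(dwarfs[0]).file_size == 0:
            problems.append("module.dwarf is empty: run make in volatility/tools/linux")
        if len(maps) != 1:
            # This is what a mistyped System.map path leaves behind: zip warns
            # "name not matched" and the archive holds only module.dwarf.
            problems.append("expected one System.map-<version>, found %d" % len(maps))
        elif expected_kernel:
            found = SYSTEM_MAP_RE.search(maps[0]).group("version")
            if found != expected_kernel:
                problems.append("System.map is for %s but dump host runs %s"
                                % (found, expected_kernel))
    return (not problems, problems)


def build_sample_profile(directory, kernel, include_map=True):
    """Create a toy profile zip with constructed contents (no real kernel data)."""
    path = os.path.join(directory, "Sample_%s.zip" % kernel)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("volatility/tools/linux/module.dwarf", "<constructed dwarf placeholder>\n")
        if include_map:
            zf.writestr("boot/System.map-%s" % kernel, "ffffffff81000000 T startup_64\n")
    return path


def demo():
    """Complete profile passes; missing System.map and wrong kernel are rejected."""
    kernel = "5.17.0-kali3-cloud-amd64"  # version quoted in the comments; any uname -r value works
    with tempfile.TemporaryDirectory() as tmp:
        good = check_profile(build_sample_profile(tmp, kernel), kernel)
        no_map = check_profile(build_sample_profile(tmp, kernel, include_map=False), kernel)
        wrong = check_profile(build_sample_profile(tmp, kernel), "5.15.0-generic")
    return good[0], no_map[0], wrong[0]


if __name__ == "__main__":
    print(demo())
```

Run check_profile against the real zip before moving it under plugins/overlays/linux; a profile that passes here still has to match the memory dump, so the kernel version should be taken from the captured host, not the forensic workstation.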
    Mount the second volume(the infected machine)-
    1. lsblk
    2. sudo file -s /dev/xvdf1
    3. sudo mkdir /mnt/linux_mount
    4. sudo mount -o ro /dev/xvdf1 /mnt/linux_mount
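After mounting the infected volume with -o ro, the state worth confirming is that the kernel actually recorded the mount as read-only. The checker below is an added example, not from the video; it parses a constructed excerpt in /proc/mounts format so it runs offline, and the device names and mount points in that excerpt are constructed to mirror the commands above. For a live check, pass the contents of /proc/mounts instead.

```python
"""Confirm an evidence volume is mounted read-only by parsing /proc/mounts.
Added example, not from the video; SAMPLE_PROC_MOUNTS is constructed."""

# Constructed excerpt in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_PROC_MOUNTS = """\
/dev/xvda1 / ext4 rw,relatime,discard 0 0
/dev/xvdf1 /mnt/linux_mount ext4 ro,relatime 0 0
/dev/xvdg1 /mnt/other_case ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Yield one dict per mount entry; the options column becomes a set of flags."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        # /proc/mounts encodes a space in a path as the octal escape \040
        yield {
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        }


def evidence_mount_status(text, mountpoint):
    """'ok' if mountpoint is mounted read-only, 'writable' if rw, else 'not_mounted'."""
    for mount in parse_mounts(text):
        if mount["mountpoint"] == mountpoint:
            return "ok" if "ro" in mount["options"] else "writable"
    return "not_mounted"


if __name__ == "__main__":
    # Live use: open("/proc/mounts").read() in place of the constructed sample
    print(evidence_mount_status(SAMPLE_PROC_MOUNTS, "/mnt/linux_mount"))
```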

    Timelines
    -------------------------------------------------------------------------------------------------------------------------
    0:00 ⏩ Intro
    1:01 ⏩ Login to Ubuntu VMs
    1:51 ⏩ Download AVML & Dump Memory
    5:34 ⏩ Download Volatility & Make Linux Profile
    16:58 ⏩ Transfer memory dump to forensic workstation
    24:39 ⏩ Run Volatility on Linux Memory Dump
    26:33 ⏩ Summarize, Automation & TEASER
    📞📲
    FOLLOW ME EVERYWHERE-
    -------------------------------------------------------------------------------------------------------------------------
    ✔ LinkedIn: / blackperl
    ✔ You can reach out to me personally in LinkedIn as well- bit.ly/38ze4L5
    ✔ Twitter: @blackperl_dfir
    ✔ Insta: (blackperl_dfir) / blackperl_dfir
    ✔ Can be reached via blackperl_dfir@yahoo.com
    SUPPORT BLACKPERL
    -------------------------------------------------------------------------------------------------------------------------
    ╔═╦╗╔╦╗╔═╦═╦╦╦╦╗╔═╗
    ║╚╣║║║╚╣╚╣╔╣╔╣║╚╣═╣
    ╠╗║╚╝║║╠╗║╚╣║║║║║═╣
    ╚═╩══╩═╩═╩═╩╝╚╩═╩═╝
    ➡️ SUBSCRIBE, Share, Like, Comment
    ☕ Buy me a Coffee 👉 www.buymeacoffee.com/BlackPerl
    📧 Sponsorship Inquiries: archan.fiem.it@gmail.com
    -------------------------------------------------------------------------------------------------------------------------
    🙏 Thanks for watching!! Be CyberAware!! 🤞
    #dfir #linux #volatility #blackperl
  • Science & Technology

Comments • 26

  • @cararose2987  3 years ago  +1

    Amazing content. This will help us prepare the forensics runbook right away! Thanks for making it. Looking forward to more Linux content..

    • @BlackPerl  3 years ago

      Thank you for the feedback! Please stay tuned!

  • @debabratabandyopadhyay8319  3 years ago  +1

    The intro is amazing!! Great!!

  • @debjanibanerjee4373  3 years ago  +1

    Lovely Episode!!

  • @montyhell6726  3 years ago  +2

    Changing anything in the infected system can lead to loss of evidence, is it true?? If so, you said running an apt command can change a lot and sometimes ask for a reboot also. So is it a recommended action to reboot the server before taking the memory dump, or change any parameters, as it can flush the TCP dump also?

    • @BlackPerl  3 years ago  +3

      Yes, you are right.. Changing things in the evidence system might have a chance to override potential data, which might create issues later while doing the investigation.
      And you should never do a reboot before capturing the memory dump. For my case, since I was starting fresh I did an apt-get update, but in the actual world and incident, you MUST not do it. You can just dump the AVML file and run it. Running AVML won't push much fingerprint on the system and it works in kernel mode, so not much will be shifted from memory, so we are good!

  • @muralimohan4938  3 years ago  +1

    Good Episode.
    You can make a video on the tool Redline also.

    • @BlackPerl  3 years ago  +1

      Thanks for the suggestion, Buddy. Will do.

  • @carlosdanielbedoyramos4419  1 year ago  +1

    Help, how do I do the same analysis with Python 3?

    • @BlackPerl  1 year ago

      You need to use Volatility3 if you want to use Python 3. Volatility2 doesn't support Python 3, I believe

    • @carlosdanielbedoyramos4419  1 year ago

      @@BlackPerl
      Yes, I understand the point, I have analyzed Windows RAM dumps with Volatility3, but I have not been able to analyze Linux RAM dumps with Volatility3. Have you done it? Thanks for your answer

    • @BlackPerl  1 year ago

      @@carlosdanielbedoyramos4419 No, I don't use vol3 much since it's still in an early stage, so not matured enough

  • @bitsworld6721  2 years ago

    Hi, I was following your tutorial but got stuck on zip file parsing. I am getting the error below; I think the issue is with the system kernel name, please advise
    sudo zip kali_5.17.0-kali3-cloud-amd64.zip ./volatility/tools/linux/module.dwarf /boot/System.map 5.17.0-kali3-cloud-amd64
    zip warning: name not matched: /boot/System.map
    zip warning: name not matched: 5.17.0-kali3-cloud-amd64
    adding: volatility/tools/linux/module.dwarf (deflated 91%)

    • @BlackPerl  2 years ago

      It seems to be a warning and not a hard error. Please try using the profile with a memory dump. Also, make sure you have the correct name of the System.map under the /boot directory

    • @bitsworld6721  2 years ago  +1

      @@BlackPerl Thanks, it's working, yes, it's the correct name of the System.map

  • @securitybyte1695  1 year ago

    Why make a snapshot etc. to do the memory dump file transfer? Why not just transfer it normally, like using a Python HTTP server?

    • @BlackPerl  1 year ago

      Yes, you can transfer any way you like. But at times, your file might be 10GB or more, so transferring via an online server will take a huge amount of time. Also, your compliance will not support sending data through the internet.
      So the easiest and safest option is to take a snapshot and do it within AWS

  • @jotunheim1491  1 year ago

    This does not work for Ubuntu 22.04 though. It works until 18.04, maybe 20.04

    • @BlackPerl  1 year ago

      Need to make a small configuration change in the makefile. It will work

  • @futurebuddies5335  3 years ago  +1

    OMG!! Are you THOR ? LOL..

    • @futurebuddies5335  3 years ago

      Anyway, awesome presentation Buddy!!

    • @BlackPerl  3 years ago

      @@futurebuddies5335 Thanks Buddy!

  • @smurfcoder391  2 years ago

    Did he just say "Lin-Axe"?

  • @adam-atasi  2 years ago

    The first English word that Indians learn is "particular". Then they use it 3 times in every sentence. Even if the sentence has 5 words.