#01 Overview
Volatility is an open-source memory forensics framework for Windows, Linux, Mac and Android memory images. It is written in Python and driven from the command line.
Project address:
https://code.google.com/p/volatility/
This document only describes how to use the tool; for a full list of options see the official cheat sheet. The Linux plugins documented in the official Linux command reference are:
Processes: linux_pslist, linux_psaux, linux_pstree, linux_pslist_cache, linux_pidhashtable, linux_psxview, linux_lsof
Process Memory: linux_memmap, linux_proc_maps, linux_dump_map, linux_bash
Kernel Memory and Objects: linux_lsmod, linux_moddump, linux_tmpfs
Rootkit Detection: linux_check_afinfo, linux_check_tty, linux_keyboard_notifier, linux_check_creds, linux_check_fop, linux_check_idt, linux_check_syscall, linux_check_modules
Networking: linux_arp, linux_ifconfig, linux_route_cache, linux_netstat, linux_pkt_queues, linux_sk_buff_cache
System Information: linux_cpuinfo, linux_dmesg, linux_iomem, linux_slabinfo, linux_mount, linux_mount_cache, linux_dentry_cache, linux_find_file, linux_vma_cache
Miscellaneous: linux_volshell, linux_yarascan
#02 Installation
Installing from source (Subversion checkout):
apt-get install subversion-tools
svn checkout http://volatility.googlecode.com/svn/trunk/ /usr/local/src/volatility/
Refer:
https://code.google.com/p/volatility/wiki/VolatilityInstallation
BackTrack and Kali Linux ship with Volatility preinstalled.
On Kali, for example, it is found under Applications > Kali Linux > Forensics > Memory Forensics.
#03 Basic commands
./vol.py -f [image] --profile=[profile] [plugin]
On Kali, -f must be given the absolute path of the image (this looks like a bug).
List the available profiles, address spaces, scanners and plugins:
./vol.py --info
Show the general help:
./vol.py -h (or --help)
Show the help for one plugin:
./vol.py [plugin] --help
Load plugins from an additional directory:
./vol.py --plugins=[path] [plugin]
Write the plugin's output to a file instead of the terminal:
./vol.py --output-file=[file] [plugin]
#04 Create a Linux system profile
Volatility ships with Windows profiles only; a Linux profile must be built yourself for the exact kernel the memory was captured from. The method is as follows:
A Linux profile is nothing more than a zip file containing module.dwarf and the kernel's System.map, placed under volatility/plugins/overlays/linux/.
Preparation:
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
module.dwarf is produced by running make in volatility/tools/linux on a machine that has the target kernel's headers and dwarfdump installed; System.map is taken from /boot for the same kernel. Zip the two together. The zip's basename becomes the profile name, prefixed with Linux and suffixed with x86 or x64, so Ubuntu1204.zip below gives the profile LinuxUbuntu1204x86:
$ sudo zip volatility/volatility/plugins/overlays/linux/Ubuntu1204.zip volatility/tools/linux/module.dwarf /boot/System.map-3.2.0-23-generic
- Ready-made profiles for a number of distributions can also be downloaded from https://github.com/kdpryor/linuxvolprofiles.
- On Kali, put the zip under /usr/share/volatility/plugins/overlays/linux/.
If you know which operating system and version the memory was dumped from, set --profile directly. If you do not, the imageinfo plugin asks Volatility to identify the image:
vol -f /root/Downloads/pexit.vmem imageinfo
Caveat: imageinfo only suggests Windows profiles. For a Linux dump, recover the kernel version from the image itself (the "Linux version ..." banner string is in memory and can be found with strings), then pick or build the matching profile.
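The packaging step above can be automated and sanity-checked before the zip is dropped into the overlays directory. The script below is an added example, not code from the original page or from the Volatility project. It assumes only what the page states: a profile is a zip holding module.dwarf and a System.map, and Volatility names the profile from the zip's basename (Ubuntu1004_pae32-33.zip becomes LinuxUbuntu1004_pae32-33x86). The files created by demo() are constructed stand-ins, not real kernel artefacts.

```python
"""Package and sanity-check a Volatility 2 Linux profile zip.

Added example, not code from the original page or the Volatility project.
A profile is a zip that holds the module.dwarf built in volatility/tools/linux
plus the System.map of the same kernel; Volatility derives the profile name
from the zip's basename.  demo() uses constructed stand-in files.
"""
import os
import re
import tempfile
import zipfile


def profile_name_from_zip(zip_path, bits=32):
    """Name Volatility lists under --info: "Linux" + zip basename + arch.
    Volatility itself infers the architecture from System.map; bits is the
    caller's knowledge of the target kernel."""
    base = os.path.splitext(os.path.basename(zip_path))[0].replace(".", "_")
    return "Linux%s%s" % (base, "x64" if bits == 64 else "x86")


def build_profile(dwarf_path, system_map_path, zip_path):
    """Zip module.dwarf and System.map-<version> into zip_path.
    Empty inputs usually mean make in tools/linux failed (no dwarfdump or no
    headers for the target kernel), so refuse them rather than ship a profile
    that Volatility will silently fail to load."""
    for path in (dwarf_path, system_map_path):
        if not os.path.isfile(path) or os.path.getsize(path) == 0:
            raise ValueError("missing or empty input: %s" % path)
    if not os.path.basename(system_map_path).startswith("System.map"):
        raise ValueError("keep the System.map* file name: %s" % system_map_path)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, "module.dwarf")
        zf.write(system_map_path, os.path.basename(system_map_path))
    return zip_path


def check_profile(zip_path):
    """Verify the zip has one module.dwarf and one System.map* member and that
    the map defines init_task (the symbol the process-list plugins walk from).
    Returns (kernel version taken from the System.map name, init_task address)."""
    with zipfile.ZipFile(zip_path) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if "module.dwarf" in n.lower()]
        maps = [n for n in names if os.path.basename(n).startswith("System.map")]
        if len(dwarfs) != 1 or len(maps) != 1:
            raise ValueError("need one module.dwarf and one System.map, got %r" % names)
        m = re.match(r"System\.map-(.+)$", os.path.basename(maps[0]))
        version = m.group(1) if m else None
        symbols = {}
        for line in zf.read(maps[0]).decode("utf-8", "replace").splitlines():
            parts = line.split()          # "<hex address> <type> <symbol>"
            if len(parts) == 3:
                symbols[parts[2]] = int(parts[0], 16)
    if "init_task" not in symbols:
        raise ValueError("System.map lacks init_task; is it really a kernel map?")
    return version, symbols["init_task"]


def demo():
    """Build a profile from constructed stand-in files in a temp dir and check it."""
    with tempfile.TemporaryDirectory(prefix="volprofile-") as work:
        dwarf = os.path.join(work, "module.dwarf")
        sysmap = os.path.join(work, "System.map-3.2.0-23-generic")
        with open(dwarf, "w") as f:          # constructed stand-in, not real DWARF
            f.write("<constructed stand-in for dwarfdump output>\n")
        with open(sysmap, "w") as f:         # constructed, not a real System.map
            f.write("c1000000 T _text\nc17a8000 D init_task\nc1a40000 B swapper_pg_dir\n")
        zip_path = build_profile(dwarf, sysmap, os.path.join(work, "Ubuntu1204.zip"))
        version, init_task = check_profile(zip_path)
        return profile_name_from_zip(zip_path), version, init_task


if __name__ == "__main__":
    print(demo())
```

Run it with the real module.dwarf and /boot/System.map-<version> in place of the stand-ins; the returned name is the value to pass to --profile once the zip is in plugins/overlays/linux/.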
#05 Obtain the memory image
Refer:
http://www.forensicswiki.org/wiki/Tools%3aMemory_Imaging#Linux
dd (this run copies only the first 10 MB as a demonstration; drop count= to read everything dd is allowed to):
$ sudo dd if=/dev/mem of=/tmp/mem_dump.dd bs=1MB count=10
10+0 records in
10+0 records out
10000000 bytes (10 MB) copied, 0.0331212 s, 302 MB/s
Caveat: on most current kernels /dev/mem is restricted (CONFIG_STRICT_DEVMEM) and reads fail beyond the first megabyte; even where it works, it only covers the physical ranges the kernel exposes. For a complete image of a live system use a kernel-module acquirer such as LiME, whose output Volatility reads directly.
#06 Example
Examine the process list
- Know which processes are normal on a Linux system;
- Look at processes spawned by scheduled tasks (cron);
- If the system has not been rebooted but some processes are much younger than the rest, check when those processes were started.
In the process listing, the start times of PIDs 1517, 27157 and 7334 are clearly different from those of the other processes.
Check process details
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_psaux
Process 1517 is shown as /usr/bin/httpd. Process 27157 was started with the arguments -B -c; checking the rsyslogd documentation shows that rsyslogd has no -B option.
linux_pidhashtable enumerates processes through the kernel's PID hash table instead of the task list, so it also shows processes that have been hidden from linux_pslist.
It shows four rsyslogd processes created at the same moment as process 27157.
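The two checks used so far, start times that stand apart from the boot-time cluster and processes that appear in the PID hash table but not in the task list, are easy to automate over the plugins' text output. The script below is an added example, not code from the original page or from Volatility. It assumes only that linux_pslist and linux_pidhashtable print the same columns (Offset, Name, Pid, Uid, Gid, DTB, Start Time); the two listings embedded in it are constructed sample data in that layout, with PIDs echoing the walkthrough, not a real capture.

```python
"""Cross-view Volatility 2 Linux process listings and flag unusual start times.

Added example, not code from the original page or from Volatility.  It
post-processes the text output of linux_pslist and linux_pidhashtable.
The listings below are constructed sample data, not a real capture.
"""
import re
from datetime import datetime

# Constructed sample: what linux_pslist (task-list walk) might print.
PSLIST_SAMPLE = """\
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
0xf5a9a2a0 init                 1               0               0      0x35a97000 2013-12-08 04:01:58 UTC+0000
0xf5a9b2a0 kthreadd             2               0               0      ---------- 2013-12-08 04:01:58 UTC+0000
0xf5b1c000 rsyslogd             846             0               0      0x36a12000 2013-12-08 04:02:10 UTC+0000
0xf5b2d000 sshd                 1020            0               0      0x36b45000 2013-12-08 04:02:12 UTC+0000
0xf5c90000 httpd                1517            1000            1000   0x36c01000 2013-12-09 21:14:33 UTC+0000
0xf5d01000 rsyslogd             27157           1000            1000   0x36c55000 2013-12-09 21:15:02 UTC+0000
"""

# Constructed sample: linux_pidhashtable (PID hash walk) shows one extra task.
PIDHASH_SAMPLE = PSLIST_SAMPLE + """\
0xf5d02000 rsyslogd             27158           1000            1000   0x36c56000 2013-12-09 21:15:02 UTC+0000
"""

_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<uid>\d+)\s+"
    r"(?P<gid>\d+)\s+\S+\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)


def parse_listing(text):
    """Return {pid: {"name", "uid", "start"}} from a pslist-style listing,
    skipping the header and separator lines."""
    procs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        procs[int(m.group("pid"))] = {
            "name": m.group("name"),
            "uid": int(m.group("uid")),
            "start": datetime.strptime(m.group("start"), "%Y-%m-%d %H:%M:%S"),
        }
    return procs


def hidden_pids(pslist_text, pidhash_text):
    """PIDs present in the PID hash table but missing from the task list:
    the classic sign of a task unlinked from the process list by a rootkit."""
    visible = parse_listing(pslist_text)
    hashed = parse_listing(pidhash_text)
    return sorted(set(hashed) - set(visible))


def late_starters(procs, boot_pid=1, late_after=3600):
    """PIDs started more than late_after seconds after the boot-time process.
    On a box that has not rebooted, everything from boot clusters together;
    a handful of much younger processes is what the walkthrough noticed."""
    boot = procs[boot_pid]["start"]
    return sorted(pid for pid, p in procs.items()
                  if (p["start"] - boot).total_seconds() > late_after)


def same_name_same_second(procs):
    """Groups of processes sharing a name and an identical start time
    (the walkthrough saw several rsyslogd instances created in one instant)."""
    groups = {}
    for pid, p in procs.items():
        groups.setdefault((p["name"], p["start"]), []).append(pid)
    return sorted(
        (name, start.strftime("%Y-%m-%d %H:%M:%S"), sorted(pids))
        for (name, start), pids in groups.items() if len(pids) > 1
    )


if __name__ == "__main__":
    print("hidden from pslist:", hidden_pids(PSLIST_SAMPLE, PIDHASH_SAMPLE))
    procs = parse_listing(PIDHASH_SAMPLE)
    print("late starters:", late_starters(procs))
    print("same-second bursts:", same_name_same_second(procs))
```

Feed it the saved --output-file results of the two plugins; anything hidden_pids reports deserves the same psaux, lsof and proc_maps treatment as the visible suspects.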
Use linux_netstat to list network connections.
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_netstat
Suspicious remote address: 210.177.175.82
The routing cache can be viewed with linux_route_cache.
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_route_cache
Run linux_lsof to see the files opened by processes 1517 and 27157.
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_lsof
Note the "/tmp/.ICE-unix/-log/" directory.
linux_proc_maps lists a process's memory mappings, including shared libraries with their start and end addresses.
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_proc_maps | grep 1517
Locate and dump the suspicious file: linux_find_file -F resolves the path to its inode address, and -i with -O writes that inode's cached pages out to disk, where strings can be run over them.
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_find_file -F "/tmp/.ICE-unix/-log/httpds"
vol -f /root/Downloads/pexit.vmem --profile=LinuxUbuntu1004_pae32-33x86 linux_find_file -i 0xf5a4e568 -O /root/dump
strings /root/dump
Refer:
http://sempersecurus.blogspot.com/2013/12/a-forensic-overview-of-linux-perlbot.html
https://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_pidhashtable