Volatility is a powerful tool for analyzing memory dumps from Linux, macOS and Windows systems. For Linux and macOS, Volatility 2 does not ship profiles: you build one yourself, and it must be built from the same kernel build as the system the image was taken from (a profile built on Ubuntu 18.04.3 will not work on a dump from Ubuntu 18.04.4 if the kernel differs, because the System.map and the structure layouts in module.dwarf no longer match). This article goes over the dependencies that need to be installed and how to build a profile.
Note that this information is taken from Volatility's GitHub. Many Volatility plugins will not work without the following packages.
Run the following:
$ sudo apt-get install git subversion pcregrep libpcre++-dev python-dev -y
$ sudo apt-get install build-essential -y
$ sudo apt-get install dwarfdump -y
Do not use pip install distorm3; it will not build correctly. Instead, download the source tar from here. After unpacking it, cd into distorm3/ and run:
$ python setup.py build
$ sudo python setup.py build install
Do not use pip install yara-python. I made this mistake, and Volatility was not able to detect Yara. Instead, go to the main website and download the source tar. Run:
$ tar -zxf yara-4.0.1.tar.gz
$ cd yara-4.0.1
$ ./bootstrap.sh
Install some dependencies:
$ sudo apt-get install automake libtool make gcc pkg-config
Continue:
$ ./configure
$ make
$ sudo make install
After make install, refresh the dynamic linker cache (sudo ldconfig) so that libyara is found at run time. To check that the build works, run yara's own test suite:
$ make check
Download the latest pycrypto source (2.6.1 is the final release) from here, unpack it and build:
$ tar -zxvf pycrypto-2.6.1.tar.gz
$ cd pycrypto-2.6.1
$ python setup.py build
$ sudo python setup.py build install
Finally, clone Volatility's GitHub repo and install it. Volatility 2 is Python 2 code, so python throughout this article must be a 2.7 interpreter (which is also why python-dev, not python3-dev, was installed above):
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility
$ sudo python setup.py build install
Create module.dwarf. The Makefile builds a small kernel module against the headers of the running kernel and runs dwarfdump on it, so the matching linux-headers package must be installed and dwarfdump must be on the PATH:
$ cd volatility/tools/linux
$ make
Make a zip containing module.dwarf and the System.map of the running kernel (the kernel version is taken from uname -r, so run this on the same kernel you will be imaging):
$ cd ../../../
$ sudo zip $(lsb_release -i -s)_$(uname -r)_profile.zip ./volatility/tools/linux/module.dwarf /boot/System.map-$(uname -r)
Copy the zip file into the Volatility Linux overlay directory, where profiles are picked up automatically:
$ cp $(lsb_release -i -s)_$(uname -r)_profile.zip ./volatility/volatility/plugins/overlays/linux/
Test that the installation is complete and the profile is picked up. The profile name is derived from the zip file name, prefixed with Linux and suffixed with x64 or x86, so grepping for the distribution name finds it:
$ cd volatility
$ python vol.py --info | grep $(lsb_release -i -s)
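Before pointing Volatility at a profile it is worth checking the zip itself, because the most common failure is a System.map taken from a different kernel build than the one the image came from. The script below is an added example, not part of this article or of Volatility. It opens the zip, requires exactly one module.dwarf and one System.map-<version> entry (wherever in the zip's directory tree they sit), compares <version> with the uname -r string you pass in, checks that the dwarf text contains DW_TAG_structure_type entries (dwarfdump output, which Volatility parses for its vtypes) and that System.map lists init_task (the symbol Volatility's Linux process plugins start from). build_sample_profile() constructs a toy zip for self-testing; its contents are made up and are not real dwarfdump or System.map output.

```python
import io
import os
import re
import zipfile
from typing import Optional

# System.map lines look like "ffffffff81000000 T _text": address, type letter, symbol name.
SYMBOL_LINE = re.compile(r"^[0-9a-fA-F]+ [A-Za-z?] \S+$")


def check_profile_zip(data: bytes, running_kernel: str) -> Optional[str]:
    """Sanity-check a Volatility 2 Linux profile zip held in memory.

    Returns None when the zip looks usable for an image taken from
    running_kernel (the `uname -r` string), otherwise a short message
    describing the first problem found.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        dwarf = [n for n in names if os.path.basename(n) == "module.dwarf"]
        sysmap = [n for n in names if os.path.basename(n).startswith("System.map-")]
        if len(dwarf) != 1:
            return "expected exactly one module.dwarf, found %r" % (dwarf,)
        if len(sysmap) != 1:
            return "expected exactly one System.map-<version>, found %r" % (sysmap,)

        # The kernel version is taken from the System.map file name; it must
        # equal the kernel the image was acquired from, not merely be close.
        version = os.path.basename(sysmap[0])[len("System.map-"):]
        if version != running_kernel:
            return "System.map is for %s but the image is from %s: profile will not match" % (
                version, running_kernel)

        dwarf_text = zf.read(dwarf[0]).decode("utf-8", errors="replace")
        if "DW_TAG_structure_type" not in dwarf_text:
            return "module.dwarf has no DW_TAG_structure_type entries; was dwarfdump run on module.ko?"

        lines = [l for l in zf.read(sysmap[0]).decode("utf-8", errors="replace").splitlines() if l]
        bad = [l for l in lines if not SYMBOL_LINE.match(l)]
        if bad:
            return "System.map has %d malformed lines, e.g. %r" % (len(bad), bad[0])
        if not any(l.endswith(" init_task") for l in lines):
            return "System.map has no init_task symbol; Linux process listing needs it"
    return None


def build_sample_profile(kernel: str) -> bytes:
    """Constructed stand-in for a real profile zip (not output of the steps above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # zip strips the leading ./ and /, so entries keep their directory parts.
        zf.writestr("volatility/tools/linux/module.dwarf",
                    "< 1><0x0000000b>    DW_TAG_compile_unit\n"
                    "< 2><0x00000040>    DW_TAG_structure_type\n")
        zf.writestr("boot/System.map-" + kernel,
                    "ffffffff81000000 T _text\n"
                    "ffffffff81e11940 D init_task\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    path = sys.argv[1]
    kernel = sys.argv[2] if len(sys.argv) > 2 else os.uname().release
    with open(path, "rb") as f:
        problem = check_profile_zip(f.read(), kernel)
    print("OK" if problem is None else "PROBLEM: " + problem)
```

Run it as check_profile.py <zip> [<uname -r of the imaged host>]; when checking a profile for a dump from another machine, pass that machine's kernel string explicitly rather than relying on the local uname.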
LiME is a memory acquisition tool made specifically for Linux. It is a loadable kernel module, so it must be compiled against the headers of the kernel it will be loaded into; install the headers for the running kernel and a toolchain:
$ sudo apt install linux-headers-$(uname -r)
$ sudo apt install build-essential
Install the latest version:
$ git clone https://github.com/504ensicsLabs/LiME
Compile:
$ cd LiME/src/
$ make
A file named lime-$(uname -r).ko is created, for example lime-5.3.0-62-generic.ko on this system.
Use insmod to load the compiled LKM. The parameters format=lime and timeout=0 are important for analysis with Volatility: format=lime writes every physical memory range behind a LiME header, which is what Volatility's LiME address space expects (raw and padded images carry no such headers), and timeout=0 disables LiME's per-page read timeout so that slow pages are not skipped. Note that writing the image to a local file system, as here, overwrites unallocated space on that disk; when the disk itself is evidence, write to removable media or stream over the network with path=tcp:<port> instead.
$ sudo insmod lime-5.3.0-62-generic.ko "path=/home/dump1.mem format=lime timeout=0"
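Before handing the image to Volatility it is useful to confirm that it really is in LiME format, that every range header is intact and that the file is not truncated (an interrupted insmod or a full disk leaves a short file that fails in confusing ways later). The script below is an added example, not part of this article or of LiME or Volatility. It walks the image using LiME's documented range header (magic 0x4C694D45, which reads as the bytes EMiL on disk, version 1, 64-bit start and end physical addresses, eight reserved bytes) and reports the ranges without reading their payloads. build_sample_dump() fabricates a tiny two-range image so the code can be exercised without a real acquisition; an image written with format=raw or format=padded has no headers and is rejected.

```python
import io
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIME_MAGIC = 0x4C694D45            # little-endian on disk: the bytes b"EMiL"
# lime_mem_range_header: magic, version, s_addr, e_addr, reserved[8] (32 bytes, packed)
LIME_HEADER = struct.Struct("<IIQQ8s")


@dataclass
class LimeRange:
    start: int    # first physical address covered (inclusive)
    end: int      # last physical address covered (inclusive), as stored in the header
    offset: int   # file offset where this range's bytes begin

    @property
    def size(self) -> int:
        return self.end - self.start + 1


def parse_lime(f) -> List[LimeRange]:
    """Walk every range header of a format=lime image and return the ranges.

    Only the headers are read; range payloads are skipped with seek(), so
    this is cheap even on a multi-gigabyte dump. Raises ValueError describing
    the first inconsistency found.
    """
    f.seek(0, os.SEEK_END)
    total = f.tell()
    f.seek(0)
    ranges: List[LimeRange] = []
    while f.tell() < total:
        pos = f.tell()
        hdr = f.read(LIME_HEADER.size)
        if len(hdr) < LIME_HEADER.size:
            raise ValueError("truncated range header at offset %#x" % pos)
        magic, version, s_addr, e_addr, _reserved = LIME_HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            if pos == 0:
                raise ValueError("no LiME header at offset 0: image was not written with format=lime")
            raise ValueError("bad magic %#x at offset %#x" % (magic, pos))
        if version != 1:
            raise ValueError("unsupported LiME header version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end %#x precedes start %#x" % (e_addr, s_addr))
        data_off = f.tell()
        size = e_addr - s_addr + 1
        if data_off + size > total:
            raise ValueError("range %#x-%#x truncated: need %d bytes, file has %d after the header"
                             % (s_addr, e_addr, size, total - data_off))
        ranges.append(LimeRange(s_addr, e_addr, data_off))
        f.seek(size, os.SEEK_CUR)
    return ranges


def check_dump(data: bytes) -> Tuple[List[LimeRange], Optional[str]]:
    """Convenience wrapper for in-memory data: (ranges, None) or ([], error message)."""
    try:
        return parse_lime(io.BytesIO(data)), None
    except ValueError as exc:
        return [], str(exc)


def build_sample_dump() -> bytes:
    """Constructed two-range image for a self-test (not a real acquisition)."""
    out = b""
    for start, end, fill in ((0x1000, 0x10FF, b"A"), (0x100000, 0x1001FF, b"B")):
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8)
        out += fill * (end - start + 1)
    return out


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        found = parse_lime(fh)
    for r in found:
        print("range %#x-%#x (%d bytes) at file offset %#x" % (r.start, r.end, r.size, r.offset))
    print("%d ranges, %d bytes of RAM" % (len(found), sum(r.size for r in found)))
```

Run it as check_lime.py /home/dump1.mem right after insmod and before copying the image off the box; the sum of the range sizes should be close to the machine's physical RAM, and any gap between consecutive ranges corresponds to a reserved region the kernel does not map as RAM.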