Welcome back everyone. Today we're going to talk about Linux memory analysis using Volatility, and specifically about building Linux profiles for Volatility. This process isn't very difficult, but if you don't do it, you're very likely to have trouble using Volatility to analyze a Linux memory dump.

So the first thing I'm going to do is actually collect a dump of memory from my own system running Ubuntu Linux, and I'm using LiME to acquire the memory image. I need to build LiME first. Whenever you look into the LiME folder, you should see something like this. Basically, LiME is a kernel object that we load into a Linux system; it gets access to memory, and we can download memory using LiME. So the first thing we have to do is actually make it, or build it, for the suspect system. The issue with LiME, or the difficulty with LiME, especially on Linux systems, is that you have to build it for the exact system that you're going to use it on. So if the suspect system is an Ubuntu desktop using a very old kernel version and you want to use LiME, you have to build LiME for that specific kernel version. You need to do a little bit of research on the suspect device, what kernel it is running, and compile specifically for that. I'm just going to compile for my system directly, which is using the 4.4.0-53-generic kernel right now. If you're compiling on the suspect system, on the device that you're looking at, it's much easier to compile, but obviously it's going to make a lot of changes to the system, especially to RAM. And since we want to acquire memory in this case, we don't want to make those changes to memory. Okay, so now that I have the kernel object, I can see this .ko; if I load that into the system, then I should be able to dump memory from the device.
So whenever I need to load it, I run this command: sudo insmod (insert module), then the LiME kernel object, in this case the full name. Then I have to give it the path parameter, and this is the path where I want to save it to. I'm going to save it to a different disk, and I'm going to name it linux.mim. Next I want to give it format=lime. I had issues earlier, let me see if I can bring that up. Whenever I was trying to use Volatility to analyze a raw memory image from my system, I kept getting this "No suitable address space mapping found" error. But whenever it's a LiME-formatted image, I don't get as many errors; I don't get that specific error. So in this case I'm going to collect it with the LiME format, because I know that Volatility can use LiME. While that's acquiring, I will skip ahead.

Okay, now that that's finished, I have my memory image in /media/joshua/storage/testlinux.mim. Next I'm going to go into where I have Volatility downloaded; I have the Volatility git repository downloaded. What I need to do is go into tools/linux, where we're going to build a Linux profile based on my system. So tools/linux, then ls. I want to make clean because I've already built in there. Then you should have a Makefile. What you need to do is install dwarfdump: on Ubuntu, you can do sudo apt install dwarfdump, or, what was it, apt install libdwarf-tools. So you can either install dwarfdump or libdwarf-tools. I already have dwarfdump installed: sudo apt install dwarfdump, okay, it's already the newest version. That looks good. The next thing we need to make sure we have, and I'm sure you already have it if you've ever worked on this before, is build-essential in Ubuntu, so sudo apt install build-essential.
This is basically the compiler tools you need to be able to compile software. Then we might also need to get Linux headers. In Ubuntu we can do sudo apt install linux-headers-generic, or whatever headers we actually have. This actually downloaded 4.4.0-77, but I'm pretty sure we don't need headers in this case. Once we have that, we just run make. Notice it's building for 4.4.0-53-generic. Okay, that looks good, and then this module.dwarf should be created.

Once module.dwarf is created, we need to check whether we have the System.map for the kernel version that we have, so System.map-4.4.0-53-generic in this case, because this particular computer is running that particular kernel version. It's usually in /boot; if you do ls /boot, you should see all of the available kernels, and we're specifically looking for the System.map. Once we know where the System.map is, run sudo zip. Where am I at? Oh, sorry, instead of being inside the tools/linux folder, go up two directories, two folders, and then do sudo zip volatility/plugins/overlays/linux/ and then we want to save it as Ubuntu1404-440.zip. This is Ubuntu 14.04, and I'm going to call it 440 because that's the particular kernel version. There's already an Ubuntu1404 available, but I think it's for kernel version 3, so I'm going to call it 440 just to differentiate and make sure I know the difference between the different plugins; we're essentially creating the plugin right now. Then add tools/linux/module.dwarf, that's our dwarf file that we created, and then we want to add /boot/System.map for our particular kernel. If you do that, then we get "adding: tools/linux/module.dwarf" and "adding: boot/System.map-4.4.0-53-generic".
So now we have a Volatility module created specifically for the Ubuntu Linux kernel version 4.4.0-53-generic. Will this work on other Linux platforms? Probably not, right, and you have to make it specifically for the kernel version of the suspect system that we're analyzing.

The next thing I want to do is make sure it's actually installed, so python vol.py --info, and then grep for Linux with a capital L. Here I have python vol.py; this is running Volatility and I'm getting the information out of Volatility, and then grep is just a keyword search: show me everything that contains the word Linux. If I hit enter, we see this LinuxUbuntu one, which is one that I created before, and then we have the one that we just created, LinuxUbuntu1404-440x64. So this is now our profile name: LinuxUbuntu1404-440x64. I'm going to copy that. What we need to do now is figure out some commands that this version of Volatility includes. So I'm going to do python vol.py --info and then grep -i for linux_ (Linux with a capital L or lowercase l and then an underscore). What this does is again look at the information for Volatility, whatever plugins or profiles are available, and I'm using grep to search in a case-insensitive way for anything called linux_. That should show me all of the different commands, the plugins that are available for Linux, and we have a lot of them in here.
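The profile-packaging and verification steps just walked through, scripted as an added example (this is not code from the video or from the Volatility project): it bundles module.dwarf and the matching System.map into overlays/linux/<name>.zip, derives the profile name Volatility will list, and picks the Linux profiles out of `--info` output the way the grep does. The paths, the sample `--info` table and the file contents are constructed; `demo()` runs everything in a temporary directory standing in for /boot and overlays/linux.

```python
import os
import re
import tempfile
import zipfile

# Constructed to look like the profile table printed by `python vol.py --info`
SAMPLE_INFO = """Profiles
--------
LinuxUbuntu1404-440x64 - A Profile for Linux Ubuntu1404-440 x64
LinuxUbuntu1404x64     - A Profile for Linux Ubuntu1404 x64
VistaSP0x64            - A Profile for Windows Vista SP0 x64
"""

def sysmap_for(kernel_release, boot="/boot"):
    """System.map path for the kernel the suspect box runs (its `uname -r`)."""
    return os.path.join(boot, "System.map-" + kernel_release)

def profile_name(zip_stem, arch="x64"):
    """Volatility 2 names the profile after the zip: Ubuntu1404-440.zip -> LinuxUbuntu1404-440x64."""
    return "Linux" + zip_stem + arch

def build_profile(dwarf_path, sysmap_path, overlays_dir, zip_stem):
    """Bundle module.dwarf + System.map into <overlays_dir>/<zip_stem>.zip (the `sudo zip` step)."""
    for path in (dwarf_path, sysmap_path):
        if not os.path.isfile(path):  # refuse to ship a half-built profile
            raise FileNotFoundError(path + ": run make in tools/linux or check /boot")
    out = os.path.join(overlays_dir, zip_stem + ".zip")
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(dwarf_path, arcname="module.dwarf")
        zf.write(sysmap_path, arcname=os.path.basename(sysmap_path))
    return out

def linux_profiles(info_output):
    """The `vol.py --info | grep Linux` step: only the Linux profile names."""
    return re.findall(r"^(Linux\S+)\s+-", info_output, re.M)

def demo():
    """Build a profile from constructed inputs in a temp dir and report what went in."""
    work = tempfile.mkdtemp()                     # stand-in for both /boot and overlays/linux
    dwarf = os.path.join(work, "module.dwarf")
    sysmap = sysmap_for("4.4.0-53-generic", boot=work)
    with open(dwarf, "w") as f:
        f.write("dwarf placeholder\n")            # the real one comes from `make` in tools/linux
    with open(sysmap, "w") as f:
        f.write("ffffffff81000000 T _text\n")     # constructed System.map line
    out = build_profile(dwarf, sysmap, work, "Ubuntu1404-440")
    with zipfile.ZipFile(out) as zf:
        members = sorted(zf.namelist())
    return {"zip": os.path.basename(out), "members": members,
            "profile": profile_name("Ubuntu1404-440"), "listed": linux_profiles(SAMPLE_INFO)}
```

Point `build_profile` at the real tools/linux/module.dwarf and /boot/System.map-<release> (with the overlays/linux directory of your Volatility checkout) to produce the zip the video creates by hand.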
So you can go through and check whatever you want to check. I'm going to run psscan, because that usually works, right. Some of these will not work, just because Volatility does not have the correct parser for the version of our kernel; even though we basically tell it what the data structures are in memory by creating our profile, that doesn't mean that all of the parsers that have been written actually work for our version of the kernel. So just because we've created a profile doesn't mean that all of these things will work, but psscan usually does work. So I'm going to run python vol.py, then the file, -f /media/joshua/storage/testlinux.mim, which is our LiME-formatted memory image from this Linux system, then --profile= and paste our new profile that we created, and then I want to run linux_psscan. Okay, and there we go, we're getting basically a process list: all of the processes running in the system and their process IDs. So this is actually parsing out, or we're scanning through.

Now, let's go up. The thing about this is, whenever I create plugins or profiles for the newest kernel versions, a lot of things don't work, or I can't get them to work. So it really depends. Let's just try linux_cpuinfo, for example; I kind of doubt it's going to work. Okay, running cpuinfo against it. It actually did find the CPUs at least, it saw how many we have, but it didn't see the vendor or model. What that most likely means is that for version 4.4.0 of the Linux kernel, most of these parsers need to be updated and told what's going on. If we look at the Volatility website, we can see that the newest Linux kernels it supports are 32- and 64-bit Linux kernels up to 4.2.3. So that means that up to 4.2.3 these plugins likely work pretty well.
But we just created a profile for 4.4, so now we have to go through and potentially manually update a lot of these profiles.