Live Memory acquisition for Linux flavors — DFIR

Sivasundaram R
Jul 28, 2019

Memory analysis of a Windows evidence machine is comparatively easy: the investigator only has to match a Volatility profile to the operating system version. Linux flavors are not that simple, because the investigator has to analyse the volatile dump with a profile built for the exact kernel the Linux evidence machine was running.

With that said, this blog is about how an investigator can acquire Linux memory and build a Volatility profile from a kernel object compiled for that same kernel. Below is a quick summary of what I detail further down.

Overview:

  1. Find the kernel version of the Linux evidence machine.
  2. Download and install dependencies.
  3. Download LiME and dump the memory file.
  4. Download and install Volatility and create a Linux profile for the evidence machine.
  5. Check the Volatility tool against the dumped memory file with the matching profile.

Note: For demo purposes, I performed the activities above on the same machine. In a real investigation, I would recommend performing the same procedures on a “working copy” of the evidence rather than on the “master copy” of the dumped evidence image.

So let’s move forward,

1. Find the kernel version of the Linux evidence machine:

Kernel version: 4.4.0-142-generic

The command uname -a reveals which kernel version your evidence machine was running; here it is 4.4.0-142-generic. The Linux distribution we have to investigate is Ubuntu 14.04.

2. Download and install dependencies:

Before we collect the memory dump, let’s make sure the system is up to date and the dependencies needed for the following steps are installed.

sudo apt-get update
sudo apt-get install build-essential
sudo apt-get install linux-headers-`uname -r`
sudo apt-get install dwarfdump
sudo apt-get install git zip

3. Download LiME to dump the memory file:

Now we download LiME and build the kernel object that performs the memory dump.

git clone https://github.com/504ensicsLabs/LiME
cd LiME/src/
make

Kernel object created: lime-4.4.0-142-generic.ko

Next, with the kernel object built, we dump memory by loading it with the insert-module command (insmod). The path parameter is where the dump is written and format=lime selects LiME’s own dump format.

sudo insmod lime-4.4.0-142-generic.ko "path=/tmp/volevidence.mem format=lime"

Memory dumped successfully to /tmp/volevidence.mem.

4. Download and install Volatility to create a Linux profile:

We install Volatility and create a profile for the same kernel version so that it can interpret the dumped memory.

git clone https://github.com/volatilityfoundation/volatility
cd volatility/tools/linux/
sudo make -C /lib/modules/$(uname -r)/build CONFIG_DEBUG_INFO=y M=$PWD modules
sudo dwarfdump -di ./module.o > module.dwarf

The dwarf file module.dwarf was created successfully.

We have the dwarf file now. To create the Volatility Linux profile, we need to zip this dwarf file together with the kernel’s System.map. You can find the System.map file under /boot.

/boot/System.map-4.4.0-142-generic

If you have more than one System.map, pick the one that matches the kernel version the evidence machine was running.

Now we simply zip both files together and place the zip under Volatility. Keep in mind that the zip’s file name becomes part of the profile name Volatility reports.

The dwarf file and the System.map have been zipped together.

Move the zip file to Volatility’s Linux profile folder, volatility/plugins/overlays/linux/.

We can confirm this by running vol.py --info, which lists the available profiles.

The profile for kernel 4.4.0-142 is listed and ready for mapping the evidence to examine.

5. Check the Volatility tool with the evidence kernel profile:

Now we are all set to jump in and investigate the Linux volatile memory data. Below is just a sample of how it works.

sudo python vol.py -f /tmp/volevidence.mem --profile=Linuxubuntu_14_04_kernel_4_4_0_142x64 linux_ifconfig
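As an added example, not code from the original post, the shell helpers below tie the five steps together: they read the kernel release out of the System.map and LiME module names, refuse to build a profile or acquire memory when those do not match the evidence kernel, derive the Volatility 2 profile name from the zip file name, and hash the dump right after acquisition. The zip naming scheme, the /tmp paths and the Volatility checkout location are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the acquisition and
# profile-building steps above; the zip naming scheme is an assumption chosen
# to yield the profile name used with --profile in the post.

# /boot/System.map-4.4.0-142-generic -> 4.4.0-142-generic
kver_from_sysmap() {
    basename "$1" | sed -n 's/^System\.map-//p'
}

# lime-4.4.0-142-generic.ko -> 4.4.0-142-generic
kver_from_lime() {
    basename "$1" | sed -n 's/^lime-\(.*\)\.ko$/\1/p'
}

# 4.4.0-142-generic -> ubuntu_14_04_kernel_4_4_0_142.zip (assumed naming scheme)
zip_name_for_kver() {
    printf 'ubuntu_14_04_kernel_%s.zip\n' "$(echo "$1" | sed 's/-generic$//; s/[.-]/_/g')"
}

# Volatility 2 names a Linux profile "Linux" + zip basename without ".zip"
# (dots turned into underscores) + architecture suffix, x64 by default.
profile_name_from_zip() {
    printf 'Linux%s%s\n' "$(basename "$1" .zip | tr . _)" "${2:-x64}"
}

# Succeeds only when System.map and LiME module both match the evidence
# kernel release (the `uname -r` output captured on the evidence machine).
check_kernel_match() {
    [ "$(kver_from_sysmap "$2")" = "$1" ] || return 1
    [ "$(kver_from_lime "$3")" = "$1" ] || return 1
}

# Usage: acquire_memory lime-4.4.0-142-generic.ko /tmp/volevidence.mem
# Loads LiME to write the dump, then hashes it at once so a working copy
# can be verified against the original before analysis.
acquire_memory() {
    sudo insmod "$1" "path=$2 format=lime"
    sha256sum "$2" > "$2.sha256"
}

# Usage: build_profile 4.4.0-142-generic module.dwarf /boot/System.map-4.4.0-142-generic ~/volatility
# Zips dwarf + System.map at the top level (-j), places the zip in
# Volatility's Linux overlay directory and prints the profile name.
build_profile() {
    [ "$(kver_from_sysmap "$3")" = "$1" ] || { echo "System.map does not match $1" >&2; return 1; }
    zipname=$(zip_name_for_kver "$1")
    zip -j "$zipname" "$2" "$3" >/dev/null
    mv "$zipname" "$4/volatility/plugins/overlays/linux/"
    profile_name_from_zip "$zipname"
}
```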

Other useful Volatility plugins for Linux memory analysis:

linux_arp — Print the ARP table
linux_aslr_shift — Automatically detect the Linux ASLR shift
linux_banner — Prints the Linux banner information
linux_bash — Recover bash history from bash process memory
linux_bash_env — Recover a process’ dynamic environment variables
linux_bash_hash — Recover bash hash table from bash process memory
linux_check_fop — Check file operation structures for rootkit modifications
linux_check_idt — Checks if the IDT has been altered
linux_check_modules — Compares module list to sysfs info, if available
linux_check_tty — Checks tty devices for hooks
linux_cpuinfo — Prints info about each active processor
linux_dmesg — Gather dmesg buffer
linux_dump_map — Writes selected memory mappings to disk
linux_dynamic_env — Recover a process’ dynamic environment variables
linux_elfs — Find ELF binaries in process mappings
linux_enumerate_files — Lists files referenced by the filesystem cache
linux_find_file — Lists and recovers files from memory
linux_getcwd — Lists current working directory of each process
linux_hidden_modules — Carves memory to find hidden kernel modules
linux_ifconfig — Gathers active interfaces
linux_info_regs — It’s like ‘info registers’ in GDB. It prints out all the
linux_iomem — Provides output similar to /proc/iomem
linux_kaslr_shift — Automatically detect KASLR physical/virtual shifts and alternate DTBs
linux_kernel_opened_files — Lists files that are opened from within the kernel
linux_keyboard_notifiers — Parses the keyboard notifier call chain
linux_ldrmodules — Compares the output of proc maps with the list of libraries from libdl
linux_library_list — Lists libraries loaded into a process
linux_librarydump — Dumps shared libraries in process memory to disk
linux_list_raw — List applications with promiscuous sockets
linux_lsmod — Gather loaded kernel modules
linux_lsof — Lists file descriptors and their path
linux_malfind — Looks for suspicious process mappings
linux_memmap — Dumps the memory map for linux tasks
linux_moddump — Extract loaded kernel modules
linux_mount — Gather mounted fs/devices
linux_netfilter — Lists Netfilter hooks
linux_netscan — Carves for network connection structures
linux_netstat — Lists open sockets
linux_pidhashtable — Enumerates processes through the PID hash table
linux_pkt_queues — Writes per-process packet queues out to disk
linux_plthook — Scan ELF binaries’ PLT for hooks to non-NEEDED images
linux_proc_maps — Gathers process memory maps
linux_proc_maps_rb — Gathers process maps for linux through the mappings red-black tree
linux_procdump — Dumps a process’s executable image to disk
linux_process_hollow — Checks for signs of process hollowing
linux_psaux — Gathers processes along with full command line and start time
linux_psenv — Gathers processes along with their static environment variables
linux_pslist — Gather active tasks by walking the task_struct->task list
linux_psscan — Scan physical memory for processes
linux_pstree — Shows the parent/child relationship between processes
linux_strings — Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads — Prints threads of processes
linux_tmpfs — Recovers tmpfs filesystems from memory
linux_volshell — Shell in the memory image

I hope this has been informative. In my next blog I will discuss how easy memory acquisition is for Windows evidence, with a sample investigation of a malware-infected machine.

Thanks again for your time, and I welcome your valuable feedback or questions.
