Thursday, December 21, 2017

Quick guide to dumping memory and creating a volatility profile

This will just be a quick guide on how to dump memory from a Linux server and create a volatility profile for it. 


Manual method

Creating the kernel module with LiME

Ideally you want to log onto a copy of the victim machine, running the same distro and kernel version as the victim. Building on the copy means you don't stomp over potentially deleted files on the victim's disk. 
  1. sudo apt-get install build-essential
  2. git clone https://github.com/504ensicsLabs/LiME
  3. cd LiME/src/
  4. make
  5. scp the .ko file off this machine 
  6. Copy the .ko file to the actual victim machine
  7. Execute insmod lime_module.ko "path=/tmp/images/ram.lime format=lime"
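Once the dump is off the victim it is worth confirming that the file is actually a complete LiME capture before you spend time building a profile for it. The POSIX shell script below is an added example, not part of the original post and not LiME's own code. It assumes the layout LiME uses for `format=lime`: every captured physical range is preceded by a 32-byte header holding the magic 0x4C694D45 (the bytes "EMiL" on disk), version 1, the 64-bit start and end addresses, and 8 reserved bytes, followed by exactly `end - start + 1` bytes of memory. The script walks those headers and fails if a magic is wrong or the file ends in the middle of a range, which is what a capture cut short by a crash or a full `/tmp` looks like. The sample dump it builds is constructed inline for demonstration.

```shell
#!/bin/sh
# Added example (not LiME's code): sanity-check a "format=lime" dump by walking
# its per-range headers. Assumed layout per range: 32-byte header =
#   magic (u32, 0x4C694D45) | version (u32, 1) | s_addr (u64) | e_addr (u64) | 8 reserved bytes
# followed by (e_addr - s_addr + 1) bytes of memory.

LIME_MAGIC="454d694c"   # 0x4C694D45 as stored on disk (little-endian x86)

# hex_at FILE OFFSET NBYTES -> lowercase hex of those bytes, no spaces
hex_at() {
    od -An -j "$2" -N "$3" -t x1 "$1" | tr -d ' \n'
}

# le_uint FILE OFFSET NBYTES -> decimal value of a little-endian unsigned integer
le_uint() {
    od -An -j "$2" -N "$3" -t "u$3" "$1" | tr -d ' \n'
}

file_size() {
    wc -c < "$1" | tr -d ' '
}

# lime_walk FILE: prints "s_addr e_addr bytes" per range (decimal).
# Returns 0 if the layout is consistent, 1 on a bad header or a truncated range.
lime_walk() {
    f=$1
    size=$(file_size "$f")
    off=0
    n=0
    while [ "$off" -lt "$size" ]; do
        if [ $((size - off)) -lt 32 ]; then
            echo "error: $((size - off)) trailing bytes at offset $off are not a full header" >&2
            return 1
        fi
        magic=$(hex_at "$f" "$off" 4)
        if [ "$magic" != "$LIME_MAGIC" ]; then
            echo "error: bad magic '$magic' at offset $off (expected $LIME_MAGIC)" >&2
            return 1
        fi
        ver=$(le_uint "$f" $((off + 4)) 4)
        s=$(le_uint "$f" $((off + 8)) 8)
        e=$(le_uint "$f" $((off + 16)) 8)
        len=$((e - s + 1))
        if [ "$ver" -ne 1 ] || [ "$len" -le 0 ]; then
            echo "error: unexpected version $ver or range length $len at offset $off" >&2
            return 1
        fi
        if [ $((off + 32 + len)) -gt "$size" ]; then
            echo "error: range $s-$e needs $len bytes but file ends at $size (truncated dump?)" >&2
            return 1
        fi
        printf '%d %d %d\n' "$s" "$e" "$len"
        off=$((off + 32 + len))
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# make_sample OUT: constructed two-range dump (16 bytes at 0x1000, 8 bytes at 0x2000),
# used only to exercise lime_walk offline.
make_sample() {
    {
        printf 'EMiL'; printf '\001\000\000\000'
        printf '\000\020\000\000\000\000\000\000'   # s_addr = 0x1000
        printf '\017\020\000\000\000\000\000\000'   # e_addr = 0x100F
        printf '\000\000\000\000\000\000\000\000'   # reserved
        printf 'AAAAAAAAAAAAAAAA'                   # 16 bytes of "memory"
        printf 'EMiL'; printf '\001\000\000\000'
        printf '\000\040\000\000\000\000\000\000'   # s_addr = 0x2000
        printf '\007\040\000\000\000\000\000\000'   # e_addr = 0x2007
        printf '\000\000\000\000\000\000\000\000'   # reserved
        printf 'BBBBBBBB'                           # 8 bytes of "memory"
    } > "$1"
}

# Usage: sh lime_check.sh /tmp/images/ram.lime
if [ $# -gt 0 ]; then
    lime_walk "$1"
fi
```

Run it against the dump before copying it to the analysis box; a clean exit with one line per range means the headers chain all the way to the end of the file, so a later Volatility failure points at the profile rather than at a broken capture.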

Creating Volatility profile

Same comment as above, you want to run these commands on a server which is an identical copy of the victim. 

  1. sudo apt install zip unzip dwarfdump build-essential
  2. wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
  3. unzip volatility-2.6.zip
  4. cd volatility-master/tools/linux/
  5. make
  6. sudo zip linux_`uname -r`.zip module.dwarf /boot/System*`uname -r`
  7. scp the zipped file off 
  8. Copy the file to volatility-master/volatility/plugins/overlays/linux/ on your analysis machine

Remote capture with Margarita shotgun:

I recently compared two tools for remote capture, LiMEaide (https://github.com/kd8bny/LiMEaide) and Margarita shotgun (https://github.com/ThreatResponse/margaritashotgun). I would recommend you use Margarita shotgun and not LiMEaide, as LiMEaide stomps all over the disk drive, which could overwrite data in unallocated sectors that were recently freed by file deletion. 

How to use Margarita Shotgun on analyst machine:
  1. Install with pip install margaritashotgun
  2. Run margaritashotgun --server [server IP] --username [username] --key [key.pem] --module [lime-module].ko --filename memory_dump.lime
The victim machine simply needs insmod available. 
