Manual method
Creating the kernel module with LiME
Ideally you want to log onto a copy of the victim machine, making sure it is the same distro and kernel version as the victim. Building there rather than on the victim itself means you do not stomp over potentially deleted files on the victim's disk.
- sudo apt-get install build-essential
- git clone https://github.com/504ensicsLabs/LiME
- cd LiME/src/
- make
- scp the .ko file off this machine
- Copy the .ko file to the actual victim machine
- Execute insmod lime_module.ko "path=/tmp/images/ram.lime format=lime"
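The steps above load LiME on the victim with a hand-typed insmod line. The script below is an added example (not code from the original post or from the LiME project) that wraps that step in the checks an analyst usually wants: that the .ko was really built for the running kernel (the point of building on an identical copy), that the image is not being written onto the victim's root filesystem, and that a hash of the dump is recorded straight away. The module filename, the /mnt/evidence path and the function names are assumptions for illustration; the LiME parameters (path=, format=raw|padded|lime, and path=tcp:<port>) are the module's real options.

```sh
#!/bin/sh
# Added example, not code from the original post or from the LiME project.
# Pre-flight checks before loading LiME on the victim, then a hash of the
# resulting dump. /mnt/evidence and the module name are assumed paths.

# Compare the kernel version baked into the module (first token of its
# vermagic string) with the running kernel release.
#   $1 = vermagic string, e.g. "5.4.0-42-generic SMP mod_unload modversions"
#   $2 = running kernel release, i.e. the output of `uname -r`
ko_matches_kernel() {
    vermagic_kernel=$(printf '%s' "$1" | cut -d' ' -f1)
    [ "$vermagic_kernel" = "$2" ]
}

# Build the LiME parameter string. path= may be a file or tcp:<port>
# (LiME then serves the image over the network instead of writing to disk).
#   $1 = output path, $2 = format (raw, padded or lime)
lime_params() {
    case "$2" in
        raw|padded|lime) ;;
        *) echo "unsupported LiME format: $2" >&2; return 1 ;;
    esac
    printf 'path=%s format=%s' "$1" "$2"
}

# Refuse to drop the image on the same filesystem as the victim's root, since
# that is exactly the disk whose unallocated sectors we want to preserve.
#   $1 = directory the image will be written to
output_not_on_root_fs() {
    out_dev=$(df -P "$1" | awk 'NR==2 {print $1}')
    root_dev=$(df -P / | awk 'NR==2 {print $1}')
    [ -n "$out_dev" ] && [ "$out_dev" != "$root_dev" ]
}

# Full acquisition: checks, insmod, then hash the dump and unload the module.
#   $1 = path to the LiME .ko, $2 = output image path (file or tcp:<port>)
acquire() {
    ko="$1"; out="$2"
    vermagic=$(modinfo -F vermagic "$ko") || return 1
    if ! ko_matches_kernel "$vermagic" "$(uname -r)"; then
        echo "module built for '$vermagic', running $(uname -r)" >&2
        return 1
    fi
    case "$out" in
        tcp:*) ;;
        *) output_not_on_root_fs "$(dirname "$out")" || {
               echo "refusing to write $out onto the root filesystem" >&2
               return 1
           } ;;
    esac
    params=$(lime_params "$out" lime) || return 1
    insmod "$ko" "$params" || return 1   # insmod returns once the dump is done
    rmmod lime                            # LiME's module name is "lime"
    case "$out" in
        tcp:*) ;;
        *) sha256sum "$out" > "$out.sha256" ;;   # record integrity immediately
    esac
}

# Usage (assumed paths): acquire "./lime-$(uname -r).ko" /mnt/evidence/ram.lime
```

The root-filesystem check is deliberately strict: an image of RAM is typically gigabytes, and writing it onto the victim's own disk is the single largest way an acquisition overwrites recently freed sectors. Use external media mounted read-write, or the tcp: path to stream to the analyst host, instead.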
Creating Volatility profile
Same comment as above, you want to run these commands on a server which is an identical copy of the victim.
- sudo apt install zip unzip dwarfdump build-essential
- wget http://downloads.volatilityfoundation.org/releases/2.6/volatility-2.6.zip
- unzip volatility-2.6.zip
- cd volatility-master/tools/linux/
- make
- sudo zip linux_`uname -r`.zip module.dwarf /boot/System*`uname -r`
- scp the zipped file off
- Copy the file to volatility-master/volatility/plugins/overlays/linux/ on your analysis machine
Remote capture with Margarita shotgun:
I recently compared two tools for remote capture, LiMEaide (https://github.com/kd8bny/LiMEaide) and Margarita shotgun (https://github.com/ThreatResponse/margaritashotgun). I would recommend Margarita shotgun rather than LiMEaide, as LiMEaide stomps all over the disk drive, which can overwrite data in unallocated sectors that were recently freed by file deletion.
How to use Margarita Shotgun on analyst machine:
- Install with pip install margaritashotgun
- Run margaritashotgun --server [server IP] --username [username] --key [key.pem] --module [lime-module].ko --filename memory_dump.lime
The victim machine simply needs insmod available.