
Creating Volatility Linux Profiles (Debian/Ubuntu)

Debian/Ubuntu:

1.) Install the OS in your VM (e.g. ubuntu-13.10-desktop-amd64.iso)

2.) Fingerprint OS and kernel

$ uname --help
Usage: uname [OPTION]...
Print certain system information.  With no OPTION, same as -s.

  -a, --all                print all information, in the following order,
                             except omit -p and -i if unknown:
  -s, --kernel-name        print the kernel name
  -n, --nodename           print the network node hostname
  -r, --kernel-release     print the kernel release
  -v, --kernel-version     print the kernel version
  -m, --machine            print the machine hardware name
  -p, --processor          print the processor type or "unknown"
  -i, --hardware-platform  print the hardware platform or "unknown"
  -o, --operating-system   print the operating system
      --help     display this help and exit
      --version  output version information and exit

$ uname -a
$ uname -mrs

3.) Install Subversion in your VM and download Volatility

$ sudo apt-get install -y subversion-tools
$ sudo svn checkout http://volatility.googlecode.com/svn/trunk/ volatility

[Screenshot: Installing Volatility]

4.) Installing dwarfdump

$ sudo apt-get install dwarfdump

5.) Creating the kernel data structures file using dwarfdump
a) Creating vtypes

$ sudo chown -R evild3ad /home/evild3ad/volatility/tools/linux/
$ cd /home/evild3ad/volatility/tools/linux/
$ make
$ ls -l
--> module.dwarf is created


b) Getting symbols

$ cd
$ cd ..
$ cd ..
$ cd boot
$ ls -l
--> Look for the System.map-* that matches your current kernel release from uname -r (e.g. System.map-3.11.0-17-generic)


c) Making the profile

$ cd
$ sudo zip volatility/volatility/plugins/overlays/linux/ubuntu-13.10-desktop-amd64_3.11.0-17-generic.zip volatility/tools/linux/module.dwarf /boot/System.map-3.11.0-17-generic
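As an added example that is not part of the original post, this script wraps steps 5a to 5c: it sanity-checks module.dwarf, locates the System.map for the given kernel release (a mismatched map makes the profile useless against the image) and zips both into a profile named after the distro and kernel. The distro label, the volatility directory and the /boot path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's or the Volatility project's own code.
# Builds a Volatility Linux profile zip from module.dwarf and System.map.

# Name the profile the way the post does: <distro>_<kernel release>.zip
profile_name() {
    distro="$1"; release="$2"
    printf '%s_%s.zip\n' "$distro" "$release"
}

# Locate the System.map belonging to a kernel release in a boot directory.
# Prints the path, or returns 1 if there is none.
find_system_map() {
    bootdir="$1"; release="$2"
    map="$bootdir/System.map-$release"
    [ -f "$map" ] || return 1
    printf '%s\n' "$map"
}

# Sanity check on module.dwarf: it must be non-empty and carry the
# task_struct type that the Linux plugins depend on.
check_dwarf() {
    dwarf="$1"
    [ -s "$dwarf" ] || return 1
    grep -q 'task_struct' "$dwarf"
}

# Pack module.dwarf and the matching System.map into the overlays directory.
build_profile() {
    voldir="$1"; distro="$2"; release="$3"; bootdir="${4:-/boot}"
    dwarf="$voldir/tools/linux/module.dwarf"
    check_dwarf "$dwarf" || { echo "bad or missing $dwarf" >&2; return 1; }
    map=$(find_system_map "$bootdir" "$release") || {
        echo "no System.map for $release in $bootdir" >&2; return 1; }
    out="$voldir/volatility/plugins/overlays/linux/$(profile_name "$distro" "$release")"
    # -j stores the two files without their directory paths
    zip -j "$out" "$dwarf" "$map"
}

# Usage (assumed paths): sh make_profile.sh ~/volatility ubuntu-13.10-desktop-amd64 "$(uname -r)"
[ $# -eq 0 ] || build_profile "$@"
```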


Downloads:
Ubuntu-13.10-desktop-i386_3.11.0-17-generic.zip
Ubuntu-13.10-desktop-amd64_3.11.0-17-generic.zip

Links:
Linux Memory Forensics
Volatility Linux Profiles
Volatility Linux Profiles by Ken Pryor
Volatility Linux Profiles by F-INSIGHT
Second Look | Linux Memory Images
