Creating Volatility Linux Profiles (openSUSE)

1.) Install OS in your VM (e.g. openSUSE-13.1-DVD-x86_64.iso)

[Screenshot: openSUSE-13.1]

2.) Fingerprint OS and kernel

$ uname -a

3.) Install Subversion in your VM and download Volatility

$ sudo zypper install subversion
$ sudo svn checkout http://volatility.googlecode.com/svn/trunk/ volatility

4.) Installing libdwarf-tools

$ sudo zypper install libdwarf-tools

[Screenshot: Installing libdwarf-tools]

5.) Creating the kernel data structures file using libdwarf-tools

[Screenshot: Software Manager - YaST]

a) Install the following packages via YaST:
make
gcc
kernel-devel

[Screenshot: kernel-devel]

b) Creating vtypes

$ sudo chown -R evild3ad /home/evild3ad/volatility/tools/linux/
$ cd /home/evild3ad/volatility/tools/linux/
$ make
$ ls -l
--> module.dwarf is created

c) Getting symbols

$ cd
$ cd ..
$ cd ..
$ cd boot
$ ls -l
--> Look for System.map-* and your current kernel release (e.g. System.map-3.11.10-7-desktop)

d) Making the profile

$ cd
$ sudo zip volatility/volatility/plugins/overlays/linux/openSUSE-13.1-x86_64_3.11.10-7-desktop.zip volatility/tools/linux/module.dwarf /boot/System.map-3.11.10-7-desktop

[Screenshot: Making the profile]
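As an added example (not part of the original post): a small POSIX shell helper that checks the module.dwarf / System.map pair against the kernel release you are going to image before zipping them, so that a profile built from the wrong System.map (a common cause of "no suitable address space" errors) is caught early. The function names, the checks and the use of zip -j (files stored flat, while the original command stores them with their directory paths) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the blog's own code: validate the inputs of a Volatility
# Linux profile and then build the zip.
#
# Usage: sh make_profile.sh <module.dwarf> <System.map-RELEASE> <RELEASE> <out.zip>
#   RELEASE is normally "$(uname -r)" on the VM that was fingerprinted in step 2.

# Return 0 if <dwarf> and <sysmap> look like a consistent pair for <release>,
# 1 otherwise (reason printed on stderr).
check_profile_inputs() {
    dwarf="$1"; sysmap="$2"; release="$3"

    # module.dwarf is the dwarfdump text of the module built in tools/linux;
    # an empty file means the make step failed (usually missing kernel-devel).
    [ -s "$dwarf" ] || { echo "missing or empty dwarf file: $dwarf" >&2; return 1; }
    grep -q 'task_struct' "$dwarf" \
        || { echo "dwarf has no task_struct type, was make run?" >&2; return 1; }

    # System.map must carry the symbols the Linux plugins start from.
    [ -s "$sysmap" ] || { echo "missing or empty System.map: $sysmap" >&2; return 1; }
    grep -q ' init_task$' "$sysmap" \
        || { echo "System.map lacks init_task symbol" >&2; return 1; }

    # The map's file name suffix must be the release of the imaged kernel,
    # otherwise the profile will parse but resolve the wrong addresses.
    case "$(basename "$sysmap")" in
        "System.map-$release") ;;
        *) echo "System.map does not match kernel release $release" >&2; return 1 ;;
    esac
    return 0
}

# Build the profile zip (needs the zip utility); -j drops directory prefixes
# so the archive holds module.dwarf and System.map-RELEASE at top level.
make_profile() {
    dwarf="$1"; sysmap="$2"; release="$3"; out="$4"
    check_profile_inputs "$dwarf" "$sysmap" "$release" || return 1
    zip -j "$out" "$dwarf" "$sysmap"
}

if [ "$#" -eq 4 ]; then
    make_profile "$1" "$2" "$3" "$4"
fi
```

Run it from your home directory as `sh make_profile.sh volatility/tools/linux/module.dwarf /boot/System.map-$(uname -r) $(uname -r) volatility/volatility/plugins/overlays/linux/openSUSE-13.1-x86_64_$(uname -r).zip`.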

Downloads:
OpenSUSE-13.1-i586_3.11.10-7-desktop.zip
OpenSUSE-13.1-x86_64_3.11.10-7-desktop.zip

Links:
Linux Memory Forensics
Volatility Linux Profiles
Volatility Linux Profiles by Ken Pryor
Volatility Linux Profiles by F-INSIGHT
Second Look | Linux Memory Images