Linux Memory Analysis: How to Start and What You Need to Know

Are you ready to dive into the exciting world of memory analysis?!? No? Well that’s too bad because you need to know it. There’s an old saying in InfoSec, “The packet doesn’t lie.” Well the same is true for memory analysis. It simply is what it is and because of that, can provide a wealth of information concerning a systems state. In some ways it’s similar in nature to our previous “Threat Hunting with Bro IDS” article.

This will probably be a multi part series. With this first post covering the basics of capturing memory images in Linux using LiME and testing with Volatility. Which is a great start for memory analysis. And another article digging much deeper into using my favorite memory analyzer Volatility.

Working with memory dumps in Linux is rather different than when dealing with Windows. But don’t worry little Padawan, it’s almost certainly worth it. Ok so before we begin.

Here’s what will happen at a high level:

1) We’ll first make sure our Ubuntu 16.04 Server box is completely upgraded.
2) Next we will install the proper dependancies for both LiME and Volatility.
3) We’ll install and configure LiME.
4) Then we’ll install and configure Volatility.
5) Finally we’ll create a test memory dump for the memory analysis. And use it to test that Volatility is working.

And here we go.

First make sure we’re starting off in our home directory. In my case it’s
/home/i3carebears

System Update and Dependancies

Now let’s start the installation. We’ll start by making sure our system is up to date. Then that all of the dependancies needed have been installed.

sudo apt-get update
sudo apt-get upgrade 
sudo apt-get install build-essential 
sudo apt-get install linux-headers-`uname -r` 
sudo apt-get install git python dwarfdump zip python-distorm3 python-crypto

Installing LiME for Linux Memory Analysis

Next let’s get LiME installed and configured.

git clone https://github.com/504ensicsLabs/LiME
cd LiME/src/
make

We’re interested in the last line of the “make” output which shows us the kernel we need to use. In my case it’s lime-4.4.0-89-generic.ko. And now we can load our kernel module.

sudo insmod lime-4.4.0-89-generic.ko "path=/tmp/test.mem format=lime”

The above command has loaded LiME and created our test snapshot of the systems memory that we’ll use for the forensic test analysis and placed it in the /tmp directory with the name “test.mem”. The “format=lime” is the default LiME format that we’ll save the memory image in. Volatility can easily recognize the lime format so this works out best. See, linux memory analysis isn’t as tough as you thought!

Installing Volatility

Now we need to create our Linux profile so that we can tell Volatility exactly what system/kernel we’re on. We begin by installing Volatility.

cd ../../
git clone https://github.com/volatilityfoundation/volatility
cd volatility/tools/linux/
make clean
make

Out next step is to locate our system map which tells Volatility how are memory analysis snapshot is structured. In Ubuntu this can typically be found in /boot/ so,

ls -al /boot/

Creating Volatility Profile

We’ll be using the System.map-4.4.0-89-generic file as it matches our lime-4.4.0-89-generic.ko file. We saw this when we first installed LiME. Now we’re going zip up both the module.dwarf file made by Volatility and our System map which results in creating the profile we need for Volatility to work properly. This step is vital for our memory analysis to not have issues.

cd ../../
sudo zip volatility/plugins/overlays/linux/Ubuntu160403-040400-89.zip tools/linux/module.dwarf /boot/System.map-4.4.0-89-generic

Running Volatility

Now we’ll check to see that Volatility has everything it needs to run properly.

python vol.py --info | grep Linux

As we can see Volatility now has the proper profile to use. In my case it’s called LinuxUbuntu160403-040400-89×64.

Let’s look and see what kind of plugins we can have Volatility run on our Linux memory snapshot. To do this we’ll run the following command.

python ./vol.py --info | grep -i linux_

Now let’s pick an interesting plugin and run it against our saved memory snapshot located in /tmp. The linux_bash is pretty interesting because it should show us the Bash commands that were ran prior to taking our snapshot.

sudo python vol.py -f /tmp/test.mem --profile=LinuxUbuntu160403-040400-89x64 linux_bash

You’ll notice that in this case we needed to run the command as “sudo”. As a result of us creating the memory snapshot /tmp/test.mem we ran “insmod” under “sudo” but you could simply change the test.mem file permissions if you wanted to.

Sending Memory Dumps over Network

Although we won’t get into it in this article, I wanted to let you know that you can also send the memory snapshots over the network if you wanted to another box. There are a lot of options with this but a simple example would look like this.

sudo insmod lime-4.4.0-89-generic.ko "path=tcp:7777 format=lime"
nc localhost 7777 > ram.lime

Finally, this has just a small taste into the wonders of Linux Memory Analysis. In another article we’ll start to deep dive into Memory Forensics using Volatility so make sure to follow me on Twitter at https://twitter.com/jamesbower to know when that comes out.