Incident Response Tips

Linux Memory Forensics Part 1 - Learn about memory dump tools

Author: Daniel Lubel, Senior Purple Team Researcher

 

In order to test some of our memory forensics capabilities, we infected a Linux Ubuntu with a rootkit that can be found here - https://github.com/f0rb1dd3n/Reptile

In this post we will demonstrate the memory acquisition process, and in the next post we will write about the process of detecting malicious artifacts.

There are several tools that can be used to get a memory dump in Linux, but there is one tool that we use most of the time - LiME.

On a building machine:

These steps should be performed on a system with the same kernel as the target system (preferably not on the target system itself, so it won’t make noise):

  1. Download the tool LiME from github

    sudo wget https://github.com/504ensicsLabs/LiME/archive/v1.9.tar.gz

  2. Unpack it

    sudo tar xvfz v1.9.tar.gz

  3. Go to the source directory

    cd LiME-1.9/src

  4. Build the module

    sudo make

The result should be a file named lime-<the kernel version>.ko (for example: lime-3.13.0-53-generic.ko)

On the target machine:

  1. Get the module for the target machine (wget, curl, scp, cp or any other way)
  2. Take the memory dump by loading it to the kernel

    sudo insmod lime-$(uname -r).ko "path=/tmp/mem.lime format=lime"

  3. Copy it from the path in the previous command line to another machine (using scp/winscp or copy to external HD or any other option)

For further analysis with volatility, you will need to supply a working profile.

If you’re lucky there is an existing profile for your system, otherwise you are going to need to build it by yourself.

Build a profile:

Profiles must match the exact OS type (CentOS, OpenSuSE, Ubuntu, …). architecture (x86, x64, ARM, …) and OS Version (uname -r), so you need to build it on such a system (as you would do with LiME).

On the building host:

  1. Install volatility

    sudo git clone https://github.com/volatilityfoundation/volatility

  2. Install dwarfdump

    sudo apt install dwarfdump

  3. Go to linux tools directory

    cd volatility/tools/linux/

  4. Build the profile  
    sudo make -C /lib/modules/$(uname -r)/build/ CONFIG_DEBUG_INFO=y M=$PWD modules

    dwarfdump -di ./module.o > ~/dwarf

    cd ~/Desktop

    sudo zip Ubuntu-$(uname -r).zip module.dwarf /boot/System.map-$(uname -r)

On your investigation machine:

  1. Copy the zip you created in the last step from the building host to your machine

  2. Assuming you have volatility installed there (if not, then install), copy that zip to the profiles location

    sudo cp Ubuntu-*.zip volatility/volatility/plugins/overlays/linux/
  3. Check that you can see the new profile with volatility
    python vol.py --info | grep Linux

  4. Run a plugin to make sure that everything is working

    python vol.py -f <path to the mem dump> --profile=<profile name> linux_mount

If it doesn’t work, it will probably print the following error: “No suitable address space mapping found”. In this case, something went wrong and it is recommended to follow your steps and try again. There is also a chance that the memory dump itself came corrupted or something, so if all the steps were correct and worked as expected you can try to use a different acquisition tool.

In the next post, we will write about the detection of malicious artifacts, stay tuned!

 

<< BACK TO RESOURCES