In order to test some of our memory forensics capabilities, we infected an Ubuntu Linux machine with a rootkit that can be found here - https://github.com/f0rb1dd3n/Reptile
In this post we will demonstrate the memory acquisition process, and in the next post we will write about the process of detecting malicious artifacts.
There are several tools that can be used to get a memory dump in Linux, but there is one tool that we use most of the time - LiME.
On a building machine:
These steps should be performed on a system with the same kernel as the target system (preferably not on the target system itself, so that you don’t leave traces in the memory you are about to acquire):
- Download the tool LiME from github
sudo wget https://github.com/504ensicsLabs/LiME/archive/v1.9.tar.gz
sudo tar xvfz v1.9.tar.gz
- Go to the source directory
cd LiME-1.9/src
- Build the module
make
The result should be a file named lime-<the kernel version>.ko (for example: lime-3.13.0-53-generic.ko)
On the target machine:
- Get the module for the target machine (wget, curl, scp, cp or any other way)
- Take the memory dump by loading it to the kernel
sudo insmod lime-$(uname -r).ko "path=/tmp/mem.lime format=lime"
- Copy it from the path in the previous command line to another machine (using scp/winscp, copying to an external HD, or any other option)
For further analysis with volatility, you will need to supply a working profile.
If you’re lucky there is an existing profile for your system, otherwise you are going to need to build it by yourself.
Build a profile:
Profiles must match the exact OS type (CentOS, OpenSuSE, Ubuntu, …), architecture (x86, x64, ARM, …) and OS version (uname -r), so you need to build it on such a system (as you would do with LiME).
On the building host:
sudo git clone https://github.com/volatilityfoundation/volatility
sudo apt install dwarfdump
- Go to the linux tools directory
cd volatility/tools/linux
- Build the profile
sudo make -C /lib/modules/$(uname -r)/build/ CONFIG_DEBUG_INFO=y M=$PWD modules
dwarfdump -di ./module.o > module.dwarf
sudo zip Ubuntu-$(uname -r).zip module.dwarf /boot/System.map-$(uname -r)
On your investigation machine:
- Copy the zip you created in the last step from the building host to your machine
- Assuming you have volatility installed there (if not, then install it), copy that zip to the profiles location
sudo cp Ubuntu-*.zip volatility/volatility/plugins/overlays/linux/
- Check that you can see the new profile with volatility
python vol.py --info | grep Linux
- Run a plugin to make sure that everything is working
python vol.py -f <path to the mem dump> --profile=<profile name> linux_mount
If it doesn’t work, it will probably print the following error: “No suitable address space mapping found”. In this case, something went wrong and it is recommended to retrace your steps and try again. There is also a chance that the memory dump itself is corrupted or truncated, so if all the steps were correct and worked as expected you can try a different acquisition tool.
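One way to tell a corrupted dump from a profile mismatch before retrying: the following added Python script (not part of the original post) walks the LiME header chain of a dump (one 32-byte header per memory range: magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes) and fails on a bad magic, wrong version or a range cut short. The sample dump it parses is constructed in memory.

```python
import struct

# LiME range header (lime.h): u32 magic, u32 version, u64 s_addr, u64 e_addr, 8 reserved bytes
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45   # shows up as "EMiL" in a hex dump of the file
LIME_VERSION = 1


def parse_lime(data):
    """Walk the header chain of a LiME dump and return its memory ranges.

    Each entry is (s_addr, e_addr, file_offset, size). A bad magic, wrong
    version or a range cut short raises ValueError; these are the kinds of
    damage that leave Volatility with no usable address space.
    """
    ranges = []
    offset = 0
    while offset < len(data):
        if offset + LIME_HEADER.size > len(data):
            raise ValueError("truncated header at offset 0x%x" % offset)
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, offset))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end below start at offset 0x%x" % offset)
        size = e_addr - s_addr + 1   # e_addr is inclusive
        data_offset = offset + LIME_HEADER.size
        if data_offset + size > len(data):
            raise ValueError("range 0x%x-0x%x is cut short (dump truncated?)" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, data_offset, size))
        offset = data_offset + size
    return ranges


def build_lime(segments):
    """Constructed test dump: segments is a list of (s_addr, payload bytes)."""
    out = b""
    for s_addr, payload in segments:
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, s_addr, s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


# Constructed sample: two physical ranges, like the "System RAM" entries a real dump would hold.
SAMPLE = build_lime([(0x1000, b"A" * 4096), (0x100000, b"B" * 1024)])

if __name__ == "__main__":
    for s, e, off, size in parse_lime(SAMPLE):
        print("range 0x%x-0x%x: %d bytes at file offset 0x%x" % (s, e, size, off))
```

Point parse_lime at the bytes of /tmp/mem.lime and it either lists every range or names the offset where the file stops making sense.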
In the next post, we will write about the detection of malicious artifacts, stay tuned!