Profile

Volatility uses an operating system (OS) specific profile to interpret memory structures. Volatility 3 recognizes the OS automatically from the OS's symbol table. For Volatility 2, the profile must be specified on the command line.

Volatility3

To add more OS symbol tables, place them in volatility3/volatility/symbols (download them via the link above):

Volatility2

Get profile name

  • Windows

python2 vol.py -f memory.dmp imageinfo

  • Mac

python2 vol.py -f memory.dmp mac_get_profile

  • Linux

strings memory.dmp | grep -E "Linux version [0-9]"
grep -aiB 1 "Codename:" memory.dmp | tail -n+10

Available / Downloadable profile

To list the available profiles:

python2 vol.py -h
python2 vol.py --info

If the profile is not in the list of profiles shipped with Volatility:

  1. Download the profile from the profile repositories provided by Volatility

  2. Place the zip file in volatility2/volatility/plugins/overlays/mac or volatility2/volatility/plugins/overlays/linux

Create Linux profile

In the case of a Linux profile not directly downloadable, it is possible to create it.

What does a Linux Volatility profile contain?

It is a zip archive containing two files: a module.dwarf file and a System.map file.

File System.map :

In Linux, the System.map file is a symbol table used by the kernel. A symbol table is a look-up between symbol names and their addresses in memory. A symbol name may be the name of a variable or the name of a function. The System.map is required when the address of a symbol name, or the symbol name of an address, is needed. It is especially useful for debugging kernel panics and kernel oopses. The kernel does the address-to-name translation itself when CONFIG_KALLSYMS is enabled so that tools like ksymoops are not required. https://en.wikipedia.org/wiki/System.map

File module.dwarf :

DWARF is a widely used, standardized debugging data format. DWARF was originally designed along with Executable and Linkable Format (ELF), although it is independent of object file formats. The name is a medieval fantasy complement to "ELF" that had no official meaning, although the backronym "Debugging With Arbitrary Record Formats" has since been proposed. https://en.wikipedia.org/wiki/DWARF

Profile creation using Docker

  1. Replace the automatic kernel detection in the Makefile with a static value, your target Linux kernel; in this case the profile is for the Ubuntu Linux kernel 5.4.0-59-generic

cd volatility2/tools/linux/
sed -i 's/$(shell uname -r)/5.4.0-59-generic/g' Makefile

  2. Run a Docker container that matches the target operating system and install the kernel image, headers and build tools

docker run -it --rm -v $PWD:/volatility ubuntu:20.04 /bin/bash
apt update && apt install -y linux-image-5.4.0-59-generic linux-headers-5.4.0-59-generic build-essential dwarfdump make zip

  3. Create the dwarf file with the Volatility tool

cd /volatility/
make

  4. Create a zip archive containing the dwarf file and the System.map

zip Ubuntu2004.zip module.dwarf /boot/System.map-5.4.0-59-generic

You now have an Ubuntu2004.zip archive containing the correct profile.

  5. Copy the zip file to the host

exit
docker cp <CONTAINER_ID>:/volatility/ ./<folder_on_the_host>

  6. Copy the zip file to the Volatility profile folder

cp Ubuntu2004.zip volatility2/volatility/plugins/overlays/linux/
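Before dropping the archive into the overlays folder it is worth checking that it really holds one module.dwarf and one System.map, and that the System.map parses as the name-to-address table described above. The script below is an added example, not code from the Volatility project; it builds a constructed in-memory stand-in for Ubuntu2004.zip (the DWARF member is a placeholder, the System.map lines are constructed) and resolves symbols in both directions, including the address-to-nearest-symbol lookup that kallsyms performs.

```python
# Added example (not Volatility's own code): parse a profile's System.map,
# resolve symbols both ways, and sanity-check a profile zip's contents.
import io
import re
import zipfile

# Constructed System.map excerpt: "<hex address> <type> <name>" per line.
SAMPLE_SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81001000 T do_syscall_64
ffffffff82a00000 D init_task
ffffffff82c12340 B modules
"""
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$")


def parse_system_map(text):
    """Return {symbol_name: address}; malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            table[m.group(3)] = int(m.group(1), 16)
    return table


def address_to_symbol(table, addr):
    """Nearest symbol at or below addr plus the offset, as kallsyms reports it."""
    below = [(a, n) for n, a in table.items() if a <= addr]
    if not below:
        return None
    base, name = max(below)
    return name, addr - base


def check_profile_zip(data):
    """True when the zip holds exactly one .dwarf and one System.map file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    dwarf = [n for n in names if n.endswith(".dwarf")]
    sysmap = [n for n in names if "System.map" in n]
    return len(dwarf) == 1 and len(sysmap) == 1, dwarf, sysmap


def build_sample_profile():
    """Constructed in-memory stand-in for Ubuntu2004.zip (placeholder DWARF)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "placeholder, not real DWARF")
        zf.writestr("System.map-5.4.0-59-generic", SAMPLE_SYSTEM_MAP)
    return buf.getvalue()
```

To check a real archive, pass `open("Ubuntu2004.zip", "rb").read()` to `check_profile_zip` and the extracted System.map text to `parse_system_map`.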

Use profile

Specify the profile on the command line:

python2 vol.py --profile=Win7SP1x64 -f memory.dmp -h
python2 vol.py --profile=LinuxUbuntu2004x64 -f memory.dmp -h
python2 vol.py --profile=MacMountainLion_10_8_1_AMDx64 -f memory.dmp -h
