@heywoodlh

heywoodlh thoughts

Using Volatility on Arch Linux

This article will walk through using Volatility on Arch Linux. Volatility’s documentation didn’t make too much sense to me with generating profiles so I am taking it upon myself to write up how I set it up. Also, Volatility is written in Python 2 and I don’t like having that installed on my system, so I created a Docker image to fill that need.

Prerequisites: #

The following is assumed:

  • Docker is installed and setup (to actually run my Volatility container)
  • Your system is up-to-date and on the latest kernel (sudo pacman -Syu && sudo reboot if you aren’t sure)

Install Dependencies: #

Install LiME: #

LiME is a tool made for dumping the volatile memory in Linux.

sudo git clone https://github.com/504ensicsLabs/LiME /opt/lime &&\
    sudo chown -R $USER /opt/lime/ &&\
    cd /opt/lime/src &&\
    make

Install Other System Packages: #

The libdwarf package will be used to create a Volatility profile. It allows us to collect kernel configuration information such as supported kernel symbols, modules, etc. We also need to install the Linux kernel headers. Switch linux-headers with whatever kernel headers if you’re using a custom kernel (like linux-lts, linux-hardened, etc.).

sudo pacman -Sy libdwarf linux-headers zip git asp --noconfirm

Building a Volatility Profile: #

Let’s create a directory where all our files will be going:

mkdir -p /tmp/volatility_demo

Like, I said earlier, Volatility is written in Python 2. So we won’t actually use vol.py on our system (since Arch doesn’t have Python 2 installed by default – nor do we want that). But the repository has some tools to easily create a profile so we will clone it into the tmp directory:

git clone https://github.com/volatilityfoundation/volatility.git /tmp/volatility

Now create the dwarf file:

cd /tmp/volatility/tools/linux &&\
    make dwarf

Now let’s create the Volatility profile:

sudo zip /tmp/volatility_demo/Arch.zip /tmp/volatility/tools/linux/module.dwarf /usr/lib/modules/$(uname -r)/build/System.map

Create a Memory Image With LiME: #

Let’s create a memory dump in our staging directory (this will take a while):

sudo insmod /opt/lime/src/lime-*.ko "format=lime path=/tmp/volatility_demo/arch-memory.lime digest=sha512"

Get Volatility Ready: #

Create a config file ~/.volatilityrc with the following content:

[DEFAULT]
PROFILE=LinuxArchx64
LOCATION=file:///data/arch-memory.lime
PLUGINS=/data

For ease of use, let’s create a BASH alias for vol.py so you don’t have to run a super long docker run command every time:

alias vol.py="docker run -it --rm -v ~/.volatilityrc:/root/.volatilityrc -w /data -v ${PWD}:/data heywoodlh/volatility --conf-file /root/.volatilityrc $@"

Now, make sure you are in the staging directory, and then run my Volatility Docker image to check if the Profile we made earlier is correct:

cd /tmp/volatility_demo &&\
    vol.py --info | grep Arch

The output should include LinuxArchx64 as one of the profiles. If the name is something else, change the PROFILE setting in your ~/.volatilityrc config.

Once that is set, you are basically good to use Volatility on the image we’ve created. You might want to set that vol.py alias in a relevant BASH configuration file so that it persists if that’s what you desire.

Here are some example commands that you could run:

vol.py linux_banner

vol.py linux_bash

vol.py linux_hidden_modules
Written on March 26, 2020

linux security