Forensic main memory analysis with Volatility


All Set Up

A prebuilt memory image from a book by the Volatility authors [13] was used for all the examples in this article. After downloading and unpacking the ZIP file, you will find a subdirectory named linux with the archive that needs to be moved to the previously created profiles folder. Whether you use mv, cp, or a hard link is a matter of taste; a symlink did not work on my lab computer. The command

./vol --plugin=profiles/ --info | grep -i book

should return the output:

Volatility Foundation Volatility Framework 2.6
Linuxbookx64 - A Profile for Linux book x64

If Volatility does not find the profile, the plugin directory may be incorrect. To search several folders, separate their names with colons.

Lazy users can also create a Volatility configuration file, which saves having to type long parameters and lets you reconstruct the settings later. The tool expects its setup either in ~/.volatilityrc or in the current directory in the volatilityrc file. Listing 1 shows an example that defines the plugin directory, a profile, and an image. Alternatively, you can specify the image with the -f switch:

Listing 1


./vol --plugin=profiles/ --profile=Linuxbookx64 -f AMF_MemorySamples/linux/linux-sample-1.bin

The order of the parameters is important: If --profile precedes --plugin, the tool will not find the profile. If you specify a path to the profiles in the configuration file, you also need to assign a name for the profile, because command-line options take priority over the setup file.

A Question of Trust

A first look into the memory image with the ./vol linux_pslist command returns a ps-style list. The tool also supports linux_psaux, linux_psenv, and linux_pstree (Figure 1). The lists come from a data structure (defined in sched.h) in which the kernel manages processes.

Figure 1: The output generated by the Volatility linux_pstree command is similar to the output generated by the Linux pstree command.

Kernel processes are easily recognized because they have no address translation entry in the Directory Table Base (DTB); however, is this output trustworthy? Can an attacker manipulate it? One simple approach to spoofing can be found in the base.c file in the sources of older kernel versions:

res = access_process_vm(task, mm->arg_start, buffer, len, 0);

For each entry in the process list, the kernel reads the shell environment variables. A process that manipulates its environment could therefore appear under a different name.

Because forensic experts must always assume that attackers know the targets at least as well as they do, it is essential to verify the retrieved process list. Volatility offers the linux_psscan command, which does not search the kernel data structures for processes, but the whole memory, where an attacker cannot conceal their actions as easily. Manual adjustment of linux_pslist and linux_psscan is not necessary, because linux_psxview provides a plain text table showing where processes exist.

If you run the commands against the sample image, you will notice that linux_psscan displays numerous processes that linux_pslist does not find. These could be threads that the volatility plugin linux_threads can identify, but an immediately plausible explanation is not always obvious. The swapper process, for example, is missing in both lists, which is certainly allowed as part of the scheduler – it manages idle.

Tracking Rootkits

Sometimes it makes sense to create an overview first. Admins who are wondering if a machine is infected by a rootkit [14] can also turn to Volatility. The tool has several plugins that can provide information, including the command

./vol --plugin=profiles/ linux_check_idt

which returns the interrupt descriptor table (Figure 2). If a redirected (hooked) entry is present, the evidence of a manipulated system is strong. The same applies to the exception handlers and the system calls. Just like lsof, linux_lsof looks for the open files of a process; linux_chk_tty and linux_keyboard_notifier check whether an attacker has installed a typical keymapper. Volatility also determines the ARP table, open network connections, mounted filesystems, or kernel modules in use – you can find plugins for almost everything (a complete overview is available in the wiki on GitHub [12]).

Figure 2: Everything seems to be fine: The interrupt service routines are not redirected.

Why should an admin resort to Volatility when looking for rootkits and not a special malware scanner that analyzes the disk? A rootkit in memory will not be affected by the check, which increases the chances of discovering the attacker. If a suspicious process is identified, linux_proc_maps returns the memory content for better analysis.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Forensic Analysis on Linux

    In computer forensics, memory analysis is becoming increasingly important as a means for investigating security incidents. In this article, we provide an overview of the various memory dumping options on Linux and introduce the support in Linux for the Volatility Analysis Framework.

  • Malware Analysis
    We show you how to dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct on your network.
  • Maintaining Android in the enterprise
    No matter how insecure Android might appear, you can't escape the "bring your own device" philosophy in today's corporate environment. In this article, we show how admins can use on-board tools in Android phones to regain a little control.
  • Acquiring a Memory Image
    Be ready before disaster strikes. In this article we describe some tools you should have on hand to obtain a memory image of an infected system.
  • NVDIMM and the Linux kernel
    Non-volatile dual in-line memory modules will provide storage as fast as RAM and keep its content through a reboot. The Linux kernel is already geared to handle the new technology and can even serve the modules up as block devices.
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.