Linux Forensics -2-
Hello again. I haven’t been able to write for a while because of the sad event that shook my country.
But I have seen people who follow, like and want me to continue writing. That’s why I said let’s get together as soon as possible and keep writing and being useful. I packed up.
Let’s continue.
Build a Volatility Profile
1. Acquire a memory dump of the target system: You can acquire a memory dump using tools like DumpIt or FTK Imager.
2. Analyze the memory dump: Use Volatility Framework to analyze the memory dump. Volatility Framework is an open-source memory forensics tool that can be used to analyze memory dumps from Windows, Linux, and macOS systems. You can download Volatility Framework from the official website: https://www.volatilityfoundation.org/
3. Identify the operating system and profile: Run the following command to identify the operating system and profile:
volatility -f <memory dump> imageinfo
This command will output information about the operating system and the available profiles. Choose the appropriate profile for the operating system.
4. Analyze the memory dump using the appropriate profile: Run the following command to analyze the memory dump using the appropriate profile:
volatility -f <memory dump> --profile=<profile> <command>
Replace <profile> with the appropriate profile name and <command> with the command you want to run. Some useful commands are:
- pslist: Lists all running processes
- pstree: Shows the process tree hierarchy
- netscan: Lists all active network connections
- hivelist: Lists all registry hives
- dumpfiles: Extracts files from memory
For example, to list all running processes, run the following command:
volatility -f <memory dump> --profile=<profile> pslist
5. Interpret the results: The output of the command will provide you with information about the system, processes, network connections, and other relevant data. Analyze the output to identify any signs of malicious activity or anomalies.
By following these steps, you can build a Volatility Profile and use it to analyze memory dumps from Windows, Linux, and macOS systems.
vi ~/.bashrc
This command opens the “vi” editor to edit the “.bashrc” file in the user’s home directory.
This command is used to display the process tree in a Linux memory image using the Volatility tool.
pstree is a command used to display the process tree in a Linux/Unix operating system in a hierarchical manner.
This command visualizes all the processes running in the system and their relationships with each other, i.e., which process created a certain process or which process called another process. This allows for a hierarchical view of all the processes running in the system, providing a quick overview of the processes and their relationships with each other.
vol.py --info | grep linux | tee vol-linux.txt
This command uses the Volatility framework to list information about Linux memory images. The output of the command is then filtered to only show lines that contain the word “linux”. The “tee” command is used to save the filtered output to a file named “vol-linux.txt” in addition to displaying it on the terminal screen.
--profile=LinuxCentOS63x64 linux_pslist_cache
This plugin enumerates processes from kmem_cache.
linux_pidhashtable
This plugin enumerates processes by walking the pid hash table. It can assist with detecting hidden processes. The output will appear similar to linux_pslist, but in a different order.
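The point of running linux_pslist, linux_pslist_cache and linux_pidhashtable side by side is cross-view comparison: a process unlinked from the task list still shows up in the pid hash table. The script below is an added example, not part of the original post; it parses the row format of Volatility 2’s Linux process plugins (offset, name, PID, PPID columns) from constructed sample output and reports the PIDs each view is missing.

```python
import re
from typing import Dict, Set

# A data row of Volatility 2 linux_pslist / linux_pslist_cache /
# linux_pidhashtable output: "<offset> <name> <pid> <ppid> ...".
# Header and dash lines do not match and are skipped.
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pids(output: str) -> Dict[int, str]:
    """Map PID -> process name for every data row in one plugin's output."""
    procs: Dict[int, str] = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            procs[int(m.group(3))] = m.group(2)
    return procs


def cross_view(views: Dict[str, str]) -> Dict[str, Set[int]]:
    """For each view, return PIDs that another view reports but this one
    lacks. A PID absent from linux_pslist yet present in linux_pidhashtable
    is the classic sign of a task hidden by unlinking it from the task list."""
    parsed = {name: parse_pids(out) for name, out in views.items()}
    union: Set[int] = set().union(*(set(p) for p in parsed.values()))
    return {name: union - set(p) for name, p in parsed.items()}


# Constructed sample outputs (not taken from a real image): PID 3027 has
# been unlinked from the task list, so only the pid hash walk reports it.
HEADER = ("Offset             Name                 Pid             PPid\n"
          "------------------ -------------------- --------------- ---------------\n")
PSLIST = HEADER + (
    "0xffff88003e7a8000 init                 1               0\n"
    "0xffff88003d0c0000 sshd                 1133            1\n")
PIDHASH = HEADER + (
    "0xffff88003d0c0000 sshd                 1133            1\n"
    "0xffff88003e7a8000 init                 1               0\n"
    "0xffff88001f4e6000 xingyi_bindshell     3027            1133\n")

if __name__ == "__main__":
    result = cross_view({"linux_pslist": PSLIST, "linux_pidhashtable": PIDHASH})
    for view, missing in result.items():
        print(f"{view}: missing {sorted(missing) or 'nothing'}")
```

On a real case, feed it the saved output of each plugin (for example the files written with tee) and treat every PID that only one view knows about as a lead to pull with linux_psenv, linux_proc_maps and linux_lsof.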
linux_lsof
This plugin mimics the lsof command on a live system. It prints the list of open file descriptors and their paths for each running process. To print only the files for a specific process, use the -p PID option.
vpa linux_psaux
vpa linux_psenv -p 3027
This command uses the Volatility framework to display the memory map of a specific process with the process ID (PID) of 3017 on a Linux system. The “linux_proc_maps” plugin is used to extract this information from a memory image of a Linux system.
The memory map of a process includes information about the virtual memory space that the process uses, such as which memory areas are reserved for code, data, stack, heap, shared libraries, and other system resources. By analyzing the memory map of a process, it is possible to understand how the process uses memory and what resources it relies on.
By specifying the “-p” option followed by the PID, this command restricts the output to the memory map of the process with that specific PID. This can be useful for debugging, forensics, or security analysis purposes, as it allows investigators to analyze the memory usage of a specific process in detail.
xxd /tmp/xingyi_bindshell.3027.0x400000 | more
This command uses the “xxd” tool to display the contents of the file “/tmp/xingyi_bindshell.3027.0x400000” in hexadecimal format. The output is then piped to the “more” command, which displays the output one screen at a time.
The “xxd” tool is a command-line utility in Linux that can be used to display or convert binary files to hexadecimal format. By displaying the contents of a binary file in hexadecimal format, it can be easier to analyze and understand the structure and contents of the file. The “more” command is used to display the output in a more manageable way, especially if the file is very large.
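A dumped mapping that starts at 0x400000 on x86-64 usually begins with the executable’s own ELF header, so the first thing to check in the xxd output is the 7f 45 4c 46 magic and the header fields that follow. The script below is an added example, not code from the post: it parses the 64-byte ELF64 header of such a dump (the path argument is optional and hypothetical; without it a constructed header stands in for /tmp/xingyi_bindshell.3027.0x400000).

```python
import struct
from typing import Dict

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 62: "EM_X86_64", 183: "EM_AARCH64"}


def parse_elf64_header(data: bytes) -> Dict[str, object]:
    """Parse the ELF64 header at the start of a dumped mapping.
    Returns {} when the bytes are not a little-endian ELF64 header, so a
    mapping that is not the first segment of the binary is reported cleanly."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return {}
    if data[4] != 2 or data[5] != 1:        # need ELFCLASS64 and ELFDATA2LSB
        return {}
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    f = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    return {
        "type": E_TYPE.get(f[0], f"unknown({f[0]})"),
        "machine": E_MACHINE.get(f[1], f"unknown({f[1]})"),
        "entry": f[3],
        "phoff": f[4],
        "phnum": f[9],
        "shnum": f[11],    # 0 in a memory dump is normal: sections are not loaded
    }


def make_sample_dump() -> bytes:
    """Constructed stand-in for the dumped mapping: a minimal x86-64 ET_EXEC
    header with entry point 0x400b30, padded with zeros (no real image)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400B30, 64, 0, 0,
                              64, 56, 2, 64, 0, 0)
    return hdr + b"\x00" * 192


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dump()
    info = parse_elf64_header(blob)
    print(info or "no little-endian ELF64 header at offset 0")
```

If the header parses, the entry point and program header count give you a quick sanity check that the dump is a complete ELF image before spending time on string extraction or disassembly.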
vpa linux_bash_env | more
This command uses the Volatility framework to extract the environment variables set in the Bash shell of a Linux memory image. The output of the command is then piped to the “more” command, which displays the output one screen at a time.
The “|” character is used to redirect the output of the first command (in this case, “vpa linux_bash_env”) to the input of the second command (in this case, “more”). This is known as a “pipe” operation and is a common way to combine multiple commands in Linux.
This command uses the Volatility framework to identify any API (Application Programming Interface) hooks that may be present in a Linux memory image. API hooks are used by malware or other malicious software to intercept and modify the behavior of legitimate applications or system components.
By analyzing the system memory for API hooks, this command can help to detect any suspicious or malicious activity on a Linux system. However, note that this command requires expertise in memory analysis and Linux systems in order to properly interpret and use the output. It’s also worth noting that the “linux_apihooks” plugin may not be available in all versions of Volatility, so it’s possible that this command may not work on some systems.
time vpa linux_check_idt
This command uses the Volatility framework to check the Interrupt Descriptor Table (IDT) in a Linux memory image; the “time” prefix measures how long the operation takes to complete. The IDT is the data structure the Linux kernel uses to dispatch interrupts, which are signals to the CPU that a device or software component needs attention.
By checking each IDT entry, this command can help identify abnormalities in the handling of interrupts, such as an entry that no longer points at the kernel’s own handler, which can be useful for debugging or forensic analysis purposes. However, note that this command requires expertise in memory analysis and Linux systems in order to properly interpret and use the output.
Additional commands:
time vpa linux_check_fop
time vpa linux_check_creds
time vpa linux_check_afinfo
vpa linux_netstat
Lists both UDP and TCP sockets.
This command runs the “linux_list_arp” plugin on a memory image of a Linux system to display the Address Resolution Protocol (ARP) cache table. The ARP cache table contains mappings between IP addresses and MAC addresses of devices on the local network.
By analyzing the ARP cache table, an investigator can determine the devices that were communicating on the network and their IP and MAC addresses. This can be useful in forensic investigations or system analysis to identify suspicious network activity or determine the devices that were connected to the system.
This command uses the Volatility framework to display the list of mounted file systems on a Linux system by running the “linux_mount” plugin.
When a file system is mounted on a Linux system, it becomes accessible to the system and its users. The “linux_mount” plugin can retrieve information about all the mounted file systems on the system, including the file system type, the mount options, the device that the file system is mounted from, and the mount point where the file system is attached to the system’s directory tree.
This information can be useful for forensic investigations or system analysis, as it can provide insight into how the file systems are being used and how they are related to each other. By using this command, an investigator can quickly obtain a list of all mounted file systems and their properties, and use this information to further investigate the system.
vpa linux_enumerate_files | more
This command uses the Volatility framework to enumerate the open files on a Linux system by running the “linux_enumerate_files” plugin. The output of the plugin is then piped to the “more” command, which displays the output one screen at a time.
The “linux_enumerate_files” plugin can be used to retrieve information about all open files on the system, including file names, file descriptors, inode numbers, and other relevant information. This can be useful for forensic analysis or security investigations, as it allows investigators to determine which files are currently open on the system and which processes are accessing them.
By piping the output of the plugin to the “more” command, the output can be displayed in a more manageable way, especially if there are many open files on the system. The investigator can then analyze the output to determine which files are relevant to their investigation.
See you in the 3rd article of the series.