Inside Out

How to analyse AFF4 linux memory images

In my last post I described Evimetry's support for remote memory acquisition. In this post I'll give a quick walkthrough on setting up Volatility for analysis of those images.

I prefer to make a python virtualenv specifically for working with volatility. In this example, I'm using MacOS with brew for my python (the python shipped with MacOS is broken in regard to pip's TLS authentication). Hence the -p argument.

mkdir volmem
cd volmem
virtualenv -p /usr/local/bin/python volmem
source volmem/bin/activate

Install all the dependencies with the following (the last two aren't strictly necessary, but prevent a load of complaints from Volatility).

pip install future
pip install rdflib
pip install pyblake2
pip install intervaltree
pip install expiringdict
pip install aff4-snappy
pip install pyyaml
pip install pycrypto
pip install distorm3

Pull in Volatility, the community plugins repository (where the AFF4 plugin resides), and the python AFF4 reader library. We set the python path so that the plugin can find the latter.

git clone https://github.com/volatilityfoundation/volatility
git clone https://github.com/volatilityfoundation/community
git clone https://github.com/aff4/pyaff4
export PYTHONPATH=$(pwd)/pyaff4:$PYTHONPATH

Download the Linux profile you want to use with the memory image, and place it in Volatility's profile folder.

wget https://github.com/volatilityfoundation/profiles/raw/master/Linux/Ubuntu/x64/Ubuntu16041.zip
mv Ubuntu16041.zip volatility/volatility/plugins/overlays/linux/

cd volatility

Begin analysis. Note that the --plugins option is crucial for picking up the AFF4 read plugin, as is the PYTHONPATH environment variable we set earlier.

(volmem) neon:volatility bradley$ python vol.py --info
Volatility Foundation Volatility Framework 2.6

Profiles
--------
LinuxUbuntu16041x64 - A Profile for Linux Ubuntu16041 x64

<snip>

(volmem) neon:volatility bradley$ python vol.py --plugins=../community/AFF4 -f ~/Desktop/ImageDest/Ubuntu16041.RAM.aff4 --profile=LinuxUbuntu16041x64 linux_pslist
Volatility Foundation Volatility Framework 2.6
Offset Name Pid PPid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- --------------- ------ ------------------ ----------
0xffff88003bd60000 systemd 1 0 0 0 0x000000003b61a000 2018-05-30 05:25:41 UTC+0000
0xffff88003bd60dc0 kthreadd 2 0 0 0 ------------------ 2018-05-30 05:25:41 UTC+0000
0xffff88003bd61b80 ksoftirqd/0 3 2 0 0 ------------------ 2018-05-30 05:25:41 UTC+0000
0xffff88003bd63700 kworker/0:0H 5 2 0 0 ------------------ 2018-05-30 05:25:41 UTC+0000

<snip>

This works equally well for newer kernels with kernel address space layout randomisation (KASLR). To test this, I created a new Volatility profile for kernel 4.10 on Ubuntu 16.04.4 per the instructions at https://github.com/volatilityfoundation/volatility/wiki/Linux . You can see below the output of the linux_bash plugin run against a VM that I first used to generate the profile and then used as the target of acquisition with the Evimetry live agent.

If you can't find a profile, and haven't done it before, I'd encourage you to give it a go. It is extremely easy to create a new one (especially using VMWare, as it breezes through the install of the target Linux OS). All up it took me about 5 minutes to install Ubuntu 16.04.4 and create a profile for it. Don't forget to go the extra step of contributing the new profile back to the community (as I did here).

neon:volatility bradley$ python vol.py --plugins=../community/AFF4 -f ~/Desktop/ImageDest/Ubuntu16044_PhysicalMemory.aff4 --profile=LinuxUbuntu16044x64 linux_bash
Volatility Foundation Volatility Framework 2.6
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
841 bash 2018-05-31 16:08:23 UTC+0000 uname -a
841 bash 2018-05-31 16:08:23 UTC+0000 apt-get update
841 bash 2018-05-31 16:08:23 UTC+0000 apt-cache search linux-kernel
841 bash 2018-05-31 16:08:23 UTC+0000 apt-get install openssh-server
841 bash 2018-05-31 16:08:23 UTC+0000 exit
841 bash 2018-05-31 16:08:23 UTC+0000 apt-cache search linux-image
841 bash 2018-05-31 16:08:23 UTC+0000 apt-cache search kernel
841 bash 2018-05-31 16:08:23 UTC+0000 sudo bash
841 bash 2018-05-31 16:08:23 UTC+0000 uname
841 bash 2018-05-31 16:08:23 UTC+0000 cat /proc/version
841 bash 2018-05-31 16:08:23 UTC+0000 ifconfig
841 bash 2018-05-31 16:08:23 UTC+0000 apt-get install linux-image-4.10.0-14-generic
841 bash 2018-05-31 16:08:23 UTC+0000 sudo bash
841 bash 2018-05-31 16:08:23 UTC+0000 exit
841 bash 2018-05-31 16:08:23 UTC+0000 exit
841 bash 2018-05-31 16:08:23 UTC+0000 reboot
841 bash 2018-05-31 16:08:23 UTC+0000 apt-get install openssh-server
7459 bash 2018-05-31 16:21:46 UTC+0000 uname -a
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get update
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-cache search linux-kernel
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install linux-headers-4.10.0-14-generic
7459 bash 2018-05-31 16:21:46 UTC+0000 zip Ubuntu16044.zip module.dwarf /boot/System.map-4.10.0-14-generic
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install openssh-server
7459 bash 2018-05-31 16:21:46 UTC+0000 exit
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-cache search linux-image
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install dwarfdump
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-cache search kernel
7459 bash 2018-05-31 16:21:46 UTC+0000 sudo bash
7459 bash 2018-05-31 16:21:46 UTC+0000 make -C /lib/modules/4.10.0-14-generic/build CONFIG_DEBUG_INFO=y M=$PWD modules
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install build-essential
7459 bash 2018-05-31 16:21:46 UTC+0000 ls
7459 bash 2018-05-31 16:21:46 UTC+0000 uname
7459 bash 2018-05-31 16:21:46 UTC+0000 cat /proc/version
7459 bash 2018-05-31 16:21:46 UTC+0000 ifconfig
7459 bash 2018-05-31 16:21:46 UTC+0000 zip Ubuntu16044.zip module.dwarf /boot/System.map-4.10.0-14-generic
7459 bash 2018-05-31 16:21:46 UTC+0000 exit
7459 bash 2018-05-31 16:21:46 UTC+0000 cat /proc/version
7459 bash 2018-05-31 16:21:46 UTC+0000 ls
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install linux-image-4.10.0-14-generic
7459 bash 2018-05-31 16:21:46 UTC+0000 sudo bash
7459 bash 2018-05-31 16:21:46 UTC+0000 exit
7459 bash 2018-05-31 16:21:46 UTC+0000 sudo bash
7459 bash 2018-05-31 16:21:46 UTC+0000 exit
7459 bash 2018-05-31 16:21:46 UTC+0000 exit
7459 bash 2018-05-31 16:21:46 UTC+0000 dwarfdump -di ./module.o > module.dwarf
7459 bash 2018-05-31 16:21:46 UTC+0000 reboot
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install zip
7459 bash 2018-05-31 16:21:46 UTC+0000 apt-get install openssh-server
7459 bash 2018-05-31 16:21:49 UTC+0000 sudo bash
7472 bash 2018-05-31 16:21:50 UTC+0000 exit
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install openssh-server
7472 bash 2018-05-31 16:21:50 UTC+0000 sudo bash
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-cache search linux-image
7472 bash 2018-05-31 16:21:50 UTC+0000 exit
7472 bash 2018-05-31 16:21:50 UTC+0000 zip Ubuntu16044.zip module.dwarf /boot/System.map-4.10.0-14-generic
7472 bash 2018-05-31 16:21:50 UTC+0000 dwarfdump -di ./module.o > module.dwarf
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install zip
7472 bash 2018-05-31 16:21:50 UTC+0000 ifconfig
7472 bash 2018-05-31 16:21:50 UTC+0000 reboot
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install linux-headers-4.10.0-14-generic
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-cache search kernel
7472 bash 2018-05-31 16:21:50 UTC+0000 cat /proc/version
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install dwarfdump
7472 bash 2018-05-31 16:21:50 UTC+0000 zip Ubuntu16044.zip module.dwarf /boot/System.map-4.10.0-14-generic
7472 bash 2018-05-31 16:21:50 UTC+0000 make -C /lib/modules/4.10.0-14-generic/build CONFIG_DEBUG_INFO=y M=$PWD modules
7472 bash 2018-05-31 16:21:50 UTC+0000 sudo bash
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install openssh-server
7472 bash 2018-05-31 16:21:50 UTC+0000 ls
7472 bash 2018-05-31 16:21:50 UTC+0000 exit
7472 bash 2018-05-31 16:21:50 UTC+0000 ls
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install linux-image-4.10.0-14-generic
7472 bash 2018-05-31 16:21:50 UTC+0000 uname
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get update
7472 bash 2018-05-31 16:21:50 UTC+0000 uname -a
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-cache search linux-kernel
7472 bash 2018-05-31 16:21:50 UTC+0000 apt-get install build-essential
7472 bash 2018-05-31 16:21:50 UTC+0000 exit
7472 bash 2018-05-31 16:21:50 UTC+0000 sudo bash
7472 bash 2018-05-31 16:21:50 UTC+0000 exit
7472 bash 2018-05-31 16:21:50 UTC+0000 cat /proc/version
7472 bash 2018-05-31 16:21:51 UTC+0000 ls
7472 bash 2018-05-31 16:22:04 UTC+0000 ./evimetry.agent 192.168.189.1
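To make output like the linux_bash listing above easier to work with, here is an added Python example (not part of the original post, Volatility or Evimetry) that parses the plugin's text output into records and separates commands that merely share their shell's history-load timestamp from those that were typed during the live session, such as the evimetry.agent invocation at the end. The sample input is a constructed excerpt of the listing above.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Constructed sample: a trimmed excerpt of the linux_bash output shown in the post.
SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
841 bash 2018-05-31 16:08:23 UTC+0000 uname -a
841 bash 2018-05-31 16:08:23 UTC+0000 sudo bash
7472 bash 2018-05-31 16:21:50 UTC+0000 dwarfdump -di ./module.o > module.dwarf
7472 bash 2018-05-31 16:21:50 UTC+0000 zip Ubuntu16044.zip module.dwarf /boot/System.map-4.10.0-14-generic
7472 bash 2018-05-31 16:21:51 UTC+0000 ls
7472 bash 2018-05-31 16:22:04 UTC+0000 ./evimetry.agent 192.168.189.1
"""

# One data row: PID, process name, timestamp with UTC offset, then the command text.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC([+-]\d{4})\s+(.*)$")
BashEntry = namedtuple("BashEntry", "pid name time command")

def parse_linux_bash(text):
    """Parse Volatility 2.6 linux_bash text output; banner, header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pid, name, stamp, offset, command = m.groups()
        ts = datetime.strptime(f"{stamp} {offset}", "%Y-%m-%d %H:%M:%S %z")
        entries.append(BashEntry(int(pid), name, ts, command.strip()))
    return entries

def load_time_by_pid(entries):
    """Per shell, the timestamp shared by most of its entries. Commands replayed from
    ~/.bash_history when the shell started typically all carry that single load time."""
    per_pid = defaultdict(Counter)
    for e in entries:
        per_pid[e.pid][e.time] += 1
    return {pid: c.most_common(1)[0][0] for pid, c in per_pid.items()}

def interactive_commands(entries):
    """Entries whose timestamp differs from their shell's load time: the best
    candidates for commands actually typed during the live session."""
    load = load_time_by_pid(entries)
    return [e for e in entries if e.time != load[e.pid]]
```

Feed it the full plugin output (for example via `sys.stdin.read()`) to get the same split for every shell in the image.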