The RIT Computing Security Lab

Updating RIT System Forensics’ Volatility Lab

Computer System Forensics’ Lab 5 on the Volatility Framework

Issues with the lab

The original instructions

The steps to build the Ubuntux64 profile on SIFT:

1. Install the dwarfdump package and kernel headers
$ sudo apt-get update
$ sudo apt-get install dwarfdump linux-headers-generic --fix-missing

2. Download the Volatility repository from https://github.com/volatilityfoundation/volatility and cd into the tools > linux folder of the downloaded repo
$ cd ~/Downloads/volatility-master/tools/linux

3. Generate the module.dwarf file using make
$ make

4. Find the System.map version
$ ls /boot

5. Create the profile zip (sift.zip) and place it in the volatility overlays/linux folder, where volatility looks for all profiles, using the System.map file (from step 4) for the kernel version.
$ sudo zip /usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/Ubuntu.zip module.dwarf /boot/System.map-4.4.0-31-generic

6. Run vol.py --info | grep Profile to make sure the profile "LinuxUbuntux64" is in the profiles list.

7. Run vol.py -f ‘/home/sansforensics/Desktop/ yourusername_memory_dump.bin’ --profile=LinuxUbuntux64 VolatilityLinuxCommand (Note: replace VolatilityLinuxCommand with the volatility Linux commands from https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference)
Getting the CPU information from a memory image with the previous lab instructions
Class averages per lab. Note the drop in score on Lab 5.
My friends and I discussing problems with the lab

Making Volatility run properly

Missing dependencies

Original:

1. Install the dwarfdump package and kernel headers
$ sudo apt-get update
$ sudo apt-get install dwarfdump linux-headers-generic --fix-missing

Updated:

1. Install the dwarfdump package and kernel headers
$ sudo apt-get update
$ sudo apt-get install dwarfdump pcregrep libpcre++-dev yara -y
$ sudo -H pip install pycrypto Distorm3 OpenPyxl ujson pillow

Using old kernel versions

Original:

4. Find the System.map version
$ ls /boot

5. Create the profile zip (sift.zip) and place it in the volatility overlays/linux folder, where volatility looks for all profiles, using the System.map file (from step 4) for the kernel version.
$ sudo zip /usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/Ubuntu.zip module.dwarf /boot/System.map-4.4.0-31-generic

Updated:

4. Create the profile zip (Ubuntu.zip) and place it in the volatility overlays/linux folder, where volatility looks for all profiles, using the System.map file for the running kernel version.
$ sudo zip /usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/Ubuntu.zip module.dwarf /boot/System.map-$(uname -r)

Command syntax

Original:

7. Run vol.py -f ‘/home/sansforensics/Desktop/ yourusername_memory_dump.bin’ --profile=LinuxUbuntux64 VolatilityLinuxCommand (Note: replace VolatilityLinuxCommand with the volatility Linux commands from https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference)

Updated:

6. Run vol.py -f '/home/sansforensics/Desktop/yourusername_memory_dump.bin' --profile=LinuxUbuntux64 VolatilityLinuxCommand (Note: replace VolatilityLinuxCommand with the volatility Linux commands from https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference)

Running Volatility

Getting the CPU information from a memory image with the corrected lab instructions
1. Install the dwarfdump package and kernel headers
$ sudo apt-get update
$ sudo apt-get install dwarfdump pcregrep libpcre++-dev yara -y
$ sudo -H pip install pycrypto distorm3 openpyxl ujson pillow

2. Download the volatility repo:
$ cd ~/Downloads
$ git clone https://github.com/volatilityfoundation/volatility.git
$ cd volatility/tools/linux

3. Generate the module.dwarf file using make
$ make

4. Create the profile zip (Ubuntu.zip) and place it in the volatility overlays/linux folder, where volatility looks for all profiles, using the System.map file for the running kernel version.
$ sudo zip /usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/Ubuntu.zip module.dwarf /boot/System.map-$(uname -r)

5. Run vol.py --info | grep Profile to make sure the profile "LinuxUbuntux64" is in the profiles list.

6. Run vol.py -f /home/sansforensics/Desktop/yourusername_memory_dump.bin --profile=LinuxUbuntux64 VolatilityLinuxCommand (Note: replace VolatilityLinuxCommand with the volatility Linux commands from https://github.com/volatilityfoundation/volatility/wiki/Linux-Command-Reference)
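The two failure points the corrected steps fix (a System.map for the wrong kernel, and a profile that never shows up in vol.py --info) can be checked before and after zipping. The script below is an added example, not part of the lab or of Volatility; it assumes SIFT's python2 overlay directory and the repo's tools/linux path from the steps above, and the helper names are mine.

```shell
#!/bin/sh
# Added example: validate the inputs of a Volatility Linux profile before
# building it, so a kernel/System.map mismatch fails loudly instead of
# producing a profile that silently fails to match the memory dump.
# Assumed paths (from the lab): SIFT's python2 overlay dir, ~/Downloads/volatility.
OVERLAY_DIR=/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux
DWARF=~/Downloads/volatility/tools/linux/module.dwarf

# Print the System.map path for a kernel release, or list the maps that are
# present and fail. Usage: find_system_map <boot_dir> <kernel_release>
find_system_map() {
    map="$1/System.map-$2"
    if [ ! -f "$map" ]; then
        echo "no System.map for kernel $2 in $1; maps present:" >&2
        ls "$1"/System.map-* >&2 2>/dev/null || true
        return 1
    fi
    printf '%s\n' "$map"
}

# Read 'vol.py --info' output on stdin; succeed only if a profile line starts
# with the requested name. Usage: vol.py --info | profile_listed <name>
profile_listed() {
    grep -q "^$1[[:space:]]"
}

# Zip module.dwarf with the matching System.map, exactly as the lab does.
# Usage: build_profile <dwarf_file> <boot_dir> <kernel_release> <zip_path>
build_profile() {
    map=$(find_system_map "$2" "$3") || return 1
    [ -f "$1" ] || { echo "missing $1; run make in tools/linux first" >&2; return 1; }
    zip "$4" "$1" "$map"
}

# Stand-alone use: build for the running kernel, then confirm registration.
if [ "${1:-}" = "run" ]; then
    build_profile "$DWARF" /boot "$(uname -r)" "$OVERLAY_DIR/Ubuntu.zip" || exit 1
    if vol.py --info | profile_listed LinuxUbuntux64; then
        echo "profile LinuxUbuntux64 registered"
    else
        echo "profile not listed; inspect the zip with unzip -l" >&2
        exit 1
    fi
fi
```

Run it as `sudo sh build_profile.sh run` on SIFT; the test below exercises the checks on constructed files.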

DFIR, CTFs, disinformation, STEM education, and pretty much anything else that comes to mind. RIT Computing Security ’22. wyatttauber.com
