Does the qemuinfo plugin work against your memory.img file?
Also, as a last resort, if you have the snapshot loaded into QEMU, can
you just log in and run lime? Obviously it wouldn't be as forensically
sound, but you'd only need to run a couple of commands... perhaps that could
at least get you started?
MHL
On 5/9/16 4:09 AM, Thomas Hungenberg wrote:
 I created the profile in a VM with a fresh install of Debian 8
 and the following kernel related packages which _exactly_ match
 the kernel version the virtual server to analyze was running:
 linux-image-3.16.0-4-amd64_3.16.7-ckt20-1+deb8u3_amd64.deb
 linux-headers-3.16.0-4-amd64_3.16.7-ckt20-1+deb8u3_amd64.deb
 linux-headers-3.16.0-4-common_3.16.7-ckt20-1+deb8u3_amd64.deb
 For a test, I dumped the memory in this VM using lime.
 Volatility can process this dump with the created profile just fine.
 So it looks like the problem is related to the memory image extracted
 from the virtual server QEMU snapshot I received for analysis.
 $ file snapshot.img
 snapshot.img: QEMU suspend to disk image
 $ hexdump -C snapshot.img
 00000000  51 45 56 4d 00 00 00 03  07 00 00 00 0d 70 63 2d  |QEVM.........pc-|
 00000010  69 34 34 30 66 78 2d 32  2e 35 01 00 00 00 02 03  |i440fx-2.5......|
 00000020  72 61 6d 00 00 00 00 00  00 00 04 00 00 00 00 41  |ram............A|
 00000030  0d 20 04 06 70 63 2e 72  61 6d 00 00 00 00 40 00  |. ..pc.ram....@.|
 00000040  00 00 08 76 67 61 2e 76  72 61 6d 00 00 00 00 01  |...vga.vram.....|
 I loaded this snapshot into QEMU and used the QEMU monitor console
 to dump the memory using "dump-guest-memory". This gave me an ELF file:
 $ file memory.img
 memory.img: ELF 64-bit LSB  core file Intel 80386, version 1 (SYSV), SVR4-style
 Unfortunately, Volatility cannot process this file with the created profile.
 I also tried dumping the memory with "pmemsave 0 0x20000000" on the QEMU console
 which gave me a raw data file but that file does not work with Volatility either.
 Any idea how to correctly extract the memory from the QEMU snapshot for analysis
 with Volatility?
      - Thomas
 On 04.05.2016 18:57, Andrew Case wrote:
 can you send me the uname -a output from the system the memory sample
 came from? I can just build you a profile (and show you the steps for how I
 did it).
 Thanks,
 Andrew (@attrc)
 On 05/04/2016 10:42 AM, Thomas Hungenberg wrote:
> Hi Andrew,
>
> I set up a fresh VM using the same Debian kernel version. The kernel
> binary files in /boot had a different MD5, most likely due to an older
> security patch level. So I copied the kernel binary files from the
> virtual hard disk image to my new VM and rebooted to make sure I'm running
> exactly the same kernel version for creating the profile.
>
> But maybe I also need to copy the header files from the virtual hard disk first?
> The kernel version is the same but apparently a different security patch level.
>
> Cheers,
> Thomas
>
> On 04.05.2016 17:24, Andrew Case wrote:
>> Hey Thomas,
>>
>> Did you verify that the kernel version was exactly the same? It is not
>> so much the OS version (e.g., the version of Debian), but it is that the
>> kernel versions must match *exactly*. If you still have access to each
>> machine you can compare the "uname -r" output to see - if these differ
>> then the profile won't work.
>>
>> If you can't get a VM with the exact kernel version, then you can just
>> download the correct kernel headers from the Debian repo and then:
>>
>> 1) cd tools/linux (inside volatility source checkout)
>> 2) edit Makefile.enterprise to point KDIR to where you extracted the headers
>> 3) run: make -f Makefile.enterprise
>>
>> Please let me know if you have any questions.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 05/04/2016 09:35 AM, Thomas Hungenberg wrote:
>>> On 04.05.2016 16:25, Adam Pridgen wrote:
>>>> Which profile are you using?  You should create a profile for the Linux VM
>>>> you are trying to analyze.  I have had to do this for several clean
>>>> installs of Ubuntu because of Linux kernel versions.
>>>
>>> I set up a fresh VM with Debian Linux in the same version the virtual
>>> server was running. Next, I installed the kernel image and related files
>>> extracted from the virtual hard disk on this new VM to get a Linux system
>>> running exactly the same kernel version. Then I created a Volatility
>>> profile on this VM.
>>>
>>>
>>>      - Thomas
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
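The bytes Thomas posted ("QEVM", version 3, a configuration section naming "pc-i440fx-2.5", then a SECTION_START for "ram" followed by a block table listing pc.ram and vga.vram) are the framing of QEMU's savevm/migration stream, which is why `file` reports a "QEMU suspend to disk image" rather than a flat memory dump: guest RAM is not stored contiguously but as tagged per-page records spread over the ram section's START/PART/END passes, so a raw-image reader cannot use the file as-is. The parser below is an added example written for this page; it is not code from the thread, from Volatility or from QEMU. The constants are taken from QEMU's migration/savevm.c and migration/ram.c as I know them, and the sample stream is constructed here to mirror the hexdump's framing with two tiny RAMBlocks (16 KiB pc.ram, 8 KiB vga.vram) instead of the real 1 GiB and 16 MiB. It handles plain and zero-fill page records only; XBZRLE and compressed-page records raise, and it stops when the ram section ends and device state begins.

```python
import io
import struct

# Constants from QEMU's migration/savevm.c and migration/ram.c
QEMU_VM_FILE_MAGIC = 0x5145564D                  # b"QEVM", the first four bytes of the hexdump
QEMU_VM_SECTION_START, QEMU_VM_SECTION_PART, QEMU_VM_SECTION_END = 0x01, 0x02, 0x03
QEMU_VM_CONFIGURATION, QEMU_VM_SECTION_FOOTER = 0x07, 0x7E   # machine type; optional 0x7e + id
RAM_SAVE_FLAG_COMPRESS = 0x02                    # page is one byte repeated (normally a zero page)
RAM_SAVE_FLAG_MEM_SIZE = 0x04                    # record carries the RAMBlock table
RAM_SAVE_FLAG_PAGE = 0x08                        # record carries a full 4 KiB page
RAM_SAVE_FLAG_EOS = 0x10                         # end of this section's page records
RAM_SAVE_FLAG_CONTINUE = 0x20                    # same RAMBlock as the previous record, name omitted
PAGE_SIZE = 0x1000                               # low 12 bits of a record header hold the flags

def be32(f): return struct.unpack(">I", f.read(4))[0]
def be64(f): return struct.unpack(">Q", f.read(8))[0]
def idstr(f): return f.read(f.read(1)[0]).decode()       # one length byte, then the name

def parse_header(f):
    """File magic, version, configuration section and the SECTION_START of "ram"."""
    if be32(f) != QEMU_VM_FILE_MAGIC:
        raise ValueError("not a QEVM stream")
    version = be32(f)
    if f.read(1)[0] != QEMU_VM_CONFIGURATION:
        raise ValueError("expected configuration section")
    machine = f.read(be32(f)).decode()
    if f.read(1)[0] != QEMU_VM_SECTION_START:
        raise ValueError("expected SECTION_START")
    section_id, section, instance_id, version_id = be32(f), idstr(f), be32(f), be32(f)
    return {"version": version, "machine": machine, "section_id": section_id,
            "section": section, "instance_id": instance_id, "version_id": version_id}

def parse_block_table(f):
    """First ram record (MEM_SIZE): total RAM bytes, then (name, size) per RAMBlock."""
    hdr = be64(f)
    if not hdr & RAM_SAVE_FLAG_MEM_SIZE:
        raise ValueError("expected MEM_SIZE record")
    total, blocks = hdr & ~(PAGE_SIZE - 1), []
    while sum(size for _, size in blocks) < total:
        blocks.append((idstr(f), be64(f)))
    return total, blocks

def reassemble(f, section_id, blocks, want):
    """Follow page records through the ram section's START/PART/END passes and
    return the raw bytes of RAMBlock `want`. Pages never sent stay zero."""
    out, current = bytearray(dict(blocks)[want]), None
    while True:
        while True:                                       # page records until EOS
            rec = be64(f)
            flags, offset = rec & (PAGE_SIZE - 1), rec & ~(PAGE_SIZE - 1)
            if flags & RAM_SAVE_FLAG_EOS:
                break
            if not flags & RAM_SAVE_FLAG_CONTINUE:
                current = idstr(f)
            if flags & RAM_SAVE_FLAG_COMPRESS:
                data = f.read(1) * PAGE_SIZE
            elif flags & RAM_SAVE_FLAG_PAGE:
                data = f.read(PAGE_SIZE)
            else:                                         # xbzrle / compressed pages not handled here
                raise ValueError(f"unsupported record flags {flags:#x}")
            if current == want:
                out[offset:offset + PAGE_SIZE] = data
        marker = f.read(1)
        if marker == bytes([QEMU_VM_SECTION_FOOTER]):
            if be32(f) != section_id:
                raise ValueError("section footer id mismatch")
            marker = f.read(1)
        if marker not in (bytes([QEMU_VM_SECTION_PART]), bytes([QEMU_VM_SECTION_END])):
            return bytes(out)                             # device state or EOF follows; RAM complete
        if be32(f) != section_id:
            raise ValueError("unexpected section id")

def extract_block(stream, want="pc.ram"):
    f = io.BytesIO(stream)
    hdr = parse_header(f)
    blocks = parse_block_table(f)[1]
    return hdr, blocks, reassemble(f, hdr["section_id"], blocks, want)

def build_sample_stream():
    """Constructed sample: the framing of the thread's hexdump, but with a 16 KiB
    pc.ram and an 8 KiB vga.vram so the whole stream fits in memory."""
    sec = lambda kind: bytes([kind]) + struct.pack(">I", 2)   # section id 2, as in the dump
    s = io.BytesIO()
    s.write(b"QEVM" + struct.pack(">I", 3))
    s.write(bytes([QEMU_VM_CONFIGURATION]) + struct.pack(">I", 13) + b"pc-i440fx-2.5")
    s.write(sec(QEMU_VM_SECTION_START) + b"\x03ram" + struct.pack(">II", 0, 4))
    s.write(struct.pack(">Q", 0x6000 | RAM_SAVE_FLAG_MEM_SIZE))
    s.write(b"\x06pc.ram" + struct.pack(">Q", 0x4000) + b"\x08vga.vram" + struct.pack(">Q", 0x2000))
    s.write(struct.pack(">Q", RAM_SAVE_FLAG_EOS) + sec(QEMU_VM_SECTION_FOOTER))
    # iterative pass: a data page and a zero page of pc.ram, then one vga.vram page
    s.write(sec(QEMU_VM_SECTION_PART))
    s.write(struct.pack(">Q", 0x0000 | RAM_SAVE_FLAG_PAGE) + b"\x06pc.ram" + bytes(range(256)) * 16)
    s.write(struct.pack(">Q", 0x1000 | RAM_SAVE_FLAG_COMPRESS | RAM_SAVE_FLAG_CONTINUE) + b"\x00")
    s.write(struct.pack(">Q", 0x0000 | RAM_SAVE_FLAG_PAGE) + b"\x08vga.vram" + b"\xaa" * PAGE_SIZE)
    s.write(struct.pack(">Q", RAM_SAVE_FLAG_EOS) + sec(QEMU_VM_SECTION_FOOTER))
    # final pass: one more dirty pc.ram page; name repeated because vga.vram was sent last
    s.write(sec(QEMU_VM_SECTION_END))
    s.write(struct.pack(">Q", 0x3000 | RAM_SAVE_FLAG_PAGE) + b"\x06pc.ram" + b"A" * PAGE_SIZE)
    s.write(struct.pack(">Q", RAM_SAVE_FLAG_EOS) + sec(QEMU_VM_SECTION_FOOTER))
    s.write(b"\x00")                                            # QEMU_VM_EOF
    return s.getvalue()
```

Run against a real snapshot, `extract_block(open("snapshot.img", "rb").read())` would hand back pc.ram as one flat buffer, which is the form a raw-image reader expects; the block table it prints first is the quickest sanity check that the file is a savevm stream at all (the 0x410d2000 in the posted dump is the total RAM size carried by the MEM_SIZE record). Note that later QEMU versions have added record types, so the "unsupported record flags" error is the expected outcome on streams that use XBZRLE or multi-threaded compression.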