ISSA 2013 Netwars Challange - Getting the memory image to work.
Unlike @JackCR's previous challenges, this one is 1. from a Linux server, and 2. does not have a memory component. Well, that is not entirely accurate, there is a memory dump but it is not usable because of the way that vmss2core produces a file that is not useful for linux memory forensics. Long story short, Volatility can now read vmem (VMWare memory) and vmss (VMWare Snapshot) natively - don't use vmss2core anymore!
That said, there is a way to extract the memory image so that you can process it in volatility... once you have also created a profile!
A Word of Warning
Please note in this post I will use /path/to/image/ to represent the full path to where I hve mounted my evidence VMDK. You will need to change this to match your system if you want to replicate what I have done.
Converting the Memory Dump
After a quick bit of google-fu I was able to find a page [http://wiki.yobi.be/wiki/RAM_analysis] that described a process for extracting the memory image in RAW from the ELF64 format used by VirtualBox, and acting on the hunch that the ELF32 format would be functionally similar decided to try it out.
$ readelf --program-headers vmss.core
Elf file type is CORE (Core file)
Entry point 0x0
There are 2 program headers, starting at offset 52
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
NOTE 0x000074 0x00000000 0x00000000 0x00144 0x00000 0
LOAD 0x001000 0x00000000 0x00000000 0x20000000 0x20000000 RWE
The line that we care about is LOAD. Based on this output we now know out RAW data is 0x20000000 long and begins at offset 0x001000. After a little bit of hex-dec conversion we can then use dd to export this section
$ dd if=vmss.core bs=4096 skip=1 count=131072 of=memdump.bin
131072+0 records in
131072+0 records out
536870912 bytes (537 MB) copied, 9.01116 s, 59.6 MB/s
Now we have our memory dump, we now need to determine what profile we need and to generate it as need. Luckily we have a partition image that should hopefully have the /boot and /usr/src/linux-headers-* directories on it, which we need to create the specific profile for this system
# mkdir /media/temp
# mount -t ext3 -o ro /path/to/image/issa-2013-challenge.sda1.dd /media/temp
# cd /media/temp
bin boot cdrom dev etc home initrd.img lib lost+found media mnt opt proc root sbin selinux srv sys tmp usr var vmlinuz
Looking good :)
# cat etc/*-release
Not so good, this is an OLD version of Ubuntu :(
# ls boot usr/src
abi-2.6.31-14-generic-pae grub memtest86+.bin vmcoreinfo-2.6.31-14-generic-pae
config-2.6.31-14-generic-pae initrd.img-2.6.31-14-generic-pae System.map-2.6.31-14-generic-pae vmlinuz-2.6.31-14-generic-pae
Excellent, we have what we need to compile a custom profile anyway. Step 1 - get the System.map and kernel headers from the target system. You can also get them from the distribution repository, but it is better to get them from the target itself for maximum compatability.
# mkdir /path/to/image/temp
# cp -r usr/src/linux* /path/to/image/temp/
# mkdir /path/to/image/temp/boot
# cp boot/System.map-2.6.31-14-generic-pae /path/to/image/temp/boot/
Now we change the the location we have volatility sources downloaded and compile the profile based on our new paths
These directions are based on the current SVN version as of 2013-08-23 and assume you have pre-installed dwarfdump (see [http://code.google.com/p/volatility/wiki/LinuxMemoryForensics#Prerequisites])
# cd /path/to/image/volatility-read-only/tools/linux/
# make -C /path/to/image/temp/linux-headers-2.6.31-14-generic-pae CONFIG_DEBUG_INFO=y M=/path/to/image/volatility-read-only/tools/linux/ modules
# dwarfdump -di module.ko > module.dwarf
# make -C /path/to/image/temp/linux-headers-2.6.31-14-generic-pae CONFIG_DEBUG_INFO=y M=/path/to/image/volatility-read-only/tools/linux/ clean
# cp module.dwarf /path/to/image/temp/
# cd /path/to/image/temp/
# zip Ubuntu910.zip module.dwarf boot/System.map-2.6.31-14-generic-pae
# mkdir /path/to/image/temp/plugins
# cp Ubuntu910.zip /path/to/image/temp/plugins/
And now for the moment of truth, does this profile load?
# cd /path/to/image/volatility-read-only
# python vol.py --plugins=/path/to/image/temp/plugins --info | grep Ubu
Volatile Systems Volatility Framework 2.3_beta
LinuxUbuntu910x86 - A Profile for Linux Ubuntu910 x86
Looking good so far....
# python vol.py --plugins=/path/to/image/temp/plugins -f /path/to/image/memdump.bin --profile=LinuxUbuntu910x86 linux_ifconfig
Volatile Systems Volatility Framework 2.3_beta
Interface IP Address MAC Address Promiscous Mode
---------------- -------------------- ------------------ ---------------
lo 127.0.0.1 00:00:00:00:00:00 False
eth0 172.16.150.20 00:0c:29:7d:72:4b False