The Problem with Parsing Linux-Based Memory Dumps

Introduction
Hello Everyone! It is Husam again after a long time away from MemoryForensic, as I was doing my CFCE and other projects, and I finally got it 🙂
I was recently contacted by an analyst who asked me for a solution to display the processes from a memory dump file. The analyst had tried several methods but could not solve the issue. Yes, it was a Linux-based memory dump.
Linux Memory Dump Parsing Problem
The analyst gave me the memory dump, and I checked it, but it was working fine and I was able to get the processes using the psscan plugin.

I figured out the problem; the analyst had even mentioned the solution, but it seems it was not done properly.
Yes, you guessed it right, this inspired me to write issue #6 of my newsletter, Be a Better Detective!
The Solution
To parse Linux memory dumps using Volatility, you need a symbol file that matches the exact kernel build in the image (Volatility3 calls these ISF symbol tables, stored as JSON; Volatility2 called them profiles). You have two choices to get one:
- You either build the Linux kernel symbol file yourself. (slower)
- Or you download a pre-built symbol file from the Internet. (faster)
First Solution – Building Kernel Profiles
The first option is worth doing at least once so you understand how the symbol file is produced, and I would recommend two videos for that:
- Volatility Memory Analysis: Building Linux Kernel Profiles from DFIRScience (in English)
- Building Volatility Profiles from Hack Defend Lab (in Arabic)
If you want, let me know and I can make a video myself showing the building process!
In addition, I would recommend reading Volatility's own documentation on creating symbol files here, and this article from HackTheBox.
Second Solution – Downloading Kernel Profiles
There are a few repositories where people did the hard work, built the symbol files themselves, and shared them organised by Linux distro and kernel version:
- leludo84 / vol3-linux-profiles (I like this one ^^ )
- Abyss-W4tcher /volatility3-symbols lists
- p0dalirius /volatility3-symbols lists
The Approach of Using the Second Solution
Let’s say that you decided to go with the second option by downloading a symbol file, but you do not know the whole process, right? No worries, I am here to help you out 🙂
- First, we will use Volatility3 (the banners.Banners plugin) to determine a few details about the acquired memory dump's OS from the kernel banner string it finds in the image.
- As highlighted in the image below, we look for the Linux kernel version (5.10.0-35-amd64) and the Linux distribution name, the "distro" (Debian).

- Second, we will use, for instance, the first link above: open the profiles folder, then open the Debian folder as shown in the picture. After that, we need to select the major Linux version, in this case 5 (remember 5.10.0).
- Third, we need to find the exact kernel version match: 5.10.0-35-amd64, and boom! we found it below!

- Fourth, we need to just decompress it, using the command:
xz -dk linux-image-5.10.0-35-amd64-dbg_5.10.237-1_amd64.json.xz
- Fifth, we need to create a folder called "linux" inside volatility3/volatility3/symbols (relative to your Volatility3 checkout). It is not created by default.
- Sixth, put the decompressed JSON symbol file inside the linux folder!
That's it guys 🙂 We have done it ^^ Just run linux.pslist and you should be fine! If Volatility3 still reports that no suitable symbol table was found, the banner in the dump and the banner baked into the symbol file do not match exactly (same distro package build, not just the same version number), so double-check the file you downloaded.
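The matching step above is what Volatility3 does for you behind the scenes: it scans the image for the "Linux version ..." banner and compares it with the banner stored in each ISF symbol file (the constant_data of the linux_banner symbol). Here is an added example, not code from the original post or from the Volatility project, that reproduces that check so you can confirm a downloaded JSON file really belongs to your dump before copying it into the symbols folder. The banner, the memory image bytes and the ISF dictionary are constructed samples; the addresses in the sample ISF are hypothetical.

```python
import base64
import json
import re
from typing import List, Optional, Tuple

# Regex for the kernel banner string that banners.Banners scans for:
# "Linux version <release> (<builder>) (<compiler>) #<build> ... \n"
BANNER_RE = re.compile(rb"Linux version (\d\S*) \(.*?\) .*?\n")

# Constructed sample banner for the kernel discussed in the post
# (5.10.0-35-amd64, Debian). Not copied from a real dump.
SAMPLE_BANNER = (
    b"Linux version 5.10.0-35-amd64 (debian-kernel@lists.debian.org) "
    b"(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, "
    b"GNU ld (GNU Binutils for Debian) 2.35.2) "
    b"#1 SMP Debian 5.10.237-1 (2025-05-19)\n"
)

# Constructed stand-in for a raw memory image: junk with the banner embedded.
SAMPLE_DUMP = b"\x00" * 4096 + b"junk..." + SAMPLE_BANNER + b"\xff" * 4096

# Constructed stand-in for an ISF symbol file (the JSON you download and
# drop into volatility3/symbols/linux). Addresses are hypothetical.
SAMPLE_ISF = {
    "metadata": {"format": "6.2.0"},
    "symbols": {
        "linux_banner": {
            "address": 0xFFFFFFFF81E00000,
            "constant_data": base64.b64encode(SAMPLE_BANNER + b"\x00").decode(),
        },
        "init_task": {"address": 0xFFFFFFFF82412A80},
    },
}


def find_banners(dump: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, banner) for every Linux kernel banner found in the image."""
    return [(m.start(), m.group(0)) for m in BANNER_RE.finditer(dump)]


def kernel_release(banner: bytes) -> str:
    """Third whitespace-separated token of the banner, e.g. '5.10.0-35-amd64'."""
    return banner.split()[2].decode("ascii")


def isf_banner(isf: dict) -> Optional[bytes]:
    """Banner stored in an ISF file as the constant_data of the linux_banner symbol."""
    sym = isf.get("symbols", {}).get("linux_banner", {})
    if "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"])


def _norm(banner: bytes) -> bytes:
    # Dumps end the banner with '\n'; ISF files may add a trailing NUL.
    return banner.rstrip(b"\x00\n")


def isf_matches_dump(isf: dict, dump: bytes) -> bool:
    """True if the ISF file was built for the kernel whose banner is in the dump."""
    expected = isf_banner(isf)
    if expected is None:
        return False
    return any(_norm(found) == _norm(expected) for _, found in find_banners(dump))


def load_isf(path: str) -> dict:
    """Load a decompressed .json symbol file from disk (after xz -dk)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for offset, banner in find_banners(SAMPLE_DUMP):
        print(f"0x{offset:x}: {banner.decode('ascii').strip()}")
        print("kernel release:", kernel_release(banner))
    print("symbol file matches dump:", isf_matches_dump(SAMPLE_ISF, SAMPLE_DUMP))
```

To use it on a real case, read the image with open(path, "rb").read() (or mmap for large dumps) in place of SAMPLE_DUMP and pass load_isf("linux-image-....json") in place of SAMPLE_ISF; if isf_matches_dump returns False, linux.pslist will fail no matter where you put the file.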
A Question?!
You may be asking yourself a very great question, but as I read minds, I am going to answer you even before hearing you!
Why do we need to do all of that for Linux-based memory dumps, but not for Windows ones?!
You are correct! We do not need to do it manually for Windows, because Volatility does it automatically!
How come?! Well, let me show you. Do you remember something strange scrolling down like this? It has probably happened multiple times while your Windows-based memory dump was being parsed:

Microsoft has a public symbol server from which Windows kernel symbol files (PDBs, Program Database files) can be downloaded.
Volatility reads the kernel's debug record from the memory image, then checks the public server for the exact kernel build/version symbol file and fetches it. The symbol server path you see scrolling by is built from:
Microsoft public server: http://msdl.microsoft.com/download/symbols/, and ntkrnlmp.pdb corresponds to:
- ntkrnlmp.exe, the multiprocessor Windows kernel binary.
- The unique hash folder (e.g.
DD08DD42692B43F199A) is the PDB's GUID followed by its age, both taken from the kernel's RSDS (CodeView) debug record in memory; together they identify the exact kernel build/version of the memory image being parsed.
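As an added example (not code from the original post or from Volatility), here is the part of that lookup that turns the kernel's debug record into the symbol server path: parse the RSDS record (signature, GUID, age, PDB name) out of a buffer of kernel image bytes and build the ntkrnlmp.pdb/<GUID><age>/ntkrnlmp.pdb path. The kernel bytes and the GUID are constructed for the example and do not correspond to any real Windows build; the record is built by the same layout the linker emits so the parser can be exercised offline.

```python
import struct
import uuid
from typing import List, Tuple

SYMBOL_SERVER = "http://msdl.microsoft.com/download/symbols"

# Layout of a CV_INFO_PDB70 record (pointed to by the PE debug directory):
#   "RSDS" | GUID (16 bytes, Windows mixed-endian) | Age (uint32 LE) | PdbFileName\0
RSDS_MAGIC = b"RSDS"


def parse_rsds(blob: bytes, offset: int = 0) -> Tuple[uuid.UUID, int, str]:
    """Decode the RSDS record starting at offset into (guid, age, pdb_name)."""
    if blob[offset:offset + 4] != RSDS_MAGIC:
        raise ValueError("no RSDS signature at offset")
    # bytes_le: Data1/Data2/Data3 are stored little-endian on disk, Data4 as-is
    guid = uuid.UUID(bytes_le=blob[offset + 4:offset + 20])
    (age,) = struct.unpack_from("<I", blob, offset + 20)
    end = blob.index(b"\x00", offset + 24)
    name = blob[offset + 24:end].decode("ascii")
    return guid, age, name


def symbol_server_path(guid: uuid.UUID, age: int, pdb_name: str) -> str:
    """<pdb>/<GUID as 32 uppercase hex digits><age in uppercase hex>/<pdb>"""
    return f"{pdb_name}/{guid.hex.upper()}{age:X}/{pdb_name}"


def symbol_server_url(guid: uuid.UUID, age: int, pdb_name: str) -> str:
    return f"{SYMBOL_SERVER}/{symbol_server_path(guid, age, pdb_name)}"


def find_rsds(blob: bytes) -> List[Tuple[int, uuid.UUID, int, str]]:
    """Scan a buffer (e.g. the kernel image carved from memory) for RSDS records."""
    found = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        try:
            guid, age, name = parse_rsds(blob, pos)
            # Reject false positives: the name must be a .pdb and the age sane.
            if name.lower().endswith(".pdb") and 0 < age < 0x10000:
                found.append((pos, guid, age, name))
        except (ValueError, UnicodeDecodeError, struct.error):
            pass
        pos = blob.find(RSDS_MAGIC, pos + 1)
    return found


def build_rsds(guid: uuid.UUID, age: int, pdb_name: str) -> bytes:
    """Constructed fixture: emit a record with the layout the linker uses."""
    return (RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age)
            + pdb_name.encode("ascii") + b"\x00")


# Constructed sample: a made-up GUID and age, NOT a real ntkrnlmp build.
SAMPLE_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")
SAMPLE_KERNEL_CHUNK = (b"\x90" * 256
                       + build_rsds(SAMPLE_GUID, 1, "ntkrnlmp.pdb")
                       + b"\x00" * 64)


if __name__ == "__main__":
    for pos, guid, age, name in find_rsds(SAMPLE_KERNEL_CHUNK):
        print(f"RSDS at 0x{pos:x}: {name} guid={guid} age={age}")
        print("fetch:", symbol_server_url(guid, age, name))
```

The GUID string is rendered the way uuid.UUID(bytes_le=...) prints it (Data1, Data2 and Data3 byte-swapped back to their natural order), dashes removed and upper-cased, with the age appended as bare hex with no padding; that is why the folder name in the download path is 33 characters for age 1. Volatility does the same after locating ntoskrnl's PE header in the image.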
Well, What Really Are PDB / Symbol Files?!
“PDB, or Program Database, is a file format developed by Microsoft for storing debugging information about programs, typically with a .pdb extension. It helps debuggers map source code to compiled applications, making it easier to identify issues during development.” ~ Wikipedia & Microsoft.
The PDB file / symbol file is needed by Volatility to determine how to parse the image. Thus, it is used to:
- Map kernel memory addresses to function and variable names.
- Parse internal Windows data structures correctly.
- Identify objects like processes, threads, and handles within a memory image.
You can just open the symbol JSON file, it would look like the below:

It has the addresses of kernel symbols and the layout (member names, offsets and types) of internal structures, which is what lets Volatility locate them in the image and parse them correctly.
Conclusion
Hope you learned something useful from this tutorial and if so, share it with your peers and pray for me! By the way, coincidentally, 13Cubed just released a video covering the second option today, check it out here as well!
Cya till the next one ~ Hoxed