Starting Linux analysis with volatility
When working in the security field you will eventually need to do some memory analysis, and for memory forensics that means working with Volatility. Most of the time the image comes from a Windows system that may have been compromised. Working against a Linux memory dump requires a few extra things, which this post covers.
linux_bash
The linux_bash plugin in Volatility requires you to know the address of bash's history_list so the plugin can scrape the bash history out of memory. To obtain it, load the matching bash binary in gdb and disassemble history_list; the address appears in the comment gdb prints next to the instruction that loads it. I will include a few of them on this page. I don't want to include too many, since the Volatility developers are working on a way to determine the value on the fly, but I cannot confirm the status of that. Here are a few values I quickly grabbed with gdb that may help others as well; I will add more if people find it beneficial to have them in a single location. A well documented way to obtain the values is on the Volatility site: http://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash
CentOS (release - history_list address - bash package)
6.4 - 0x6e0970 - bash-4.1.2-14.el6.x86_64.rpm
6.3 - 0x6e0950 - bash-4.1.2-9.el6_2.x86_64.rpm
6.2 - 0x6e0910 - bash-4.1.2-8.el6.centos.x86_64.rpm
6.1 - 0x6e0910 - bash-4.1.2-8.el6.centos.x86_64.rpm
6.0 - 0x6e1af0 - bash-4.1.2-3.el6.x86_64.rpm
5.9 - 0x6bf970 - bash-3.2-32.el5.x86_64.rpm
5.8 - 0x6bf970 - bash-3.2-32.el5.x86_64.rpm
5.7 - 0x6bf970 - bash-3.2-32.el5.x86_64.rpm
5.6 - 0x6bf970 - bash-3.2-24.el5.x86_64.rpm
Ubuntu (release - history_list address)
11.04 - 0x6ed3a8
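The gdb step and the lookup table above, as an added example that is not part of the original post or the Volatility project. It parses the trailing comment from `disassemble history_list` (a constructed sample of gdb's output is embedded), can run gdb in batch mode against a bash binary you supply, falls back to the addresses recorded in this post, and builds the `linux_bash` command line. The `-H`/`--history_list` option is linux_bash's own; the profile name and dump path are assumptions for illustration.

```python
"""Recover the history_list address Volatility's linux_bash needs.

Added example; not code from the original post or from Volatility.
"""
import re
import shutil
import subprocess
from typing import Optional

# Addresses recorded in the post above, keyed by (distro, release).
KNOWN_HISTORY_LIST = {
    ("centos", "6.4"): 0x6E0970,
    ("centos", "6.3"): 0x6E0950,
    ("centos", "6.2"): 0x6E0910,
    ("centos", "6.1"): 0x6E0910,
    ("centos", "6.0"): 0x6E1AF0,
    ("centos", "5.9"): 0x6BF970,
    ("centos", "5.8"): 0x6BF970,
    ("centos", "5.7"): 0x6BF970,
    ("centos", "5.6"): 0x6BF970,
    ("ubuntu", "11.04"): 0x6ED3A8,
}

# Constructed sample of `gdb -batch -ex "disassemble history_list" /bin/bash`
# output (AT&T syntax, gdb's default). The trailing "# 0x... <history_list>"
# comment on the load instruction carries the address we need.
SAMPLE_GDB_OUTPUT = """\
Dump of assembler code for function history_list:
   0x00000000004b5a20 <+0>:     mov    0x22af49(%rip),%rax        # 0x6e0970 <history_list>
   0x00000000004b5a27 <+7>:     retq
End of assembler dump.
"""

# Matches the comment gdb appends; works for AT&T and Intel syntax output.
_ADDR_RE = re.compile(r"#\s*(0x[0-9a-fA-F]+)\s*<history_list>")


def parse_history_list(gdb_output: str) -> Optional[int]:
    """Return the history_list address found in gdb's disassembly, or None
    (e.g. when the binary is stripped and gdb reports no such symbol)."""
    m = _ADDR_RE.search(gdb_output)
    return int(m.group(1), 16) if m else None


def history_list_from_binary(bash_path: str) -> Optional[int]:
    """Run gdb in batch mode on a bash binary taken from the same package
    that was installed on the imaged host, and parse the address out."""
    if shutil.which("gdb") is None:
        return None
    proc = subprocess.run(
        ["gdb", "-batch", "-ex", "disassemble history_list", bash_path],
        capture_output=True, text=True, check=False,
    )
    return parse_history_list(proc.stdout)


def lookup_history_list(distro: str, release: str) -> Optional[int]:
    """Fall back to the values recorded in this post."""
    return KNOWN_HISTORY_LIST.get((distro.lower(), release))


def linux_bash_command(dump: str, profile: str, history_list: int) -> list:
    """Build the vol.py argv. -H is linux_bash's --history_list option;
    confirm with `vol.py linux_bash -h` on your Volatility version."""
    return ["vol.py", "-f", dump, f"--profile={profile}", "linux_bash",
            "-H", f"0x{history_list:x}"]


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the profile name and
    # dump path below are placeholders, not values from the post.
    addr = parse_history_list(SAMPLE_GDB_OUTPUT)
    if addr is None:
        addr = lookup_history_list("CentOS", "6.4")
    print(" ".join(linux_bash_command("centos64.lime", "LinuxCentOS64x64", addr)))
```

The address must come from the exact bash package that was installed on the imaged host (compare the package name in the table with the host's rpm/dpkg records), since a different build relocates history_list and the plugin will read garbage or nothing.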
This probably gives an idea of what I will talk about next: Linux profiles. I will create a profile for each of the systems above and provide them in the next post. This post will also be updated until the automated disassembly planned for Volatility 2.3 lands.
References:
http://code.google.com/p/volatility/