Monday, March 18, 2013

Linux bash history_list info for volatility

Starting Linux analysis with volatility

When working in the security field you will eventually come across a time that you will need to do some memory analysis. This analysis will entail working with volatility for memory forensics. Most of the time you will end up working with windows systems that may have been compromised. When you are working against a Linux memory dump you will need a few extra things to make this possible.

linux_bash

The linux_bash option within volatility requires you to to know the history_list location so that you can scrape the bash history out of memory. The way that you would do this would be to use gdb and disassemble the history_list and in the comments you will note the information that you will need. I will include a few of them on this page. I don't want to include too many since they are trying to create a way to determine the value on the fly but I cannot confirm the status of that. Here are a few values that I quickly gdb grabbed out that might help others as well. I will include more if people find it to be beneficial to have a single location. A well documented way to obtain the values are located on the volatility site http://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash


Centos
6.4  - 0x6e0970 - bash-4.1.2-14.el6.x86_64.rpm
6.3 -  0x6e0950 - bash-4.1.2-9.el6_2.x86_64.rpm
6.2 -  0x6e0910 - bash-4.1.2-8.el6.centos.x86_64.rpm
6.1 -  0x6e0910 - bash-4.1.2-8.el6.centos.x86_64.rpm
6.0 -  0x6e1af0 -  bash-4.1.2-3.el6.x86_64.rpm
5.9 -  0x6bf970 -  bash-3.2-32.el5.x86_64.rpm
5.8 -  0x6bf970 -  bash-3.2-32.el5.x86_64.rpm
5.7 -  0x6bf970 -  bash-3.2-32.el5.x86_64.rpm
5.6 -  0x6bf970 -  bash-3.2-24.el5.x86_64.rpm

Ubuntu
11.04 - 0x6ed3a8


This probably gives an idea of what I will talk about next ...linux profiles.  I will create a profile for all of the above systems and provide them on the next post. This post will also be updated until the disassemble piece in 2.3 happens.

References:

http://code.google.com/p/volatility/

1 comment: