search

Linux

hashtag
Steps to create Linux Profile

hashtag
1. Check profile of dump file

ubuntu@ubuntu:~/Desktop/$ strings memory.raw | grep "Linux version"
Linux version 4.4.0-72-lowlatency (buildd@lcy01-17) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #93-Ubuntu SMP PREEMPT Fri Mar 31 15:25:21 UTC 2017 (Ubuntu 4.4.0-72.93-lowlatency 4.4.49)

So we need to build profile linux-4.4.0-72-lowlatency on Ubuntu 16.04.4

hashtag
2. Download package of 4.4.0-72-lowlatency

We need install image package

sudo apt-get install linux-image-4.4.0-72-lowlatency

And header package 

sudo apt-get install linux-headers-4.4.0-72-lowlatency

hashtag
3. Change profile for a system

sudo gedit /etc/default/grub

Fix grub like this:

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=menu
GRUB_TIMEOUT=5
GRUB_GFXMODE=1024x768

Update grub

Spam shift or enter C, select `Ubuntu, with Linux 4.4.0-72-lowtatency`

hashtag
Make the profile

Download and install volatility

Install some package necessary and create vtypes

To create the profile, place both the module.dwarf and the system.map file into a zip file.

Then move this zip file under 'volatility/plugins/overlays/linux/'

Everything done for create profile. Check profile with volatility

hashtag
Get profile with volatility

PreviousMemoryNextMacOS-X

Last updated