The Easy Way to Analyze Linux Memory
Duration: 5:26


13Cubed, 27.10.2025. 4,338 views, 155 likes

Video description
In this episode, we'll take a look at a quick and easy way to find the Intermediate Symbol File (ISF) for the Linux memory image you're analyzing. This method will save you time and help streamline your memory analysis workflow.

*** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. ***

📖 Chapters
00:00 - Intro
00:37 - Demo

🛠 Resources
Abyss-W4tcher ISFs: https://github.com/Abyss-W4tcher/volatility3-symbols
leludo84 ISFs: https://github.com/leludo84/vol3-linux-profiles

Volatility-ready URLs:
https://raw.githubusercontent.com/Abyss-W4tcher/volatility3-symbols/refs/heads/master/banners/banners.json
https://raw.githubusercontent.com/leludo84/vol3-linux-profiles/refs/heads/main/banners-isf.json

#Forensics #DigitalForensics #DFIR #ComputerForensics #LinuxForensics

Contents (2 segments)

Intro

Ah yes, another Linux memory image to analyze. If only there were a faster and better way to do this. Well,

Demo

there is a better way. Now, normally we would either have to build our own intermediate symbol file, or ISF, based on the exact kernel version in use on the machine from which the memory was acquired, or we could run the Volatility 3 banners plugin as I've done here and get the exact Linux kernel version, which in this case is 6.5.0-41, and then go search for a pre-created ISF. In doing that, there are actually a couple of different repos that I use all the time. This one, which is called Abyss-W4tcher, and the one from leludo84. Now both of these host pre-created ISFs. But then the problem is we're still left to search through all of these ISFs, and there can be dozens if not hundreds, and try to find the exact one that matches. It takes time. We have to drill down through these directories and find exactly what we're looking for. Well, here's the thing that you may not be aware of: in this repo, and in the other one, there's going to be a file that's actually a JSON file that contains a list of all of the symbols present. Now, in this repo, all we're going to do is navigate into the banners folder or directory, which you see here. And within this location, you're going to notice we have a banners.json file. Now, if I click on this, you're going to see that it says it can't display it. But if you click view raw, you're actually going to see the raw JSON right here. This is obviously going to be a bit hard to read for us and doesn't really mean anything to us just looking at this. But this output does mean something to Volatility 3. And we can actually use this to make our lives much easier. Let me show you the same thing in the other repo here. All we have to do is grab this file in the root of the repo, which is called banners-isf.json. And once again, if we click view raw, it's the same kind of output that you saw in the other repo. So, how can we use this to our advantage? Well, let me show you. First off, let's go up to the top here and grab this URL.
So, I'll press Ctrl+C to copy this to the clipboard. Now, let's go back to the terminal. And what we're going to do is type python3 vol.py, and I'm going to go ahead and use a -h here, and I'm going to grep with -A1, which means show me one line after the pattern match, and what I'm searching for here is capital URL. Now, in doing this, you'll notice that we have a parameter that's called -u or --remote-isf-url followed by the URL itself. So, you probably see where I'm going with this. Now, first, just to prove a point, let's go ahead and repeat this same command line that we had before. And let's try to run linux.pslist as an example. And notice that we immediately get back an error telling us that it's not possible. And the reason for this is, of course, because Volatility 3 doesn't know how to read this memory image. It doesn't have the symbols necessary. So, let's go ahead and repeat this, but this time we'll use -u, and then we'll paste in the actual path that we copied from the GitHub repo, and then we'll run linux.pslist. Now, as you can see, what it's going to do is scan and try to find the correct ISF necessary to read this image. So, let's speed this up and see what happens. And just like magic, we have our output. I didn't have to search through the repo and try to find that exact match. It was just done for me as a result of specifying that URL. How cool is that? This saves a huge amount of time, and as you can see as I'm scrolling up through here, it is able to read the process list without any issues whatsoever as a result of us specifying that URL. So again, this is a huge timesaver and something you may not be aware of, but now I'm guessing that you're going to start using this going forward. Unless you're creating your own ISF files in every instance, this is going to be a huge timesaver for you. And again, just as a quick recap, all we did was use a -u followed by the path to that JSON file.
And the two repos I showed you have such a file. And most other repos that you'll encounter that are going to host ISF files are likely going to have a JSON index file as well that you can point to with Volatility 3. And that's it. I hope you enjoyed this episode. Thanks for watching. Thanks for subscribing. And I'll see you in the next one.
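As an added illustration (not code from the video or from Volatility 3), the following Python sketch mimics what the demo relies on: scan a memory image for the kernel banner, as the banners plugin does, then look that banner up in a banners-style JSON index to get the ISF URL, returning nothing when no entry matches (the situation behind the error shown before -u was supplied). The index layout, the memory fragment, the URLs and the allow-listed host are all constructed assumptions; the real banners.json and banners-isf.json files may be laid out differently, and Volatility 3's own --remote-isf-url handling is what you would actually use.

```python
import json
import re
from typing import Iterable, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for a banners-style index: banner text -> list of ISF URLs.
# This layout is an assumption for the example, not necessarily the exact layout
# of the Abyss-W4tcher or leludo84 index files.
CONSTRUCTED_INDEX = json.dumps({
    "Linux version 6.5.0-41-generic (buildd@example) #41~22.04.2-Ubuntu SMP": [
        "https://raw.githubusercontent.com/example-org/isfs/main/6.5.0-41.json.xz"
    ],
    "Linux version 5.15.0-91-generic (buildd@example) #101-Ubuntu SMP": [
        "https://raw.githubusercontent.com/example-org/isfs/main/5.15.0-91.json.xz"
    ],
})

# Constructed memory-image fragment with a kernel banner embedded in it (not a real dump).
CONSTRUCTED_IMAGE = (
    b"\x00" * 16
    + b"Linux version 6.5.0-41-generic (buildd@example) #41~22.04.2-Ubuntu SMP\n"
    + b"\x00" * 16
)

# Kernel banners start with "Linux version <x.y.z>" and run to the end of the line.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+\.\d+[^\x00\n]*")


def find_banners(image: bytes) -> List[str]:
    """Scan raw memory for kernel version banners, like the banners plugin does."""
    return [m.decode("ascii", "replace") for m in BANNER_RE.findall(image)]


def lookup_isf(index_json: str, banners: Iterable[str],
               allowed_hosts: Iterable[str] = ("raw.githubusercontent.com",)) -> Optional[str]:
    """Return the first ISF URL the index lists for a banner found in the image, or None."""
    index = json.loads(index_json)
    allowed = set(allowed_hosts)
    for banner in banners:
        for url in index.get(banner, []):
            parsed = urlparse(url)
            # Only fetch symbol files over HTTPS from hosts you have chosen to trust.
            if parsed.scheme == "https" and parsed.netloc in allowed:
                return url
    return None


if __name__ == "__main__":
    print(lookup_isf(CONSTRUCTED_INDEX, find_banners(CONSTRUCTED_IMAGE)))
```

The host allow-list is the check worth having before a tool is allowed to pull symbol files from a third-party repository on the analyst's behalf.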
