Installing Linux Profile in Volatility

As I said, in my previous blog, it is necessary to note, that you need a compatible system profile to analyse a RAM memory dump.  That is, if you have a profile built for kernel 3.2.15, then you can only analyse the memory dump from a machine which runs the same kernel version 3.2.15. In case if you want to analyse some other kernel version’s RAM memory then you need to build a profile for the kernel version separately in your Volatility tool.  Before going to the building part, let me put it clearly what I meant by a profile. Actually it refers to a file ( a zip file ) where we compress the  kernel data structures and debug symbols. Volatility uses this zip file to mine critical information and to parse the objects inside the memory. In the next blog I will tell you the tools which you can use to collect the memory dumps from various OS’s and a demonstration with any one of a sample RAM memory dump. For now, I will tell you, how you can successfully build a Linux profile with your Volatility tool.

Determine your kernel version:

bios@bios-VirtualBox:~$ uname -mrs
Linux 3.13.0-24-generic x86_64

Installing a pre-requisite package:

bios@bios-VirtualBox:~$ sudo apt-get install dwarfdump

Creating vtypes:

Some of you might have encountered this issue while creating the vtypes.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux$ make
make -C //lib/modules/3.13.0-24-generic/build CONFIG_DEBUG_INFO=y M=/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux modules
make[1]: Entering directory `/usr/src/linux-headers-3.13.0-24-generic’
  CC [M]  /home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o
/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.c:70:33: fatal error: linux/net_namespace.h: No such file or directory
 #include <linux/net_namespace.h>
compilation terminated.
make[2]: *** [/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux/module.o] Error 1
make[1]: *** [_module_/home/h1dd3ntru7h/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.2/tools/linux] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-24-generic’
make: *** [dwarf] Error 2

This is not the right way of doing this. Here is the solution, follow the steps properly.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1$ cd tools/linux

bios@bios-VirtualBox:~$ sudo chown -R bios Desktop/volatility-2.3.1/tools/linux/


Now make:


Now you should not get any errors at the end of the make.

bios@bios-VirtualBox:~/Desktop/volatility-2.3.1/tools/linux$ make

make -C //lib/modules/3.5.0-49-generic/build CONFIG_DEBUG_INFO=y M=/home/bios/Desktop/volatility-2.3.1/tools/linux modules

make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic’

CC [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.o

Building modules, stage 2.

MODPOST 1 modules

CC /home/bios/Desktop/volatility-2.3.1/tools/linux/module.mod.o

LD [M] /home/bios/Desktop/volatility-2.3.1/tools/linux/module.ko

make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic’

dwarfdump -di module.ko > module.dwarf

make -C //lib/modules/3.5.0-49-generic/build M=/home/bios/Desktop/volatility-2.3.1/tools/linux clean

make[1]: Entering directory `/usr/src/linux-headers-3.5.0-49-generic’

CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/.tmp_versions

CLEAN /home/bios/Desktop/volatility-2.3.1/tools/linux/Module.symvers

make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-49-generic’


Making the Profile:

 Go to the /boot directory and create a profile by zipping the kernel file.

bios@bios-VirtualBox:/boot$ ls -l

total 48888

-rw-r–r– 1 root root 848290 Jan 25 2013 abi-3.5.0-23-generic

-rw-r–r– 1 root root 853859 May 3 03:16 abi-3.5.0-49-generic

-rw-r–r– 1 root root 147880 Jan 25 2013 config-3.5.0-23-generic

-rw-r–r– 1 root root 148168 May 3 03:16 config-3.5.0-49-generic

drwxr-xr-x 3 root root 12288 May 22 10:42 grub

-rw-r–r– 1 root root 15543822 May 2 14:44 initrd.img-3.5.0-23-generic

-rw-r–r– 1 root root 15694176 May 22 10:42 initrd.img-3.5.0-49-generic

-rw-r–r– 1 root root 176764 Nov 27 2011 memtest86+.bin

-rw-r–r– 1 root root 178944 Nov 27 2011 memtest86+_multiboot.bin

-rw——- 1 root root 3023265 Jan 25 2013

-rw——- 1 root root 3025898 May 3 03:16

-rw-r–r– 1 root root 5189248 Aug 2 2013 vmlinuz-3.5.0-23-generic

-rw——- 1 root root 5191616 May 3 03:16 vmlinuz-3.5.0-49-generic

bios@bios-VirtualBox:~$ sudo zip Desktop/volatility-2.3.1/volatility/plugins/overlays/linux/ Desktop/volatility-2.3.1/tools/linux/module.dwarf /boot/

updating: Desktop/volatility-2.3.1/tools/linux/module.dwarf (deflated 90%)

adding: boot/ (deflated 79%)


Checking the installation:


If everything goes smooth without any error then you are done with creating Linux profile. Hurray! Now you can check, whether everything went in your way!

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 –info | grep “linux”

Volatility Foundation Volatility Framework 2.3.1

linux_arp – Print the ARP table

linux_banner – Prints the Linux banner information

linux_bash – Recover bash history from bash process memory

linux_check_afinfo – Verifies the operation function pointers of network protocols

linux_check_creds – Checks if any processes are sharing credential structures

linux_check_evt_arm – Checks the Exception Vector Table to look for syscall table hooking

linux_check_fop – Check file operation structures for rootkit modifications

linux_check_idt – Checks if the IDT has been altered


You could see the plugins listed out, which confirms the building the linux profile.


Checking for the Linux profile version:


h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ vol3 –info | grep “Linux”

Volatility Foundation Volatility Framework 2.3.1

linux_banner – Prints the Linux banner information

linux_yarascan – A shell in the Linux memory image

LinuxUbuntu1204x64 – A Profile for Linux Ubuntu1204 x64

Linuxubuntu-14_04-desktop-amd64_3_13_0-24-genericx64 – A Profile for Linux ubuntu-14.04-desktop-amd64_3.13.0-24-generic x64

If you face any issues while building the Linux Profile, will help you out in fixing it. Let me know through the comments.


Installing Volatility in Ubuntu

Volatility is a memory forensics framework, to analyse ram memory dumps for Windows, Linux, and Mac. In order to analyse a operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile. By default the Windows profile is built inside Volatility. Other than Windows, if you are analysing a Linux or a Mac memory dump, then you have to build the profiles accordingly. Most important thing to note is, you cannot build a profile for a Ubuntu 3.13 system to analyse a memory dump from Ubuntu 3.10 system. In this article, I am going to show you how you can install volatility in your machine and in the next blog I will show you how to create linux profiles to analyse Linux based RAM memory. Please see, I am using Ubuntu 12.04, amd_64. Also, install the packages in the order which is followed before. Make sure that there are no errors appearing while installing the dependencies and libraries.

[Update] You can also refer to Volatility’s github for the latest updates about dependencies.

Step 1: Installing dependencies

h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Step 2: Installing PyCrypto

You can either use pip to install the library or you can download the source from here and install.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python build

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python build install

Step 3: Installing Distrom

Distrom is a disassemble library for x86/AMD64. You can download the source from here.

h1dd3ntru7h@bi0s:~/Apps/distorm3$ unzip

h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python build

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python build install

Step 4: Installing Yara

Volatility supports many plugins which helps to identify malwares from memory dumps. Many plugins which are based on malwares uses Yara library. You can download the recent version availabe, but for this demo I am using the older version of the yara.

h1dd3ntru7h@bi0s:~/Apps$ wget

h1dd3ntru7h@bi0s:~/Apps$tar -zxvf yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install

Step 5: Installing Yara Python

Please follow the instructions in Step 4 before installing Yara Python. You can download the Yara Python1.4a source from here. Please see, if you downloaded a different version of Yara in step 4, then do download a compatible version of Yara Python.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python build

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python build install

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo “/usr/local/lib” >> /etc/
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ ldconfig

We are done with installing the dependencies, now  will install the Volatility framework. Please download the source from here. You can download and use it wherever you want. Once after downloading, extract to a directory.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python build

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python build install

This will complete the installation and if everything went in the right way, then you should get a similar stdout,

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility – A memory forensics analysis platform.

  -h, –help            list all available options and their default values.
                        Default values may be set in the configuration file

Encryption and Decryption using gpg

GPG stands for GNU Privacy Guard, which is a command line tool and a free implementation of  the OpenPGP standard. It allows us to encrypt and decrypt various data. The tool comes handy during  message or file transfer. It allows us to have a pair of keys namely Public and Private Keys, which  falls under stream of  Asymmetric Key Cryptography. By using these techniques, we can forget the nightmare of  data privacy. That means, you can be confident, that others, except the recipient can not read the message, which is sent by you. Even if the file is passed over the network, and if anyone tampers your file, it will  not be an easy task, to decrypt the encrypted files, without the Private Key of the recipient. This technique makes sure,of secure file transfer between the communicating parties.

Process :

Consider two devils Sow and Bow want to share a secret file. Using gpg tool Sow and Bow will create their own pair of Private and Public Keys. If Sow wants to send a encrypted file to Bow, she will use Bow’s public key (which will be shared in common) to encrypt the file. On the other side, Bow will use her private key to decrypt the file which is sent by Sow and vice-versa. Private key is the pass-phrase, which is confidential and it is private only to the user who created it. It shouldn’t be shared. Public key can be made public. It has to be made public so that the other party who wants to share a file with you can encrypt the file.


Generating the Key Pairs:

Follow the below steps for creating a Public and Private Key. Private Key is the pass-phrase which you are going to give during the Public-Key generation. I gave my key to be encrypted as RSA and you can choose your own choice.

shankie@ubuntu:~$ gpg --gen-keygpg

(GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.There is NO WARRANTY,
to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days<n>
w = key expires in n weeks<n>
m = key expires in n months<n>

<strong>y = key expires in n yearsKey is valid for? (0)</strong>

Key does not expire at all

Is this correct? (y/N) y

You need a user ID to identify your key;
the software constructs the user ID from
the Real Name, Comment and Email Address in this
form:"Heinrich Heine (Der Dichter) <>"

Real name: Shankar Raman.R

Email address:

Comment: Private-Public Key using GPG

You selected this USER-ID:"Shankar Raman.R
(Private-Public Key using GPG) <>
<strong>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o</strong>
You need a Passphrase to protect your secret key.

can't connect to server: ec=255.16777215gpg: problem with the agent -
disabling agent useWe need to generate a lot of random bytes.
It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks)
during the prime generation;
this gives the random numbergenerator a better chance to gain enough entropy
We need to generate a lot of random bytes. It is a good idea to performsome other action
(type on the keyboard, move the mouse, utilize thedisks) during the prime generation;
this gives the random numbergenerator a better chance to gain enough entropy
key 9FA49BD0 marked as ultimately trustedpublic and secret key created
and signed.gpg: checking the trustdbgpg: 3 marginal(s) needed, 1 complete(s) needed,
PGP trust modelgpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3upub
2048R/9FA49BD0 2013-01-07Key fingerprint = D3E5 39B0 E4B3 C06C A68E  13E4 6994 5DF6 9FA4 9BD0uid
Shankar Raman.R (Private-Public Key using GPG) <>
sub   2048R/0385B97F 2013-01-07

 Exporting the Public Key

This will be your public key, and this key will be used by the other people to send encrypted files to you. You need your email id as an argument for generation of Public Key.

shankie@ubuntu:~$ gpg --export > Shanky-Public_k3y.gpg

Importing Public Key:

First step of encryption is, importing the recipients Public Key. Assuming Bow’s public key is BOW.gpg, and importing can be done by

shankie@ubuntu:~$ gpg --import > BOW.gpg

Encryption  :

After importing the the Public Key of the recipient, we can now encrypt the message to be sent. Assuming Sow wants to send a file named rchan.txt. Remember encryption is achieved only with the Public Key of the recipient.

shankie@ubuntu:~$ gpg  --recipient BOW.gpg --armor --encrypt rchan.txt


After executing the above command, an encrypted file will be created namely “chan.txt.asc”. Sow will now send the encrypted file to Bow through email or by sharing or anything. Once Bow receives the Encrypted file, she will use her private key (The pass-phrase which you gave for generating the Public Key) to decrypt the file and finally she unravels the original file, which Sow has sent! Use this command to decrypt the file.

shankie@ubuntu:~$ gpg --decrypt rchan.txt.asc > bit.txt

How to install TrID scanner in Windows and Ubuntu

TrID Scan

Usually in Forensics analysis the first step in solving an issue will be identifying the file type. I am using Ubuntu and always I will use the file command to identify the types. But, it will not identify many of the file types. It may be useful for normal users, but I don’t think this will suffice for Forensics Analysis. When I was going through the CodeGate’12 CTF blog from Leet More I noticed the TrID Scan tool used for a Forensics challenge. Cool… first time I am seeing a file identifier tool after using “file” command (Ubuntu) for a long time. I downloaded a Win32 application file of it, from the website . I couldn’t make it run properly. I was stuck there for few days. Later when, I checked the version of the downloaded file, it was v1.56, too old :(. Whenever I scanned a file it popped this error message.

C:\Documents and Settings\hiddentruth\Desktop>tridscan.exe "B704361ACF90390C17F6103DF4811E2D(1)"
TrID/32 - Scan Module v1.56 - (C) 2003-04 By M.Pontello
Checking files...
* Error: You need to scan at least 2 files (the more, the better!),
or refine an existing def

After few days I came to know about that there is a Linux version for this application with version 2.11. For Windows users the newest version is 2.10. Please click here to download the application. This didn’t popped any error messages :D. Make sure that you are downloading the update files also. Each time new file signatures will be released in the sites. Periodically update the application from the update files posted in the site. If you are a Linux user, download the TrIDUpate pack, in this case it will be a python file and if you are a Windows user download the TriDDefs pack, in this case it will be a tr definition file. P.S: If you are not downloading and running the aforementioned files, this tool will not work.

For Linux Users,

Step 1: Unzip the downloaded file.

shankie@ubuntu:~/Desktop/TrID$ unzip


inflating: readme_e.txt

inflating: readme_i.txt

inflating: trid

Step 2: Run the update file.

shankie@ubuntu:~/Desktop/TrID$ python

Checking last version online...

MD5: 1b4425710507d86b0370896fe2e67cc3

Downloading new defs...

Checking defs integrity...


Step 3: Change the permissions

shankie@ubuntu:~/Desktop/TrID$ chmod +x trid

Step 4: Example

shankie@ubuntu:~/Desktop/TrID$ ./trid B704361ACF90390C17F6103DF4811E2D

TrID/32 - File Identifier v2.11 - (C) 2003-11 By M.Pontello

Definitions found: 4931


Collecting data from file: B704361ACF90390C17F6103DF4811E2D

100.0% (.E01) EnCase Forensic Drive Image (3006/2)

For Windows Users,

Step 1: Extract the downloaded files (trid and triddefs.trd) into a Folder.

Step 2: Open CMD and execute the file.

C:\Documents and Settings\hiddentruth>cd Desktop

C:\Documents and Settings\hiddentruth\Desktop>cd TrID

C:\Documents and Settings\hiddentruth\Desktop\TrID>trid.exe


TrID/32 - File Identifier v2.10 - (C) 2003-11 By M.Pontello

Definitions found: 4931


Collecting data from file: B704361ACF90390C17F6103DF4811E2D

100.0% (.E01) EnCase Forensic Drive Image (3006/2)