[opensuse-factory] Forensics: Volatility3 with TW
Hi,

when starting to explore forensics [0] this week, I stumbled upon a tool called Volatility [1]. It appears to be a pretty advanced volatile memory (aka RAM) extraction framework that allows one to examine memory dumps of Windows, MacOS and Linux, and it is being used in all kinds of forensic tasks. Since Volatility is written in Python 2, that creates some trouble on TW. Luckily, the creators of this masterpiece have rewritten the framework to use Python 3, which is known as Volatility3 [2].

Using this framework to examine TW (and Leap) installations takes a couple of steps:

1) a memory dump
2) a memory profile (kernel symbols and data types)
3) volatility3

1: The best way to produce a complete memory dump seems to be LiME [3], as available here [4] (submitted to security:forensics). If you know alternatives, let us know. An inquiry on opensuse-kernel@opensuse.org remained unanswered.

2: A new tool, dwarf2json [5], was created for Vol3 to produce a memory profile, what they call an Intermediate Symbol File (ISF), that usually is generated from a Linux kernel debug build. It's available in security:forensics [6] and on its way into TW. Unfortunately, that's failing [7] so far.

3: Volatility3 and updated dependencies are available in security:forensics [8] and the updates were submitted to TW.

Any ideas how to eliminate the road block with dwarf2json [7] are much appreciated. I think it is worth discussing the topic now in order to be prepared for an emergency later on.

Happy examination,
Pete

[0] https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
[1] https://github.com/volatilityfoundation/volatility
[2] https://github.com/volatilityfoundation/volatility3
[3] https://github.com/504ensicsLabs/LiME
[4] https://build.opensuse.org/package/show/home:frispete:kernel/lime-kmp
[5] https://github.com/volatilityfoundation/dwarf2json
[6] https://build.opensuse.org/package/show/security:forensics/dwarf2json
[7] https://github.com/volatilityfoundation/dwarf2json/issues/24
[8] https://build.opensuse.org/project/show/security:forensics
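The step where the chain above quietly breaks is pairing the ISF from step 2 with the dump from step 1: Volatility3 picks the symbol file whose `linux_banner` matches the "Linux version ..." string it finds in the image, and a profile built for the wrong kernel is simply never selected. The following Python check, added here as an example and not part of Pete's mail or of the Volatility project, performs that pairing on constructed data; the reduced ISF layout is an assumption about dwarf2json's output, and the banner, address and dump bytes are invented.

```python
import base64
import json
import re

# Constructed stand-in for a dwarf2json ISF: only the parts this check reads
# are present (a real file has thousands of entries in symbols/user_types).
SAMPLE_BANNER = (b"Linux version 5.8.4-1-default (geeko@buildhost) "
                 b"#1 SMP Wed Sep 2 08:00:00 UTC 2020 (abcdef1)\n")
SAMPLE_ISF = json.dumps({
    "metadata": {"producer": {"name": "dwarf2json"}},
    "base_types": {}, "user_types": {}, "enums": {},
    "symbols": {
        "linux_banner": {
            "address": 0xffffffff82000000,  # placeholder, not a real address
            "constant_data": base64.b64encode(SAMPLE_BANNER + b"\x00").decode(),
        },
    },
})
# Constructed stand-in for a LiME capture: filler bytes around one kernel banner.
SAMPLE_DUMP = b"\x00" * 64 + b"\xde\xad" * 8 + SAMPLE_BANNER + b"\x00" * 64

# Kernel banners are NUL-terminated C strings starting with "Linux version".
BANNER_RE = re.compile(rb"Linux version \d+\.\d+[^\x00]{0,250}")


def isf_banner(isf_text):
    """Return the kernel banner embedded in an ISF, or None if it has none."""
    sym = json.loads(isf_text).get("symbols", {}).get("linux_banner")
    if not sym or "constant_data" not in sym:
        return None
    raw = base64.b64decode(sym["constant_data"])
    return raw.rstrip(b"\x00").strip().decode("utf-8", "replace")


def scan_banners(image):
    """Collect the distinct 'Linux version ...' strings present in a raw image."""
    found = []
    for m in BANNER_RE.finditer(image):
        text = m.group(0).strip().decode("utf-8", "replace")
        if text not in found:
            found.append(text)
    return found


def isf_matches_dump(isf_text, image):
    """True when the ISF was generated for the kernel that produced the dump."""
    banner = isf_banner(isf_text)
    return banner is not None and banner in scan_banners(image)
```

Running `scan_banners` over a real LiME capture also tells you which exact kernel build (including the SMP/PREEMPT flags and build date) the debuginfo package fed to dwarf2json must correspond to.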