No description, website, or topics provided.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


This plugin essentially emulates the behavior of the "dmsetup table --showkeys" command, which dumps information about every device mounted on the using the device-mapper framwork. Unlike the output of this command, the output of the dm_dump plugin is precisely the information needed (and presented in the correct syntax) to remount these devices using the "dmsetup create" command. That is, in many cases, given a memory dump from a Linux system using full disk encryption and access to the disk, the output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.

While the plugin currently only supports the dm-crypt and dm-linear targets, all target specific information is contained in a single struct, so adding support for new targets is just a matter of gathering profile information for the struct and determining which information needs to be extracted and how it must be presented (which I just didn't have the time to do). The device-mapper framework is also used in Android (with the dm-crypt target also being used for full-disk encryption) so I think that of the correct profile information is generated, this plugin will also work for Android memory dumps, though I haven't tried it.

The plugin works by traversing the internal data structures used by device-mapper to keep track of its devices (see, and as such depends on struct offset information which is not provided by the existing Volatility profile generation mechanism. This additional profile must be collected by the user and specified at runtime via the --dm-profile option. My profile generation mechanism (found in the included dm_profile_gen directory) is adapted from the original and I think it would be fairly straight forward to merge my code into the existing mechanism. The plugin does depend on some structs which are not defined in header files, but I have identified the different versions of those structs and included with checks being made against the kernel version to determine which version of the structs to use. 

The plugin can be run with a command like:
python linux_dm_dump --profile=Linux3_11_0-15-generic-i686x86 --dm_profile=3.11.0-15-generic-i686-dm.dwarf -f 3.11.0-15-generic-i686.elf