Skip to content

cid404/dm_dump

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 
 
 

Repository files navigation

This plugin essentially emulates the behavior of the "dmsetup table --showkeys" command, which dumps information about every device mounted on the using the device-mapper framwork. Unlike the output of this command, the output of the dm_dump plugin is precisely the information needed (and presented in the correct syntax) to remount these devices using the "dmsetup create" command. That is, in many cases, given a memory dump from a Linux system using full disk encryption and access to the disk, the output of this plugin gives you the arguments to pass to the dmsetup command to remount the original unencrypted file system on a different machine.

While the plugin currently only supports the dm-crypt and dm-linear targets, all target specific information is contained in a single struct, so adding support for new targets is just a matter of gathering profile information for the struct and determining which information needs to be extracted and how it must be presented (which I just didn't have the time to do). The device-mapper framework is also used in Android (with the dm-crypt target also being used for full-disk encryption) so I think that of the correct profile information is generated, this plugin will also work for Android memory dumps, though I haven't tried it.

The plugin works by traversing the internal data structures used by device-mapper to keep track of its devices (see http://lxr.free-electrons.com/source/drivers/md/dm-ioctl.c?v=3.13#L1096), and as such depends on struct offset information which is not provided by the existing Volatility profile generation mechanism. This additional profile must be collected by the user and specified at runtime via the --dm-profile option. My profile generation mechanism (found in the included dm_profile_gen directory) is adapted from the original and I think it would be fairly straight forward to merge my code into the existing mechanism. The plugin does depend on some structs which are not defined in header files, but I have identified the different versions of those structs and included with checks being made against the kernel version to determine which version of the structs to use. 

The plugin can be run with a command like:
python vol.py linux_dm_dump --profile=Linux3_11_0-15-generic-i686x86 --dm_profile=3.11.0-15-generic-i686-dm.dwarf -f 3.11.0-15-generic-i686.elf

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 88.9%
  • Python 11.1%