alternate output directories, check for root, et al

halpomeranz · Jan 12, 2016 · c5e8c07 · c5e8c07
1 parent 9652e0c
commit c5e8c07
Show file tree

Hide file tree

Showing 2 changed files with 196 additions and 111 deletions.
diff --git a/README b/README
@@ -1,6 +1,6 @@
 Linux Memory Grabber
 A script for dumping Linux memory and creating Volatility(TM) profiles.
-Hal Pomeranz (hal@deer-run.com), 2014-03-29
+Hal Pomeranz (hal@deer-run.com), 2016-01-12
 
 THANKS!
 =======
@@ -24,6 +24,13 @@ little tool possible:
    to capture Windows memory, I know of no easier to use tool).
    So thanks for the inspiration, Matt!
 
+-- People who have provided ideas and code to make the tool better:
+
+       Julien -- Alternate output/build directories and case ID labels, 
+           abort if not running as root
+       Jonathon Poling -- similar ideas to Julien's
+       Jeff Bryner -- Creating volatilityrc files for each capture
+
 The community is better for all of these efforts.  I have chosen to make
 my tool available under the Creative Commons "Attribution" License (CC BY),
 in order to make it as widely available as possible.
@@ -87,12 +94,12 @@ Dependencies -- In order to compile kernel code on Linux, the target
   machine needs a working development environment with gcc, make, etc 
   and all of the appropriate include files and shared libraries.
   And in particular, the kernel header files need to be present on
-  the local machine.  These dependencies may not exist on the target
-  system.  In this case, the user is faced with the choice of installing
+  the local machine.  These dependencies may not exist on the target.
+  In this case, the user is faced with the choice of installing
   the appropriate dependencies (if possible) or being unable to
   acquire memory from the target.
 
-Malware -- lmg uses /bin/bash, gcc, and a host of other programs from
+Malware -- lmg uses /bin/bash, gcc, zip, and a host of other programs from
   the target machine.  If the system has been compromised, the applications
   lmg uses may not be trustworthy.  A more complete solution would be
   to create a secure execution environment for lmg on the portable USB
@@ -113,6 +120,11 @@ of the target machine.  If found, lmg will not bother to recompile.
 Similarly, you may choose to not have lmg create the Volatility(TM)
 profile for the target in order to minimize the impact on the target system.
 
+lmg uses relative path names when invoking programs like gcc and zip.
+So if you wish to run these programs from alternate media, simply update
+$PATH as appropriate before running lmg.
+
+
 USING LMG
 =========
 
@@ -133,16 +145,30 @@ a new directory on the thumb drive named
 
    ".../capture/<hostname>-YYYY-MM-DD_hh.mm.ss"
 
-In this directory you will find:
+lmg supports a -c option for specifying a case ID directory name to be
+used instead of the default "<hostname>-YYYY-MM-DD_hh.mm.ss" directory.
+
+Whatever directory name is used, the directory will contain:
 
    <hostname>-YYYY-MM-DD_hh.mm.ss-memory.lime  -- the RAM capture
    <hostname>-YYYY-MM-DD_hh.mm.ss-profile.zip  -- Volatility(TM) profile
    <hostname>-YYYY-MM-DD_hh.mm.ss-bash         -- copy of target's /bin/bash
+   volatilityrc                                -- prototype Volatility config file
+
+The volatilityrc file defines the appropriate locations for the captured
+memory and plugin. See the USAGE EXAMPLE below for how to use this file.
 
 The copy of /bin/bash is helpful for determining the address of the shell 
 history data structure in the memory of bash processes in the memory capture.
 See http://code.google.com/p/volatility/wiki/LinuxCommandReference23#linux_bash
-for further details on how to use this executable.
+for further details on how to use this executable (or reference the USAGE EXAMPLE
+below).
+
+Note that there may be times when you do not wish to write data to the media
+that you are running lmg from-- for example if the lmg tools are on read-only
+media like a DVD-ROM. lmg supports a -d option to specify a different output
+directory. By default, all compilation will happen in the target directory,
+but the user may specify an alternate compilation directory with -B.
 
 
 USAGE EXAMPLE
@@ -166,8 +192,8 @@ caribou# mount /dev/sdb1 /mnt/usb
 --------------
 
 caribou# /mnt/usb/lmg -y
-make -C /lib/modules/3.2.0-41-generic/build M=/mnt/usb/lime/src modules
-make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic'
+make -C /lib/modules/3.13.0-37-generic/build M=/mnt/usb/lime/src modules
+make[1]: Entering directory `/usr/src/linux-headers-3.13.0-37-generic'
   CC [M]  /mnt/usb/lime/src/tcp.o
   CC [M]  /mnt/usb/lime/src/disk.o
   CC [M]  /mnt/usb/lime/src/main.o
@@ -176,89 +202,77 @@ make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic'
   MODPOST 1 modules
   CC      /mnt/usb/lime/src/lime.mod.o
   LD [M]  /mnt/usb/lime/src/lime.ko
-make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic'
+make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-37-generic'
 strip --strip-unneeded lime.ko
-mv lime.ko lime-3.2.0-41-generic-x86_64.ko
+mv lime.ko lime-3.13.0-37-generic-x86_64.ko
 make tidy
 make[1]: Entering directory `/mnt/usb/lime/src'
 rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
 rm -rf \.tmp_versions
 make[1]: Leaving directory `/mnt/usb/lime/src'
-Dumping memory in "lime" format to /mnt/usb/capture/caribou-2014-03-29_12.06.01
-This could take a while...Done! Cleaning up...Done!
+LiME module is /mnt/usb/lime/src/lime-3.13.0-37-generic-x86_64.ko
+Dumping memory in "lime" format to /mnt/usb/capture/caribou-2016-01-12_14.32.41
+This could take a while...Done!
+Cleaning up...Done!
 Grabbing a copy of /bin/bash...Done!
-make -C //lib/modules/3.2.0-41-generic/build CONFIG_DEBUG_INFO=y M=/mnt/usb/volatility-2.3.1/tools/linux modules
-make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic'
-  CC [M]  /mnt/usb/volatility-2.3.1/tools/linux/module.o
-  Building modules, stage 2.
-  MODPOST 1 modules
-  CC      /mnt/usb/volatility-2.3.1/tools/linux/module.mod.o
-  LD [M]  /mnt/usb/volatility-2.3.1/tools/linux/module.ko
-make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic'
+Writing volatilityrc to /mnt/usb/capture/caribou-2016-01-12_14.32.41...Done!
+make -C //lib/modules/3.13.0-37-generic/build M="/mnt/usb/volatility-2.4/tools/linux" clean
+make[1]: Entering directory `/usr/src/linux-headers-3.13.0-37-generic'
+make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-37-generic'
+rm -f module.dwarf
+make -C //lib/modules/3.13.0-37-generic/build CONFIG_DEBUG_INFO=y M="/mnt/usb/volatility-2.4/tools/linux" modules
+make[1]: Entering directory `/usr/src/linux-headers-3.13.0-37-generic'
+  CC [M]  /mnt/usb/volatility-2.4/tools/linux/module.o
+  CC      /mnt/usb/volatility-2.4/tools/linux/module.mod.o
+  LD [M]  /mnt/usb/volatility-2.4/tools/linux/module.ko
+make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-37-generic'
 dwarfdump -di module.ko > module.dwarf
-make -C //lib/modules/3.2.0-41-generic/build M=/mnt/usb/volatility-2.3.1/tools/linux clean
-make[1]: Entering directory `/usr/src/linux-headers-3.2.0-41-generic'
-  CLEAN   /mnt/usb/volatility-2.3.1/tools/linux/.tmp_versions
-  CLEAN   /mnt/usb/volatility-2.3.1/tools/linux/Module.symvers
-make[1]: Leaving directory `/usr/src/linux-headers-3.2.0-41-generic'
+make -C //lib/modules/3.13.0-37-generic/build M="/mnt/usb/volatility-2.4/tools/linux" clean
+make[1]: Entering directory `/usr/src/linux-headers-3.13.0-37-generic'
+  CLEAN   /mnt/usb/volatility-2.4/tools/linux/.tmp_versions
+  CLEAN   /mnt/usb/volatility-2.4/tools/linux/Module.symvers
+make[1]: Leaving directory `/usr/src/linux-headers-3.13.0-37-generic'
   adding: module.dwarf (deflated 90%)
-  adding: boot/System.map-3.2.0-41-generic (deflated 79%)
-caribou# ls /mnt/usb/capture/caribou-2014-03-29_12.06.01/
-caribou-2014-03-29_12.06.01-bash
-caribou-2014-03-29_12.06.01-memory.lime
-caribou-2014-03-29_12.06.01-profile.zip
-
-
-3) Check for the new profile
-----------------------------
-
-caribou# export VOLATILITY_PLUGINS=/mnt/usb/capture/caribou-2014-03-29_12.06.01
-caribou# /mnt/usb/volatility-2.3.1/vol.py --info | grep Linux
-Volatility Foundation Volatility Framework 2.3.1
-linux_banner            - Prints the Linux banner information
-linux_yarascan          - A shell in the Linux memory image
-Linuxcaribou-2014-03-29_12_06_01-profilex64 - A Profile for Linux caribou-2014-03-29_12.06.01-profile x64
-
-
-4) Choose the new profile and memory capture, run linux_pslist to test
-----------------------------------------------------------------------
-
-caribou# export VOLATILITY_PROFILE=Linuxcaribou-2014-03-29_12_06_01-profilex64
-caribou# export VOLATILITY_LOCATION=file:///mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-memory.lime
-caribou# /mnt/usb/volatility-2.3.1/vol.py linux_pslist
-Volatility Foundation Volatility Framework 2.3.1
-Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------- -------------------- --------------- --------------- ------ ------------------ ----------
-0xffff88022e0e8000 init                 1               0               0      0x0000000228f73000 2014-03-29 14:10:23 UTC+0000
-0xffff88022e0e9700 kthreadd             2               0               0      ------------------ 2014-03-29 14:10:23 UTC+0000
-0xffff88022e0eae00 ksoftirqd/0          3               0               0      ------------------ 2014-03-29 14:10:23 UTC+0000
-[... more output not shown ...]
+  adding: boot/System.map-3.13.0-37-generic (deflated 79%)
+
+
+3) Running linux_banner plugin to test capture, leveraging the prototype volatilityrc
+-------------------------------------------------------------------------------------
+
+caribou# /mnt/usb/volatility-2.4/vol.py --conf-file=/mnt/usb/capture/caribou-2016-01-12_14.32.41/volatilityrc linux_banner
+Volatility Foundation Volatility Framework 2.4
+Linux version 3.13.0-37-generic (buildd@kapok) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #64-Ubuntu SMP Mon Sep 22 21:28:38 UTC 2014 (Ubuntu 3.13.0-37.64-generic 3.13.11.7)
 
 
-5) Use the captured copy of /bin/bash to dump shell history with linux_bash
+4) Use the captured copy of /bin/bash to dump shell history with linux_bash
 ---------------------------------------------------------------------------
 
-caribou# gdb /mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-bash 
-GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
-Copyright (C) 2012 Free Software Foundation, Inc.
+caribou# gdb /mnt/usb/capture/caribou-2016-01-12_14.32.41/caribou-2016-01-12_14.32.41-bash 
+GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
+Copyright (C) 2014 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
-<http://bugs.launchpad.net/gdb-linaro/>...
-Reading symbols from /mnt/usb/capture/caribou-2014-03-29_12.06.01/caribou-2014-03-29_12.06.01-bash...(no debugging symbols found)...done.
-(gdb) disass history_list
+<http://www.gnu.org/software/gdb/bugs/>.
+Find the GDB manual and other documentation resources online at:
+<http://www.gnu.org/software/gdb/documentation/>.
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
+Reading symbols from /mnt/usb/capture/caribou-2016-01-12_14.32.41/caribou-2016-01-12_14.32.41-bash...(no debugging symbols found)...done.
+(gdb) disassemble history_list
 Dump of assembler code for function history_list:
-   0x00000000004a53f0 <+0>:	mov    0x2490c9(%rip),%rax        # 0x6ee4c0
-   0x00000000004a53f7 <+7>:	retq   
+   0x00000000004aedb0 <+0>:	mov    0x24e861(%rip),%rax        # 0x6fd618
+   0x00000000004aedb7 <+7>:	retq   
 End of assembler dump.
 (gdb) quit
-caribou# vol.py linux_bash -H 0x6ee4c0 -P
-Volatility Foundation Volatility Framework 2.3.1
+caribou# /mnt/usb/volatility-2.4/vol.py --conf-file=/mnt/usb/capture/caribou-2016-01-12_14.32.41/volatilityrc linux_bash -H 0x6fd618 | head
+Volatility Foundation Volatility Framework 2.4
 Pid      Name                 Command Time                   Command
 -------- -------------------- ------------------------------ -------
-    2604 bash                 2014-03-29 14:11:17 UTC+0000   cat workshop-outline 
-    2604 bash                 2014-03-29 14:11:17 UTC+0000   sigfind -b 4096 006D6C6F6361 /dev/mapper/RD-var
+    4157 bash                 2016-01-12 17:42:55 UTC+0000   cd vss
+    4157 bash                 2016-01-12 17:42:55 UTC+0000   unzip Security_evtx.csv.zip 
 [... more output not shown ...]