
Setup

How to make it start working!

Please set up a Debian 12 VM first; get it at https://www.debian.org/download

We recommend making a directory called Forensic in your home directory (the commands below assume ~/Forensic). Do all of this inside the VM: LiME and the swapper module are kernel modules and get loaded into the guest kernel, so the VM is what gets dumped.

Install necessary packages:

sudo apt update
sudo apt-get install -y build-essential linux-headers-$(uname -r) git
sudo apt-get install -y unzip
sudo apt install golang-go

Installing and building LiME:

cd ~/Forensic
git clone https://github.com/504ensicsLabs/LiME.git
cd ~/Forensic/LiME/src
make clean
make

Loading the LiME kernel module (this is what takes the dump; pick an output path with enough free space, and optionally add digest=sha1 inside the same quoted string so LiME writes a hash of the capture next to it):

sudo insmod lime-$(uname -r).ko "path=/path/to/output.lime format=lime"

Unloading the LiME kernel module after you get the memory dump, important! (a second insmod fails with "File exists" while it is still loaded):

sudo rmmod lime

Please make sure to change the ownership and permissions of this memory dump, and of all future memory dumps, so the notebook running as your user can read them. Read access is all it needs; do not leave an evidence file world-writable:

sudo chown user:group /path/to/output.lime
chmod 644 /path/to/output.lime

How to use volatility3 and dwarf2json

Volatility3 does not use volatility2-style "profiles"; it needs a symbol table, a JSON file in its Intermediate Symbol Format (ISF). We build it with dwarf2json from the kernel's debug vmlinux and its System.map. Then you should be ready to run volatility3 with that symbol file and the memory dump.

Get volatility3 either as a repository:

git clone https://github.com/volatilityfoundation/volatility3.git

or, if you prefer, via pip3 as a library (or install it from the cloned repo using its setup.py).

Build dwarf2json (Go was already installed above; the apt line is repeated here in case you skipped it):

sudo apt install golang-go
git clone https://github.com/volatilityfoundation/dwarf2json.git
cd dwarf2json
go build
sudo mv dwarf2json /usr/local/bin/

NOW we can finally get a symbol table! This expects the debug symbols of the running kernel under /usr/lib/debug; on Debian 12 they come from the linux-image-$(uname -r)-dbg package in the debian-debug repository (deb http://deb.debian.org/debian-debug/ bookworm-debug main), which is not enabled by default. The symbol file only matches the exact kernel build it was generated from, so build it on the same kernel you take the dumps from:

sudo dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) --system-map /usr/lib/debug/boot/System.map-$(uname -r) > debian.json

Move the symbol file you built into a folder called profiles (the notebook's symboldir points there). We recommend it!

mkdir -p ~/Forensic/profiles
mv debian.json ~/Forensic/profiles/
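Once you have both a .lime dump and debian.json, the two things that most often go wrong are a damaged dump (the notebook deliberately works with corrupt copies) and a symbol file that does not belong to the kernel that was dumped, in which case volatility3 fails to find a usable symbol table. The script below is an added example written for this README; it is not code from the forensics_pr3 repository, LiME, dwarf2json or volatility3. It walks the LiME range headers (32 bytes each: magic 0x4C694D45, version 1, inclusive start and end physical address, 8 reserved bytes), reports truncation, bad magic and out-of-order ranges, then scans the range data for the kernel's "Linux version ..." banner and compares it with the banner recorded in the ISF file, assumed here to be the base64 `constant_data` of the `linux_banner` symbol as dwarf2json emits it. The dump bytes and the minimal ISF dictionary are constructed inline so it runs offline.

```python
"""Check a LiME dump and match its kernel banner against a volatility3 ISF file.

Added example for this README, not code from forensics_pr3, LiME, dwarf2json or
volatility3. Assumed: LiME's range header layout (magic, version 1, inclusive
s_addr/e_addr) and dwarf2json storing the banner as base64 `constant_data` of
the `linux_banner` symbol. All sample data below is constructed.
"""
import base64
import json
import mmap
import struct
import sys
from typing import Dict, List, Optional

LIME_MAGIC = 0x4C694D45                 # "EMiL" when the bytes are read little-endian
LIME_HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved
BANNER_PREFIX = b"Linux version "


def parse_lime(data) -> List[Dict]:
    """Walk every range header; each entry carries the problems found for it.
    e_addr is inclusive, so a range's payload is e_addr - s_addr + 1 bytes long."""
    ranges: List[Dict] = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HEADER.size:
            ranges.append({"offset": off, "problems": ["truncated header"]})
            break
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        problems = []
        if magic != LIME_MAGIC:
            problems.append(f"bad magic 0x{magic:08x}")
        if version != 1:
            problems.append(f"unsupported version {version}")
        if e_addr < s_addr:
            problems.append("end address before start address")
        size = e_addr - s_addr + 1 if e_addr >= s_addr else 0
        data_off = off + LIME_HEADER.size
        available = len(data) - data_off
        if available < size:
            problems.append(f"truncated data: {available} of {size} bytes present")
        if ranges and "end" in ranges[-1] and s_addr <= ranges[-1]["end"]:
            problems.append("range overlaps or is out of order")
        ranges.append({"offset": off, "start": s_addr, "end": e_addr, "size": size,
                       "data_offset": data_off, "problems": problems})
        if magic != LIME_MAGIC or available < size:
            break  # nothing after a bad header or a short range can be trusted
        off = data_off + size
    return ranges


def find_banner(data, ranges: List[Dict]) -> Optional[bytes]:
    """Return the NUL-terminated kernel banner found inside the dumped range data."""
    for r in ranges:
        if "data_offset" not in r:
            continue
        lo, hi = r["data_offset"], r["data_offset"] + r["size"]
        i = data.find(BANNER_PREFIX, lo, hi)      # works on bytes and on an mmap
        if i != -1:
            end = data.find(b"\0", i, hi)
            return bytes(data[i:end if end != -1 else hi])
    return None


def isf_banner(isf: Dict) -> Optional[bytes]:
    """Decode the banner stored as base64 constant_data of the linux_banner symbol."""
    sym = isf.get("symbols", {}).get("linux_banner", {})
    if "constant_data" not in sym:
        return None
    return base64.b64decode(sym["constant_data"]).rstrip(b"\0")


def check_dump(data, isf: Dict) -> Dict:
    """Summarise dump integrity and whether the ISF file belongs to this kernel."""
    ranges = parse_lime(data)
    dump_banner, sym_banner = find_banner(data, ranges), isf_banner(isf)
    return {"ranges": len(ranges),
            "problems": [p for r in ranges for p in r["problems"]],
            "dump_banner": dump_banner, "isf_banner": sym_banner,
            "banner_match": dump_banner is not None and dump_banner == sym_banner}


# --- constructed sample data: not a real capture and not real dwarf2json output ---
SAMPLE_BANNER = b"Linux version 6.1.0-22-amd64 (constructed sample, not a real kernel)\n"
SAMPLE_ISF = {"symbols": {"linux_banner": {  # minimal ISF stub, only what the check reads
    "address": 0xFFFFFFFF82000000,
    "constant_data": base64.b64encode(SAMPLE_BANNER + b"\0").decode()}}}


def _lime_range(start: int, payload: bytes) -> bytes:
    return LIME_HEADER.pack(LIME_MAGIC, 1, start, start + len(payload) - 1, bytes(8)) + payload


def build_sample_dump() -> bytes:
    """Two ranges with a hole between them, as real dumps have around reserved regions."""
    page = bytearray(4096)
    page[0x200:0x200 + len(SAMPLE_BANNER)] = SAMPLE_BANNER   # plant the banner in range 1
    return _lime_range(0x1000, bytes(page)) + _lime_range(0x100000, bytes(range(256)))


def corrupt_second_magic(dump: bytes) -> bytes:
    """Clobber the second header's magic, like a partly overwritten or edited dump."""
    pos = LIME_HEADER.size + 4096
    return dump[:pos] + b"XXXX" + dump[pos + 4:]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real files: <dump.lime> <debian.json>; mmap avoids reading a huge dump whole
        with open(sys.argv[1], "rb") as f, open(sys.argv[2]) as g:
            print(check_dump(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ), json.load(g)))
    else:
        good = build_sample_dump()
        print("clean:    ", check_dump(good, SAMPLE_ISF))
        print("truncated:", check_dump(good[:-100], SAMPLE_ISF)["problems"])
        print("bad magic:", check_dump(corrupt_second_magic(good), SAMPLE_ISF)["problems"])
```

Run it with no arguments for the constructed demo, or (assuming you saved it as check_lime.py, a name chosen here) as `python3 check_lime.py ~/memory_dump.lime ~/Forensic/profiles/debian.json` against your real files. A truncation or bad-magic report tells you the dump itself is damaged; `banner_match` being false with a clean dump means debian.json was built from a different kernel than the one that was dumped.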

The notebook and kernel module

We used VS Code to run our notebook, which is an .ipynb file. Quickly get VS Code here if you don't have it! (apt-key is deprecated on Debian 12, so the Microsoft signing key goes into a keyring that the repository entry references with signed-by.)

sudo apt install software-properties-common apt-transport-https wget gpg
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /usr/share/keyrings/microsoft.gpg > /dev/null
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/vscode stable main" | sudo tee /etc/apt/sources.list.d/vscode.list
sudo apt update
sudo apt install code

Now get our repository if you haven't already:

cd ~/Forensic
git clone https://gitlab.eurecom.fr/veysseyr/forensics_pr3.git
cd forensics_pr3

Make a new Python environment for best practice; we also need ipykernel in this environment, without conflicts with the system packages:

sudo apt install python3-venv python3-pip
python3 -m venv venv
source venv/bin/activate
pip install ipykernel

After this, try running the notebook. VS Code may ask you to install ipykernel; then switch the notebook's Python interpreter to the virtual environment (./venv) inside VS Code.

We also need to install volatility3 into this new environment (with the venv still activated). Or do it yourself from the repo directly; just make sure your IDE has access to the volatility3 Python package.

pip install git+https://github.com/volatilityfoundation/volatility3.git

Now set up your folders inside the development.ipynb notebook in a similar manner (replace /home/dorkt990 with your own home directory; the dump file names must match what you passed to LiME as path=):

import os

homedir = "/home/dorkt990"
symboldir = "/home/dorkt990/profiles"               # where debian.json was moved
volpypath = "/home/dorkt990/Forensic/volatility3"   # the cloned volatility3 repo
datapath = "/home/dorkt990"                         # where the .lime dumps live
dumppath = f"{datapath}/memory_dump.lime"                    # the first, clean dump
dumppath_corrupt1 = f"{datapath}/corrupt1_memory_dmp.lime"   # corrupt dumps used by the notebook
dumppath_corrupt2 = f"{datapath}/corrupt2_memory_dmp.lime"
dumppath_moded = f"{datapath}/memory_dmp_moded.lime"         # dump taken after running the swapper module
original_path = os.getcwd()

After this you should be able to run the notebook and follow the instructions inside up to the end of part 1.

Before you start section 2.1 you should follow the section below.

Kernel Module

Okay, now you need to build our swapper kernel module and its user-space helper. Change into the directory that contains swapper_mod.c and its Makefile (the forensics_pr3 checkout from above; adjust the path if your checkout keeps them in a subdirectory):

cd ~/Forensic/forensics_pr3
make clean
make

Make sure you don't have the module already loaded, just to be sure:

lsmod | grep swapper_mod && sudo rmmod swapper_mod

Now use the module! Load it, then build and run the user-space program that drives it:

sudo insmod ./build/swapper_mod.ko

gcc -o build/swapper_user swapper_user.c
sudo ./build/swapper_user

Check your kernel logs to see the swapper device being used and unloaded:

sudo dmesg | tail -n 30

Now remember you need to take a fresh memory dump of your guest VM, which just had its swapper modified. Use the LiME module built for your running kernel (lime-6.1.0-22-amd64.ko in our case), write the dump where the notebook's dumppath_moded expects it, and, as before, unload LiME and fix the file permissions afterwards:

cd ~/Forensic/LiME/src
sudo insmod lime-$(uname -r).ko "path=$HOME/memory_dmp_moded.lime format=lime"
sudo rmmod lime
sudo chown $USER:$USER $HOME/memory_dmp_moded.lime
chmod 644 $HOME/memory_dmp_moded.lime

Now go back to the notebook, the last part!

After this you should be able to run the last pslist command. You are free to run any other volatility commands as you wish.

We recommend the following plugins for interesting details!:

- linux.pslist
- linux.proc.Maps
- linux.check_idt
- linux.check_syscall

Please read the report for more!