Examples of Volatility2 - XuehengWang/LiME-Volatility GitHub Wiki

Some functions of Volatility2

  • In this part, we introduce some Linux plugins of Volatility that analyze the memory file we extracted (either from our local machine or from an external machine).

  • Before this part, we need to make sure the profile we built matches the target system in Linux distribution, exact kernel version, and CPU architecture (32-bit, 64-bit, etc.).

  • NOTE: when using any Volatility plugin, the python command line must include --profile=

For example, as shown in the figure below, I inspected the generated profile and confirmed that it matches the kernel version of the system whose memory I captured; after that, every plugin invocation should include --profile=LinuxUbuntu_4_15_0-112-generic_profilex64 on the command line.

List the supported Linux plugins (and profiles)

$ python2 vol.py --info  | grep linux

linux_psaux: view the processes running on the system

$ python2 vol.py -f ../LiME/dump.mem linux_psaux --profile=<Profile name>

linux_netstat: view the network connection state

$ python2 vol.py -f ../LiME/dump.mem linux_netstat --profile=<Profile name>

linux_mount: which file systems were mounted

$ python2 vol.py -f ../LiME/dump.mem linux_mount --profile=<Profile name>

linux_lsmod: what kernel modules were loaded

$ python2 vol.py -f ../LiME/dump.mem linux_lsmod --profile=<Profile name>

linux_bash: view the Bash command history

$ python2 vol.py -f ../LiME/dump.mem linux_bash --profile=<Profile name>

linux_lsof: what files were opened by which processes

$ python2 vol.py -f ../LiME/dump.mem linux_lsof --profile=<Profile name>
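The commands above are run one at a time; during a real triage it is easier to run them all against the same dump and keep each plugin's output in a separate file. The following POSIX sh wrapper is an added example and is not part of the LiME-Volatility wiki or of Volatility itself. It assumes vol.py is at the path in `$VOL` (default `./vol.py`), that `python2` is on `PATH`, and that the profile name is the one shown by `vol.py --info | grep linux`; before running anything it checks that the profile name really appears in that output, which catches the mismatched-profile problem described at the top of this page.

```sh
#!/bin/sh
# Added example (not from the LiME-Volatility wiki): run the Linux plugins
# listed above against one LiME dump, one output file per plugin.
# Assumptions: vol.py at $VOL (default ./vol.py), python2 on PATH, and a
# profile name copied from `vol.py --info | grep linux`.

VOL="${VOL:-./vol.py}"

# Plugins to run, in the order the page lists them.
PLUGINS="linux_psaux linux_netstat linux_mount linux_lsmod linux_bash linux_lsof"

# build_cmd DUMP PROFILE PLUGIN
# Prints the exact command line; --profile= is always present because every
# Linux plugin needs it.
build_cmd() {
    printf 'python2 %s -f %s --profile=%s %s\n' "$VOL" "$1" "$2" "$3"
}

# profile_known PROFILE INFO_TEXT
# Succeeds if PROFILE starts a line of INFO_TEXT, the text printed by
# `vol.py --info` (profile names are printed at the start of a line, followed
# by whitespace). Passing the text in lets the check run offline.
profile_known() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]"
}

# run_triage DUMP PROFILE OUTDIR
# Runs every plugin in PLUGINS, writing stdout to OUTDIR/<plugin>.txt and
# stderr to OUTDIR/<plugin>.err. With DRY_RUN set, only prints the commands.
run_triage() {
    dump="$1"; profile="$2"; outdir="$3"
    [ -n "${DRY_RUN:-}" ] || mkdir -p "$outdir"
    for plugin in $PLUGINS; do
        if [ -n "${DRY_RUN:-}" ]; then
            build_cmd "$dump" "$profile" "$plugin"
        else
            python2 "$VOL" -f "$dump" --profile="$profile" "$plugin" \
                > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err" \
                || echo "$plugin failed, see $outdir/$plugin.err" >&2
        fi
    done
}

# Usage: sh triage.sh ../LiME/dump.mem LinuxUbuntu_4_15_0-112-generic_profilex64 out
# The profile check runs first so a wrong profile fails fast instead of
# producing six empty or garbled outputs.
if [ "$#" -eq 3 ]; then
    info="$(python2 "$VOL" --info 2>/dev/null | grep linux)"
    if profile_known "$2" "$info"; then
        run_triage "$1" "$2" "$3"
    else
        echo "profile $2 not listed by vol.py --info; rebuild it for the target kernel" >&2
        exit 1
    fi
fi
```

Set `DRY_RUN=1` to print the six command lines without running Volatility, which is a convenient way to confirm the dump path and profile name before a long run.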

Check the Linux plugins scripts

$ ls volatility/plugins/linux/

Open a shell within the memory dump

$ python2 vol.py -f ../LiME/dump.mem linux_volshell --profile=<Profile name> -v