Conducting memory analysis with Volatility3 against a Linux or macOS RAM capture, requires of an investigator to acquire appropriate kernel debugging information. As a compiled kernel produces a unique copy of this data, it can sometimes be tedious to access, manipulate, and transform it into the universal JSON Intermediate Symbol File format (required by Volatility3).
To save time, CPU, and bandwidth across the world, this repository contains a collection of ISF, generated against kernel sources from the most popular kernel distributions.
Place every compressed symbol file you plan to use inside your <volatility3_installation>/volatility3/symbols/linux/ directory (create it if it doesn't exist).
Explore the banners/banners_plain.json file to match banners and symbols quickly, or navigate manually through the directories using the GitHub UI.
After receiving a memory sample to analyze, we need to determine the kernel version and OS running on the machine at capture time :
forensic-machine@analyst:~$ python3 vol.py -r pretty -f sample.bin banners
| Offset | Banner
* | 0x1400070 | Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2We identified a Linux Debian kernel, and thanks to the Linux banner, we can search in this repository if the ISF was already generated. To do so, we can grab the banners_plain.json mapping file :
forensic-machine@analyst:~$ wget https://raw.githubusercontent.com/Abyss-W4tcher/volatility3-symbols/master/banners/banners_plain.json
forensic-machine@analyst:~$ grep -A 2 'Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2' banners_plain.json
"Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2": [
"Debian/amd64/3.2.0/4/Debian_3.2.0-4-amd64_3.2.57-3+deb7u2_amd64.json.xz"
],We got a match π ! Now, we can easily download the appropriate ISF directly in the Volatility3 symbols directory :
# Create <volatility3_installation>/volatility3/symbols/linux/ beforehand if it doesn't exist
forensic-machine@analyst:~$ wget https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/Debian/amd64/3.2.0/4/Debian_3.2.0-4-amd64_3.2.57-3+deb7u2_amd64.json.xz -P <volatility3_installation>/volatility3/symbols/linux/The setup is now ready for memory analysis.
If you didn't get any match, please refer to the FAQ or the Volatility3 documentation to help you generate the ISF manually. π¦Ύ
| Distribution | Path | Symbols | Example |
|---|---|---|---|
| Ubuntu | Ubuntu/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/ | Ubuntu_<kernel-version>_<package-revision>_<architecture>.json.xz | Ubuntu/amd64/4.4.0/22/generic/Ubuntu_4.4.0-22-generic_4.4.0-22.40~14.04.1_amd64.json.xz |
| Debian | Debian/<architecture>/<base-kernel-version>/<ABI>/<kernel-flavour>/ | Debian_<kernel-version>_<package-revision>_<architecture>.json.xz | Debian/amd64/3.1.0/1/Debian_3.1.0-1-amd64_3.1.1-1_amd64.json.xz |
| KaliLinux | KaliLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | KaliLinux_<kernel-version>_<package-revision>_<architecture>.json.xz | KaliLinux/amd64/5.2.0/KaliLinux_5.2.0-kali2-amd64_5.2.9-2kali1_amd64.json.xz |
| AlmaLinux | AlmaLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | AlmaLinux_<kernel-version>_<architecture>.json.xz | AlmaLinux/x86_64/4.18.0/AlmaLinux_4.18.0-477.13.1.el8_8_x86_64.json.xz |
| RockyLinux | RockyLinux/<architecture>/<base-kernel-version>/<kernel-flavour>/ | RockyLinux_<kernel-version>_<architecture>.json.xz | RockyLinux/x86_64/4.18.0/RockyLinux_4.18.0-477.10.1.el8_8_x86_64.json.xz |
| macOS | macOS/<version-prefixed>/ | macOS_KDK_<macOS-version>_build-<build>_<arch-if-mach-kernel>.json.xz | macOS/14.0/macOS_KDK_14.0_build-23A5257q.json.xz |
- Some distributions are missing, do you plan to add them anytime soon ?
Adding a new distribution is not particularly an issue, and I'd like to include as much as I can. However, I do not want to push the repository size too far, to avoid a potential removal by GitHub.
- I can't find a specific kernel release in your repository, is there a way to generate the ISF manually ?
Depending on the release policy of a kernel vendor, some versions might be considered "experimental" or "unstable", hence never making it to the "official" debug repositories (or at least not for a long time).
Take a look at the symbols_finders/ directory, to help you find kernel packages not available in this repository or in the classic editor sources.
Kernel debug symbols for macOS are fetched from : https://developer.apple.com/download/all. However, as Apple does not provide every build, some versions aren't available in this repository. Here are some discussions about it :
Volatility3 provides a new feature allowing users to specify a remote symbols source to be queried when analyzing a memory dump. To test this feature in your local installation, run the following commands :
VOLATILITY3_PATH=/path/to/volatility3_install/ # Edit accordingly
sed -i 's@REMOTE_ISF_URL = None@REMOTE_ISF_URL = "https://github.com/Abyss-W4tcher/volatility3-symbols/raw/master/banners/banners.json"@g' "$VOLATILITY3_PATH/volatility3/framework/constants/__init__.py"A similar project for Volatility2 profiles is available here : https://github.com/Abyss-W4tcher/volatility2-profiles
EZ Volatility install script : https://github.com/Abyss-W4tcher/volatility-scripts/tree/master/vol_ez_install
