Sunday, October 10, 2021

Volatility 3 Quick Setup on Remnux 7

As I mentioned in last week's post, I downloaded REMnux to run Volatility 2 or 3 against the memory image provided at BSides Idaho Falls.


After executing Volatility for the first time it will state that the symbol files need to be installed. The REMnux documentation at https://docs.remnux.org/discover-the-tools/perform+memory+forensics describes where to download the symbol files; however, the installation path it lists is incorrect for REMnux 7.


If you execute the command "vol3 -vvv -f <mem image file> windows.info.Info", the verbose output shows the paths where it looks for the symbol files: /usr/local/lib/python3.8/dist-packages/volatility3/framework/symbols or /usr/local/lib/python3.8/dist-packages/volatility3/symbols. I observed that the second directory does not exist and that it did not work when I created it... I did not look into why...

 

The initial file I downloaded was dfrws2005-physical-memory1.dmp. When I loaded it with vol3 it kept returning that I did not have the symbols loaded. I was becoming a little frustrated, so I tried a memory image from the Malware Analyst's Handbook and it worked. I observed that vol3 will attempt to find a symbol file, but depending on the memory image it did not work, so I fell back to vol2.py.


From there I was able to run the variety of plugins available. You can list the plugins available by default by executing:

vol3 -f <mem image file> -h

Here is a list of memory images available: https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples

Symbols File Updates: https://github.com/volatilityfoundation/volatility3#symbol-tables
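Rather than trusting a hard-coded path from the docs, the safe approach is to ask the installed Volatility 3 where it will search and unpack the symbol pack there. The script below is an added example, not part of the original post or of the Volatility project: it reads the symbol base paths from Volatility's own constants.SYMBOL_BASEPATHS list (which I take to be the source of the two directories that vol3 -vvv reports), picks the first one that already exists, downloads the symbol zip from the URL given in the volatility3 README linked above, and re-runs windows.info.Info to confirm the symbols resolve. It assumes python3 can import volatility3 (true on REMnux 7, where it lives under /usr/local/lib/python3.8/dist-packages), that wget, unzip and sudo are available, and that the command is invoked as vol3 as on REMnux.

```shell
#!/bin/sh
# Added example (not from the blog post or the Volatility project): install a
# Volatility 3 symbol pack into the directory the installed framework really
# searches, then verify with windows.info.Info.
# Assumptions: python3 can import volatility3; wget, unzip and sudo exist;
# the download URL is the one listed in the volatility3 README.

SYMBOL_BASE_URL="https://downloads.volatilityfoundation.org/volatility3/symbols"

# URL of the symbol pack for an OS family (windows, linux or mac).
symbol_url() {
    case "$1" in
        windows|linux|mac) printf '%s/%s.zip\n' "$SYMBOL_BASE_URL" "$1" ;;
        *) echo "unknown OS family: $1" >&2; return 1 ;;
    esac
}

# Print the symbol base paths configured in the installed Volatility 3, one per
# line. These are the same directories that 'vol3 -vvv' reports when it fails
# to find symbols (assumption: constants.SYMBOL_BASEPATHS is that list).
vol3_symbol_paths() {
    python3 - <<'EOF'
from volatility3.framework import constants
for p in constants.SYMBOL_BASEPATHS:
    print(p)
EOF
}

# Read directories from stdin and print the first one that already exists.
# Fails (returns 1) if none of them exist, so callers can bail out cleanly.
first_existing_dir() {
    while IFS= read -r d; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Download one symbol pack, unpack it into the live symbol directory and
# confirm that Volatility can now identify the image.
install_symbols() {
    os_family="$1"
    image="$2"
    dest="$(vol3_symbol_paths | first_existing_dir)" || {
        echo "none of the symbol directories reported by volatility3 exist" >&2
        return 1
    }
    echo "installing $os_family symbols into $dest"
    tmp="$(mktemp -d)"
    wget -q -O "$tmp/$os_family.zip" "$(symbol_url "$os_family")"
    # The zip already carries the top-level windows/ (linux/, mac/) folder, so
    # it unpacks straight into the base path. sudo: dist-packages is root-owned.
    sudo unzip -o -q "$tmp/$os_family.zip" -d "$dest"
    rm -rf "$tmp"
    echo "installed under $dest/$os_family:"
    ls "$dest/$os_family" | head
    vol3 -f "$image" windows.info.Info
}

# usage: sh vol3-symbols.sh windows /path/to/memory.img
if [ "$#" -eq 2 ]; then
    install_symbols "$1" "$2"
fi
```

If windows.info.Info still reports missing symbols after this, the image needs a PDB that is not in the offline pack; in that case vol3 has to fetch the matching ISF from Microsoft's symbol server, which needs network access, or you fall back to Volatility 2 as the post describes.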
