After capturing Linux memory using LiME (or your program of choice), we can analyze it using Volatility. In order to do so, you will need to build a profile for Volatility to use. The profile is based on the kernel/version of the system in which the memory capture was done on. The maintainers of the Volatility Project have a repo of pre-built profiles on their page located at https://github.com/volatilityfoundation/profiles/tree/master/Linux. Carnegie Mellon University also has prebuilt profiles as well and they are located at https://forensics.cert.org.
In order to build a profile, following the below instructions. For this demo, I am using a Kali 1.0.9 (Debian) system to build my profile on an Ubuntu system to do the analyzing on.
1) Install dwarfdump. On RedHat(Fedora)-based systems, this can be done by typing ‘yum install dwarfdump’
root@kali:~/Desktop# apt-get install dwarfdump
2) Download the necessary source code to compile the module.dwarf file
root@kali:~/Desktop# svn checkout http://volatility.googlecode.com/svn/trunk/tools/linux ./vol-mem-profile
3) Change directory into the newly created vol-mem-profile directory
root@kali:~/Desktop# cd ./vol-mem-profile
3) Compile the source code, which will create the module.dwarf file
4) Ensure that the module.dwarf file has been created
5) Create the profile by placing the module.dwarf and system.map file into a zip file.
root@kali:~/Desktop/vol-mem-profile# zip Kali.1.0.9.zip ./module.dwarf /boot/System.map-`uname -r`
6) Copy the Kali.1.0.9.zip file to a external drive and plug it into the system that you will do the analyzing on
7) Verify external drive is mounted
root@boom-boom:~# ls /media/
8) Copy the Kali.1.0.9.zip file to the Linux folder nested in the Volatility folder
root@boom-boom:~# cp /media/your_external_drive/Kali.1.0.9.zip /usr/local/src/volatility/volatility/plugins/overlays/linux
9) Ensure Volatility sees the profile
root@boom-boom:~# vol.py --info | grep Linux
10) We are now ready to run Volatality. To do so, you can use the below syntax as an example. For help on available options and what they do, run ‘vol.py –help’
root@boom-boom:~# python vol.py -f --profile= plugin_name