This page contains links to my projects and some notes. I strive to keep project documentation in the accompanying README files of the projects.
- aiki.go source and honeypot analysis
- vimrc file and list of installed bundles
- Equation Group / Shadow Brokers analysis
LiME on a DigitalOcean droplet
I was curious about LiME after I saw it mentioned a while back. I tried it on a DigitalOcean droplet and it seems to work. For obvious reasons, IRL you might want to do the building on another system.
On the system I wanted to get a dump from I needed to do a couple of things first. As my testing droplet was running Ubuntu 16.04.2 LTS with kernel 4.4.0-72-generic (x86_64), I created a custom Volatility profile for that kernel according to the manual. Then I built the LiME kernel module to be loaded.
To get the profile:
    git clone https://github.com/volatilityfoundation/volatility.git
    apt install dwarfdump zip
    cd volatility/tools/linux
    make
    head module.dwarf
    zip Ubuntu16042`uname -r`.zip ~/volatility/tools/linux/module.dwarf \
        /boot/System.map-4.4.0-72-generic

To get the memdump:
    git clone https://github.com/504ensicsLabs/LiME.git
    cd LiME/src/
    make
    insmod ./lime-4.4.0-72-generic.ko "path=tcp:4444 format=lime"
Funnily enough, you actually need to do a

    rmmod lime-4.4.0-72-generic

if you want to redo the dump.
On the system I analysed the memdump on:
    nc 188.nnn.nn.nnn 4444 > memdump.lime
    sudo cp Ubuntu160424.4.0-72-generic.zip \
        /usr/local/lib/python2.7/dist-packages/volatility-2.6-py2.7.egg/volatility/plugins/overlays/linux/
    vol.py --profile=LinuxUbuntu160424_4_0-72-genericx64 -f memdump.lime linux_pslist
    Volatility Foundation Volatility Framework 2.6
    Offset             Name     [...] DTB                Start Time
    ------------------ --------       ------------------ ----------
    0xffff88001e230000 systemd  [...] 0x000000001cc58000 2017-04-21 15:47:29 UTC+0000
    [...]
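Before handing memdump.lime to vol.py it is worth checking that the nc transfer actually delivered a complete dump. The following is an added example (not from the page, LiME or Volatility) that walks the format=lime range headers (32 bytes each: u32 magic, u32 version, u64 inclusive start and end address, 8 reserved bytes) and reports a dump that was cut short; the sample dump it parses is constructed inline.

```python
import struct

# LiME range header as laid out in lime.h: u32 magic, u32 version,
# u64 start, u64 end (inclusive), 8 reserved bytes; all little-endian.
LIME_HEADER = struct.Struct("<IIQQ8s")
LIME_MAGIC = 0x4C694D45   # appears in the file as the bytes b"EMiL"
LIME_VERSION = 1


def parse_lime(data):
    """Walk every (header, range) pair in a format=lime dump.

    Returns a list of (start, end, size) tuples. Raises ValueError if a
    header is malformed or a range is shorter than its header claims,
    which is what an interrupted network transfer looks like.
    """
    ranges = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < LIME_HEADER.size:
            raise ValueError("truncated header at offset %#x" % offset)
        magic, version, start, end, _ = LIME_HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError("bad header at offset %#x" % offset)
        if end < start:
            raise ValueError("inverted range at offset %#x" % offset)
        size = end - start + 1            # e_addr is inclusive
        offset += LIME_HEADER.size
        if len(data) - offset < size:
            raise ValueError("range %#x-%#x cut short: want %d bytes, have %d"
                             % (start, end, size, len(data) - offset))
        ranges.append((start, end, size))
        offset += size
    return ranges


def dump_is_complete(data):
    """True if every range in the dump is present in full."""
    try:
        parse_lime(data)
        return True
    except ValueError:
        return False


def make_lime_dump(ranges):
    """Build a constructed dump from (start_address, payload_bytes) pairs."""
    out = b""
    for start, payload in ranges:
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start,
                                start + len(payload) - 1, b"\0" * 8)
        out += payload
    return out


# Constructed sample: two tiny ranges standing in for the real System RAM regions.
SAMPLE = make_lime_dump([(0x1000, b"A" * 16), (0x100000, b"B" * 32)])
```

On a real dump, `parse_lime(open("memdump.lime", "rb").read())` lists the captured physical ranges, and a ValueError means the capture should be redone rather than analysed.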