Building a profile for Volatility

After capturing Linux memory using LiME (or your tool of choice), you can analyze it using Volatility. To do so, you need to build a profile for Volatility to use. The profile is tied to the kernel version of the system from which the memory was captured. The maintainers of the Volatility Project keep a repo of pre-built profiles at https://github.com/volatilityfoundation/profiles/tree/master/Linux, and Carnegie Mellon University also provides pre-built profiles at https://forensics.cert.org.
To build a profile, follow the instructions below. For this demo, I am building the profile on a Kali 1.0.9 (Debian) system and doing the analysis on an Ubuntu system.

1) Install dwarfdump. On RedHat (Fedora)-based systems, this can be done by typing ‘yum install dwarfdump’

2) Download the necessary source code to compile the module.dwarf file

3) Change directory into the newly created vol-mem-profile directory

4) Compile the source code, which will create the module.dwarf file

5) Ensure that the module.dwarf file has been created

6) Create the profile by placing the module.dwarf and System.map files into a zip file.

7) Copy the Kali.1.0.9.zip file to an external drive and plug it into the system that you will do the analysis on

8) Verify that the external drive is mounted

9) Copy the Kali.1.0.9.zip file to the Linux folder nested in the Volatility folder

10) Ensure Volatility sees the profile

11) We are now ready to run Volatility. To do so, you can use the syntax below as an example. For help on available options and what they do, run ‘vol.py --help’
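The whole procedure above, scripted for a Debian-based capture host and a Volatility 2 checkout, as an added example that is not part of the original post. It assumes the checkout lives at `$VOL_SRC` (default `~/volatility`), that kernel headers for the running kernel are installable, and that the zip is named as in the post; the two helper functions encode the two things Volatility actually cares about when it loads a profile zip (the member names it looks for, and the profile name it derives from the zip's filename).

```shell
#!/bin/sh
# Assumed locations (not from the original post): a Volatility 2 checkout
# and the zip name the post uses. Override via the environment if needed.
VOL_SRC="${VOL_SRC:-$HOME/volatility}"
ZIP_NAME="${ZIP_NAME:-Kali.1.0.9.zip}"

# Volatility builds the profile class name from the zip's basename:
# "Linux" + basename with '.' replaced by '_' + arch suffix (x86 or x64),
# so Kali.1.0.9.zip on a 64-bit kernel is listed as LinuxKali_1_0_9x64.
profile_name_from_zip() {
    base=$(basename "$1" .zip | sed 's/\./_/g')
    printf 'Linux%s%s\n' "$base" "$2"
}

# The loader only picks up a member ending in ".dwarf" and a member whose
# name contains "system.map" (case-insensitive); a zip missing either one
# is silently ignored, which is the usual reason a profile "does not show up".
# Returns 0 when both required members are present in the given name list.
profile_members_ok() {
    have_dwarf=0; have_map=0
    for m in "$@"; do
        case "$m" in *.dwarf) have_dwarf=1 ;; esac
        case "$(printf '%s' "$m" | tr 'A-Z' 'a-z')" in *system.map*) have_map=1 ;; esac
    done
    [ "$have_dwarf" -eq 1 ] && [ "$have_map" -eq 1 ]
}

# Capture host: install dwarfdump and headers, build module.dwarf against the
# running kernel, then zip it (paths junked) with the matching System.map.
build_profile() {
    sudo apt-get install -y dwarfdump "linux-headers-$(uname -r)"
    make -C "$VOL_SRC/tools/linux"
    [ -f "$VOL_SRC/tools/linux/module.dwarf" ] || return 1
    zip -j "$ZIP_NAME" "$VOL_SRC/tools/linux/module.dwarf" "/boot/System.map-$(uname -r)"
    profile_members_ok $(unzip -Z1 "$ZIP_NAME")   # sanity check before copying it off
}

# Analysis host: drop the zip into the Linux overlays folder and confirm that
# vol.py --info lists it under the expected name (ARCH assumed x64 here).
install_profile() {
    cp "$ZIP_NAME" "$VOL_SRC/volatility/plugins/overlays/linux/"
    python "$VOL_SRC/vol.py" --info | grep "$(profile_name_from_zip "$ZIP_NAME" "${ARCH:-x64}")"
}

case "${1:-}" in
    build)   build_profile ;;
    install) install_profile ;;
esac
```

Run as `sh build_profile.sh build` on the capture host and `sh build_profile.sh install` on the analysis host; the profile name the grep prints is the value to pass as `--profile=` when running `vol.py`.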