Efficient Linux Memory Forensics with Volatility 3 (2025 Edition)

Introduction

This article is written based on Volatility 3 version 2.11.0 to ensure compatibility and accuracy with the latest features.

Memory forensics is a crucial part of incident response, enabling security professionals to analyze system activity, detect malware, and investigate security breaches. One of the most powerful tools for memory analysis is Volatility 3. However, analyzing Linux memory dumps with Volatility 3 typically requires a custom profile if the analysis is performed on a system with a different kernel version than the one where the dump was captured, making the process challenging. In this article, I’ll demonstrate a streamlined workflow for setting up Volatility 3 efficiently, avoiding the need to manually create a custom profile, and leveraging a remote profile repository for kernel symbols.

Incident Overview

Recently, I investigated a security incident involving an attack on a university network, specifically targeting a web server. The attacker successfully exploited a vulnerability, gaining access to one of the servers. Privileges were escalated to root, allowing the attacker to deploy a rootkit and a botnet client. Following this, the attacker deleted logs and closed the session, covering their tracks. This case highlights the importance of memory forensics in identifying malicious activity when traditional log files are unavailable.

Capturing a Memory Dump with AVML

For a quick and efficient way to capture memory from a Linux system, AVML (Acquire Volatile Memory for Linux) is an excellent tool. It is lightweight, fast, and does not require installation. Here’s how you can use it:

Steps to Capture a Memory Dump:

1. Download AVML

2. Acquire Memory Dump

./avml memory_dump.lime

This command will create a raw memory dump file (memory_dump.lime) that we can later analyze with Volatility 3.

Setting Up  Volatility 3

Volatility 3 is a modular and more flexible version of its predecessor. It supports Linux memory analysis but requires kernel symbols (profiles) to function correctly.

Handling Isolated Systems

In many cases, the compromised system might be isolated from the network, preventing access to online repositories and making the installation of Volatility 3 or its dependencies very difficult or impossible. For example, I had an isolated virtual machine running Debian 9, where I could only upload AVML but not install Python 3 or Volatility 3. Instead of building the profile on the compromised system, I performed the analysis  on a separate Kali Linux machine.

This is crucial because building a Volatility overlay profile for an isolated or outdated system involves significant overhead. Fortunately, we can bypass this requirement using a remote repository of prebuilt profiles.

Installing Volatility 3

For the latest installation instructions and updates, refer to the official Volatility 3 repository: Volatility 3 GitHub.

To conduct memory forensics using Volatility 3, we first need to install it on a system that has access to required dependencies. Since our compromised system is isolated, we will perform the analysis on a separate machine, such as Kali Linux.

Steps to Install Volatility 3

1. Clone the Volatility 3 repository

git clone https://github.com/volatilityfoundation/volatility3.git cd volatility3 

2. Verify installation

python3 vol.py -h | grep linux

This will not only check if Volatility 3 is correctly installed but also provide a list of available Linux plugins.

Once installed, we can proceed to setting up kernel profiles and conducting analysis.

Identifying Kernel Information

In many cases, you may have a memory dump but lack information about the system it came from, such as the OS version, build information, or kernel version. To assist with finding the appropriate symbol table, we can use the banners plugin in Volatility 3.

Using the banners Plugin

To extract potential kernel version details from the memory dump, run:

python3 vol.py -f memory_dump.lime banners

This will help identify the correct kernel version, which is crucial for selecting the right profile for analysis.

Symbols File Automatic Download in Volatility 3

One of the major hurdles in Linux memory analysis with Volatility 3 is obtaining the correct kernel symbols for analysis. Usually, this requires manually compiling or extracting kernel symbols, which is tedious and time-consuming. Fortunately, I found a remote repository on GitHub that provides prebuilt kernel symbols. To configure Volatility 3 to use this repository, open the file

vim volatility3/framework/constants/__init__.py

Set the following constant:

REMOTE_ISF_URL = "https://raw.githubusercontent.com/leludo84/vol3-linux-profiles/main/banners-isf.json"

Alternatively, you can automate this process using sed. Make sure you are in the root directory of the Volatility 3 repository before executing the following command, otherwise, the path to __init__.py will not be correct:

sed -i "s|REMOTE_ISF_URL = None  # 'http://localhost:8000/banners.json'|REMOTE_ISF_URL = \"https://raw.githubusercontent.com/leludo84/vol3-linux-profiles/main/banners-isf.json\"|" volatility3/framework/constants/__init__.py

Running Volatility 3 Plugins

Once the correct kernel symbols are available, we can start analyzing the memory dump.

Checking Available Plugins

To retrieve a list of available Linux-specific plugins, run:

python3 vol.py -h | grep linux

This will display the most relevant plugins, including:

banners.Banners     Attempts to identify potential Linux banners in memory.
linux.bash.Bash     Recovers bash command history.
linux.boottime.Boottime  Retrieves system boot time.
linux.capabilities.Capabilities  Lists process capabilities.
linux.check_afinfo.Check_afinfo  Checks network address family information.
linux.check_creds.Check_creds  Identifies credential discrepancies.
linux.check_idt.Check_idt  Examines the interrupt descriptor table.
linux.check_modules.Check_modules  Lists kernel modules.
linux.check_syscall.Check_syscall  Checks syscall table integrity.
linux.ebpf.EBPF  Enumerates eBPF programs.
linux.elfs.Elfs  Lists ELF binaries mapped in memory.
linux.envars.Envars  Displays process environment variables.
linux.graphics.fbdev.Fbdev  Retrieves framebuffer device information.
linux.hidden_modules.Hidden_modules  Detects hidden kernel modules.
linux.iomem.IOMem  Retrieves memory map similar to /proc/iomem.
linux.kallsyms.Kallsyms  Extracts kernel symbol addresses.
linux.keyboard_notifiers.Keyboard_notifiers  Lists keyboard notifiers.
linux.kmsg.Kmsg  Reads the kernel log buffer.
linux.kthreads.Kthreads  Lists kernel threads.
linux.library_list.LibraryList  Enumerates shared libraries.
linux.lsmod.Lsmod  Lists loaded kernel modules.
linux.lsof.Lsof  Lists open files per process.
linux.malfind.Malfind  Scans for suspicious memory regions.
linux.modxview.Modxview  Detects kernel rootkits by module discrepancies.
linux.mountinfo.MountInfo  Retrieves mounted file system details.
linux.netfilter.Netfilter  Inspects netfilter hooks.
linux.pagecache.Files  Examines file-backed memory pages.
linux.pagecache.InodePages  Lists inode-associated memory pages.
linux.pidhashtable.PIDHashTable  Scans for hidden processes.
linux.proc.Maps  Displays memory maps of all processes.
linux.psaux.PsAux  Lists processes with command-line arguments.
linux.pscallstack.PsCallStack  Extracts kernel stack traces for processes.
linux.pslist.PsList  Lists active processes.
linux.psscan.PsScan  Scans for residual process structures.
linux.pstree.PsTree  Displays process hierarchy.
linux.ptrace.Ptrace  Lists processes with ptrace attachments.
linux.sockstat.Sockstat  Retrieves socket statistics.
linux.tty_check.tty_check  Checks for attached terminals.
linux.vmaregexscan.VmaRegExScan  Scans memory using regular expressions.
linux.vmayarascan.VmaYaraScan  Scans memory using YARA signatures.
linux.vmcoreinfo.VMCoreInfo  Extracts crash dump metadata.

Running a Specific Plugin

For example, to inspect netfilter hooks, run:

python3 vol.py -f memory_dump.lime linux.netfilter.Netfilter

Running Basic Analysis

• Process Listing python3 vol.py -f memory_dump.lime linux.pslist.PsList
• Finding Hidden Processes python3 vol.py -f memory_dump.lime linux.pstree.PsTree
• Extracting Bash History python3 vol.py -f memory_dump.lime linux.bash.Bash
• Dumping Malicious Processes python3 vol.py -f memory_dump.lime linux.proc.Maps

Conclusion

With this streamlined approach, analyzing Linux memory dumps with Volatility 3 becomes significantly faster and more efficient. By leveraging AVML for quick memory capture and using a remote kernel symbol repository, we eliminate the time-consuming process of manually compiling profiles. This method not only saves time but also makes Linux memory forensics more accessible for security analysts and incident responders.