I needed to analyze a memory dump with Volatility 2/3. These are the steps I followed to build a Linux profile based on Red Hat Enterprise Linux (RHEL) 5.11 x64 (kernel version 2.6.18-398). At the time of writing, the Volatility repository doesn't have a profile for this OS (1).
I installed RHEL 5.11 x64 on VMware Workstation v14 using the default settings during setup (always press Next). I applied no updates once the OS was installed. I then installed VMware Tools for convenience, so that I could copy and paste between the host OS and this VM.
From the mounted ISO, I installed these packages that would be needed later (2):
[Image: .vmem and .vmss]
- went to ~/volatility3/volatility3/symbols
- created a subdirectory named linux
- copied the .json.xz archive created with dwarf2json into that directory
[Image: strings and Linux banner]
[Image: python3 vol.py -f ~/Desktop/vmss.core linux.pstree.PsTree]
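Before running a plugin it is worth confirming that the banner stored in the dwarf2json ISF file matches a "Linux version ..." string in the converted dump, since a mismatch is the usual reason Volatility 3 reports no valid layer. The script below is an added example, not code from the original post or from the Volatility project; it assumes the ISF keeps the banner base64-encoded under symbols["linux_banner"]["constant_data"] (as dwarf2json writes it), and the banner text, builder and paths it uses are constructed placeholders.

```python
import base64
import json
import lzma
import mmap
import re
import tempfile
from pathlib import Path

# Every kernel banner starts with "Linux version "; Volatility 3 matches the whole string.
BANNER_RE = re.compile(rb"Linux version [^\x00\n]{1,300}")

def isf_banner(isf_path):
    """Return the kernel banner embedded in a dwarf2json ISF file (.json.xz)."""
    with lzma.open(isf_path, "rt", encoding="utf-8") as fh:
        isf = json.load(fh)
    raw = base64.b64decode(isf["symbols"]["linux_banner"]["constant_data"])
    return raw.rstrip(b"\x00\n")  # drop the terminating newline/NUL before comparing

def image_banners(image_path):
    """Collect the distinct 'Linux version ...' strings found in a raw memory image."""
    with open(image_path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return {m.group(0) for m in BANNER_RE.finditer(mm)}

def profile_matches(isf_path, image_path):
    """True when the ISF banner appears verbatim in the image, i.e. the profile fits the dump."""
    return isf_banner(isf_path) in image_banners(image_path)

def build_samples(banner):
    """Constructed fixture: a minimal ISF and a fake image that both carry 'banner'."""
    tmp = Path(tempfile.mkdtemp())
    encoded = base64.b64encode(banner + b"\n\x00").decode()
    isf = {"symbols": {"linux_banner": {"address": 0, "constant_data": encoded}}}
    isf_path = tmp / "sample.json.xz"
    with lzma.open(isf_path, "wt", encoding="utf-8") as fh:
        json.dump(isf, fh)
    image_path = tmp / "sample.core"
    image_path.write_bytes(b"\x00" * 4096 + banner + b"\n\x00" + b"\xff" * 4096)
    return isf_path, image_path

# Constructed banner for the 2.6.18-398 kernel; a real one also carries the build date.
SAMPLE_BANNER = b"Linux version 2.6.18-398.el5 (builder@placeholder) (gcc version 4.1.2) #1 SMP"

if __name__ == "__main__":
    isf, img = build_samples(SAMPLE_BANNER)
    print("match" if profile_matches(isf, img) else "mismatch", image_banners(img))
```

With a real dump, call profile_matches("~/volatility3/volatility3/symbols/linux/<your>.json.xz", "~/Desktop/vmss.core") with the paths expanded; a False result means the symbol file was built from a different kernel than the one in the dump.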
- Linux plugin issues: https://github.com/volatilityfoundation/volatility3/issues/231
- Compilation error in module.c against the CentOS 5.11 kernel 2.6.18-398.el5: https://github.com/volatilityfoundation/volatility/issues/111
- Failure to create a Linux profile: https://github.com/volatilityfoundation/volatility/issues/373
- Converting a snapshot file to a memory dump using the vmss2core tool: https://kb.vmware.com/s/article/2003941