Linux.Memory.Acquisition :: Velociraptor

Linux.Memory.Acquisition

Acquires a full memory image. We download LiME and use it to acquire a full memory image.

NOTE: This artifact usually transfers a lot of data. You should increase the default timeout to allow it to complete. ( Example : 2Gb of memory time takes about 50s )


name: Linux.Memory.Acquisition
author: URCA (Corentin Garcia / Emmanuel Mesnard)
description: |
  Acquires a full memory image. We download LiME and use it to acquire
  a full memory image.

  NOTE: This artifact usually transfers a lot of data. You should
  increase the default timeout to allow it to complete.  ( Example :
  2Gb of memory time takes about 50s )


required_permissions:
  - EXECVE

tools:
  - name: LiME
    url: https://github.com/504ensicsLabs/LiME/archive/refs/heads/master.zip
  - name: Volatility
    url: https://github.com/volatilityfoundation/volatility/archive/master.zip

parameters:
    - name: StartVolatility
      type: bool
      default: Y
    - name: Zipname
      type: string
      description: Name of the zip containing the Volatility profile
      default: Ubuntu
    - name: Dumpname
      type: string
      description: Name of the memory dump
      default: dump

precondition: SELECT OS From info() where OS = 'linux'

sources:
  - queries:
    - LET Volatility = SELECT * FROM Artifact.Exchange.Linux.Volatility.Create.Profile(Zipname=Zipname)

      LET Lime = SELECT FullPath, Stdout, Stderr, if(condition=Complete, then=upload(file="/tmp/" + Dumpname + ".raw", name=Dumpname + ".raw")) As Upload FROM execve(argv=['bash', '-c', 'mv /tmp/master.zip /tmp/lime-master.zip ; unzip -o /tmp/lime-master.zip -d /tmp/ ; cd /tmp/LiME-master/src/ ; apt-get -y install build-essential linux-headers-$(uname -r) ; make ; insmod /tmp/LiME-master/src/lime-*.ko "path=/tmp/"' + Dumpname + '".raw format=lime"'])

      LET dirtmp = tempdir(remove_last=true)

      SELECT * FROM foreach(
          row={
            SELECT FullPath FROM Artifact.Generic.Utils.FetchBinary(ToolName="LiME")
          },
          query={
            SELECT * FROM chain(
            a={SELECT * FROM Lime},
            b={SELECT * FROM execve(argv=['bash', '-c', 'mv /tmp/LiME-master /tmp/lime-master.zip /tmp/' + Dumpname + '.raw ' + dirtmp])},
            c={SELECT * FROM if(
                condition=StartVolatility,
                then=Volatility,
                else=scope()
            )}
            )
          })