Volatility 2 in Docker
Until recently, my workstation ran Ubuntu 16.04! A side effect of running such an old version of Ubuntu is the software repositories has outdated versions of tools that one might use when preforming cyber security related tasks. This is something which I struggled with on quite a number of occasions. I had intended to upgrade at various points over the years, but I really liked using the Unity desktop and, well, just could never find the time to fix something which was working for me.
A few might be saying “Tom, you could just run everything in a VM”, and you’d be right, I could. But, I didn’t want to. That for me was too much faff having to install and maintain a VM (Virtual Machine) for just a few command line tools. For me, there was a much easier solution, and that comes from my days as a sys admin; Docker.
The easiest way for me to show you how Docker helps me with this problem, even now with current release of OpenSUSE, I’ll walk you through a recent problem I had which I solved with the magic of Docker.
CyberDefenders is a great platform which hosts past CTF challenges. I use it alongside other platforms to hone my skills in not only DFIR (Digital Forensics and Incident Response), but also other blue team subjects such as malware analysis and threat hunting. One lab in particular was causing me problems; DeepDive.
In this lab a player is expected to analyse a memory sample of a compromised machine to work out it became infected. In order to do this, I would use a very common forensic tool for analysing memory samples; Volatility.
The first question in this lab asks the player to provide the volatility profile as the answer. For the uninitiated, these profiles tell volatility where data structures are allocated within the memory; data structures such as Windows registry hives, or Linux process lists. As Windows updates it’s OS for security or bug fix reasons, the location of these data structures also changes with each new version. So, to answer this question I would specifically need version 2 of volatility as version 3 has done away with the need to include the profile with the command.
The other thing to point out that volatility is a Python application, and version 2 requires Python 2.7! Which unfortunately isn’t too easy to install on my system, mostly because it’s not actively developed any more. But lucky for me, there’s a standalone binary I can use, so I don’t have to go down a rabbit hole of hell to get it working.
It should have been as simple as downloading the binary, running the simple command of
./vol2 -f banking-malware.vmem imageinfo and entering the profile returned to get the correct answer, right?
The image above shows the output of this command and the suggested profiles, however none of these are correct. And this is where some frustration started to surface.
The logical solution most people would go down is to create a Python virtual environment, install all the dependencies, and then run volatility against the memory sample. However, like I mentioned in the Introduction, there are no packages for Python 2.7 available for the Linux distribution I am currently using.
This is where Docker comes in handy; it allows me to create sandboxed environments where I can run the tools I need. Luckily for me, there is a Docker image for Python 2.7 on the official Python Docker Hub page which I can use for the base of my image.
Building the Docker Image
Using a Dockerfile, I am able to specify the Python dependencies to install into the image, along with the code for volatility.
The image was built using the command
docker build . -t vol2. Once the command successfully finishes, I have a Docker image with everything (minus) the memory sample that I need to run volatility.
Taking it for a Spin
Now that the image has been built, I need to test it to make sure it works, and what better than the sample which was giving me trouble.
Running the command
docker run -it --rm -v "$(pwd)":/images vol2:latest bash will spin up a new Docker container which will pass (mount) my current working directory.
Here you can see that I am now inside of the container, with volatility 2 installed, along with the memory sample ready to analyse by this time running the command
python vol.py -f /images/banking-malware.vmem imageinfo.
As you can see, the number of returned profiles is greater this time than my attempt with the standalone binary (and also contains the correct answer). Which can only mean that not all of the profiles included in the raw code are included with the binary.
Docker can be a great tool. And in this instance, it saves me time from having to deal with the headaches of installing Python 2.7 and any dependencies on to my local system. The other added benefit to using this approach is that I can upload these images to be shared for others to also use.
If you want to play with this yourself, I have made the code available on my Gitlab repo, which can be found here: https://gitlab.com/scyber-security/scyber-docker/-/tree/main/vol2
I use Docker quite a bit for this, so will add more to the repository as and when I can.
Cyber Security Digital Forensics Blue Team
Cyber Security Digital Forensics