
Using pyDFIRRam for Linux or macOS

Introduction

pyDFIRRam is a tool under development that drives Volatility plugins for memory forensics on Linux and macOS systems.

Initial Setup

  1. Installation:
     • Ensure Python 3.10 (or a compatible version) is installed.
     • Install pyDFIRRam using Poetry or manually, for example:

         pip install pydfirram

  2. Setting up a profile:

     There is currently no way to add a profile through the Python interface. If you have a profile, place it in the Volatility symbols directory:
     • For Linux/macOS:
       $HOME/.local/lib/python3.10/site-packages/volatility3/symbols/
     • For Poetry virtual environments:
       $HOME/.cache/pypoetry/virtualenvs/pydfirram-qv9SWnlF-py3.10/lib/python3.10/site-packages/volatility3/symbols/

Using pyDFIRRam

  1. Creating an object:

     Import the necessary modules and create an object for your memory dump:

       from pydfirram.core.base import Generic, OperatingSystem
       from pathlib import Path

       target_os = OperatingSystem.LINUX  # Set to OperatingSystem.MACOS for macOS
       dumpfile = Path("dump.raw")        # Replace with your actual memory dump path
       generic = Generic(target_os, dumpfile)

  2. Listing and inspecting plugins:
     • Qualified names and metadata (cached per Volatility version and OS):

         generic.list_plugins()                    # or list_plugins(os_filter=OperatingSystem.LINUX)
         generic.has_plugin("linux.pslist")
         generic.plugin_info("pslist")

     • Legacy list of PluginEntry objects:

         generic.get_all_plugins()

     • See Plugins (SDK API) for cache details and migration.

  3. Running plugins:
     • Use run_plugin with the qualified Volatility name for your OS; it returns a Renderer:

         generic.run_plugin("linux.pslist", pid=[4]).to_list()

     • Refer to the Volatility plugin documentation for parameter names and types.

  4. Legacy behaviour:
     • Attribute-style access (generic.pslist(...)) still works but emits a DeprecationWarning. Prefer run_plugin("linux.pslist", ...) (or the correct qualified name for your image).
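An added end-to-end example, not taken from pyDFIRRam's own documentation: it creates the object, confirms the qualified plugin exists with has_plugin, runs it with run_plugin, and turns the rows from to_list() into a process tree plus the PIDs whose parent is missing from the listing. It assumes to_list() yields one dict per row keyed by the Volatility column names PID, PPID and COMM (check plugin_info on your image); the sample rows are constructed.

```python
from pathlib import Path


def collect_processes(dump: Path, linux: bool = True, plugin: str = "linux.pslist") -> list[dict]:
    """Create the Generic object, check the plugin exists, run it (local import keeps helpers dump-free)."""
    from pydfirram.core.base import Generic, OperatingSystem
    target_os = OperatingSystem.LINUX if linux else OperatingSystem.MACOS
    generic = Generic(target_os, dump)
    if not generic.has_plugin(plugin):  # the qualified name differs per OS/image
        raise RuntimeError(f"{plugin} not available; see generic.list_plugins()")
    return generic.run_plugin(plugin).to_list()  # assumed: list of dicts keyed by column name


def process_tree(rows: list[dict]) -> dict[int, list[int]]:
    """Map each PPID to the PIDs it spawned (PPID 0 is the kernel)."""
    tree: dict[int, list[int]] = {}
    for row in rows:
        tree.setdefault(int(row["PPID"]), []).append(int(row["PID"]))
    return tree


def orphans(rows: list[dict]) -> list[int]:
    """PIDs whose parent is absent from the listing: the parent exited or is hidden; worth a second look."""
    pids = {int(r["PID"]) for r in rows}
    return sorted(int(r["PID"]) for r in rows
                  if int(r["PPID"]) not in pids and int(r["PPID"]) != 0)


def render(rows: list[dict], tree: dict[int, list[int]], ppid: int = 0, depth: int = 0) -> list[str]:
    """Indented 'PID COMM' lines, depth-first from the given parent."""
    comm = {int(r["PID"]): r["COMM"] for r in rows}
    lines: list[str] = []
    for pid in sorted(tree.get(ppid, [])):
        lines.append("  " * depth + f"{pid} {comm[pid]}")
        lines.extend(render(rows, tree, pid, depth + 1))
    return lines


# Constructed sample rows standing in for Renderer.to_list() output
SAMPLE = [
    {"PID": 1, "PPID": 0, "COMM": "systemd"},
    {"PID": 2, "PPID": 0, "COMM": "kthreadd"},
    {"PID": 700, "PPID": 1, "COMM": "sshd"},
    {"PID": 812, "PPID": 700, "COMM": "bash"},
    {"PID": 950, "PPID": 640, "COMM": "nc"},  # parent 640 is not in the listing
]

if __name__ == "__main__":
    import sys
    rows = collect_processes(Path(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(render(rows, process_tree(rows))))
    print("parent missing from listing:", orphans(rows))
```

Run it with the path to a dump to use the real plugin output, or without arguments to exercise the constructed rows.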

Notes

  • Ensure your memory dump file (dump.raw in the example) is correctly specified.
  • Adjust paths and settings based on your specific environment and Python setup.