Chapter 20 Linux Operating System

The Linux support in Volatility was first officially included with the 2.2 release (October 2012). Unless otherwise specified, Volatility’s Linux plugins support kernel versions 2.6.11 through 3.14. Supporting deep analysis across such a wide range of kernels depends on a thorough understanding of the design decisions made by the Linux kernel developers and the technologies they use throughout the operating system. In this chapter, you learn about the Executable and Linking Format (ELF) file and how to locate specific sections in memory for analysis. You’ll also examine the global offset table (GOT), which adversaries can overwrite to redirect library calls and alter program behavior. Finally, we describe an interesting aspect of Linux virtual address translation and a new technology that compresses swapped pages instead of writing them to disk.

ELF Files

ELF is the main executable file format used on Linux systems. User applications, shared libraries, kernel modules, and the kernel itself are all stored in the ELF format. To fully understand how you can perform memory forensics and malware analysis of Linux systems, you must first become familiar with the ELF format. To explore the ELF format, we will discuss its data structures and on-disk layout with the help of the readelf command. readelf is distributed with binutils and is present on most full Linux installations; on minimal or container images you may need to install the binutils package first. Complete documentation of the ELF format can be found at http://www.skyfree.org/linux/references/ELF_Format.pdf ...
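The layout readelf prints is easy to reconstruct by hand, which is also what a memory-forensics tool has to do when it carves an ELF image out of a captured address space. The following is an added example, written for this edit and not code from the book or from Volatility: it parses the Elf64_Ehdr and Elf64_Shdr structures of a little-endian ELF64 image with the Python struct module, resolves section names through .shstrtab, and returns the bytes backing a named section (the same information as readelf -S). Because every offset comes from an untrusted file, each one is bounds-checked before use. The sample image is hand-assembled in build_sample_elf() as constructed test data; the section names, addresses and the three-byte .text stub are assumptions chosen for the example, not a real binary.

```python
"""Minimal Elf64 section-header parser (little-endian ELF64 only).

Added example, not the book's or Volatility's code. Mirrors what
`readelf -S` reports so the on-disk layout is concrete.
"""
import struct
from collections import namedtuple

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8

# Field layouts straight from the ELF specification.
EHDR_FMT = "<HHIQQQIHHHHHH"              # Elf64_Ehdr after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"                 # Elf64_Shdr
EHDR_SIZE = 16 + struct.calcsize(EHDR_FMT)   # 64 bytes
SHDR_SIZE = struct.calcsize(SHDR_FMT)        # 64 bytes

Section = namedtuple("Section", "index name type flags addr offset size")


def parse_sections(data):
    """Return a list of Section tuples, or raise ValueError on a malformed image.

    Every offset is taken from the (untrusted) file, so each is checked before
    use: a crafted header that points past the end of the image is the classic
    way to crash a naive parser.
    """
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled here")
    (_type, _machine, _ver, _entry, _phoff, e_shoff, _flags, _ehsize, _phentsize,
     _phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    if e_shnum == 0:
        return []                        # e.g. a core dump: no section headers at all
    if e_shentsize != SHDR_SIZE:
        raise ValueError("unexpected e_shentsize %d" % e_shentsize)
    if e_shoff + e_shnum * SHDR_SIZE > len(data):
        raise ValueError("section header table runs past end of image")
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")

    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * SHDR_SIZE)
           for i in range(e_shnum)]

    # Section names are indexes into the .shstrtab section; locate it first.
    _, str_type, _, _, str_off, str_size, *_ = raw[e_shstrndx]
    if str_type != SHT_STRTAB or str_off + str_size > len(data):
        raise ValueError("bad .shstrtab header")
    strtab = data[str_off:str_off + str_size]

    sections = []
    for i, (sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_) in enumerate(raw):
        if sh_name >= len(strtab):
            raise ValueError("sh_name %d out of range" % sh_name)
        end = strtab.find(b"\x00", sh_name)
        if end < 0:
            raise ValueError("unterminated section name")
        name = strtab[sh_name:end].decode("ascii", "replace")
        sections.append(Section(i, name, sh_type, sh_flags, sh_addr, sh_offset, sh_size))
    return sections


def section_bytes(data, name):
    """Return the file bytes backing the named section (b'' for SHT_NOBITS such as .bss)."""
    for s in parse_sections(data):
        if s.name == name:
            if s.type == SHT_NOBITS:
                return b""
            if s.offset + s.size > len(data):
                raise ValueError("section %s runs past end of image" % name)
            return data[s.offset:s.offset + s.size]
    raise KeyError(name)


def build_sample_elf():
    """Hand-assemble a tiny x86-64 ELF image (constructed test data, not a loadable program):
    a 3-byte .text, a .shstrtab, and three section headers. Offsets are assumptions."""
    text = b"\x31\xc0\xc3"                       # xor eax,eax ; ret
    strtab = b"\x00.text\x00.shstrtab\x00"        # name indexes: .text=1, .shstrtab=7
    text_off, strtab_off, shoff = 64, 72, 96

    def shdr(name, typ, flags, addr, off, size):
        return struct.pack(SHDR_FMT, name, typ, flags, addr, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, SHT_NULL, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, 0x6, 0x401000, text_off, len(text))   # SHF_ALLOC|SHF_EXECINSTR
             + shdr(7, SHT_STRTAB, 0, 0, strtab_off, len(strtab)))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 0x3e, 1, 0x401000, 0, shoff, 0,
                                 EHDR_SIZE, 0, 0, SHDR_SIZE, 3, 2)
    return (ehdr + text.ljust(strtab_off - text_off, b"\x00")
            + strtab.ljust(shoff - strtab_off, b"\x00") + shdrs)


if __name__ == "__main__":
    image = build_sample_elf()
    for s in parse_sections(image):          # readelf -S style listing
        print("[%2d] %-10s type=%d addr=0x%x off=0x%x size=0x%x"
              % (s.index, s.name, s.type, s.addr, s.offset, s.size))
    print(".text bytes:", section_bytes(image, ".text").hex())
```

When you run this against a real binary, read the file in binary mode and hand the bytes to parse_sections(); the checks that raise ValueError are the ones that matter on carved or partially overwritten images, where the section header table is often the first thing that is missing.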
