Volatility3 Linux ISF Server

This site contains 1327 pre-generated symbol packs for a range of Linux kernels on Ubuntu, Debian and other distros. You can search for the full banner as shown by the Volatility3 banners.Banners plugin, or search for the kernel version as reported by uname -r. If the pack exists, you will be provided with a download link to the ISF table file as a json.xz file. These links are only valid for 1 hour, after which you will have to search again.



Volatility3 moved away from profiles and instead uses symbol tables. For Linux, these tables are generated by parsing a matching debug kernel, extracting all the symbol structures and creating an Intermediate Symbol Format (ISF) file that can be processed by Volatility3. These are NOT compatible with Volatility2 profiles.

This site allows you to download the ISF symbol table for any kernels it knows about. The first step is to identify which bundle you need. You can do this in one of two ways. Run Volatility3 against the target image and get a banner string, e.g. vol -f /path/to/myimage.raw linux.banners.Banners, then copy each of the outputs and try the search above with the Banner option.
Alternatively, if you have access to the host, you can run uname -r and search for that using the Kernel option of the search.
If there is a matching download, grab it and place it in the symbols/linux path of your Volatility3 installation.
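Before copying a downloaded table into symbols/linux, it is worth confirming that it was built for the kernel in the image. The following is an added example, not code from this site or from Volatility3: it reads the banner embedded in a json.xz ISF table and compares it with a banner reported by linux.banners.Banners. It assumes the table stores the banner base64-encoded under symbols.linux_banner.constant_data; the function names and sample data are constructed for illustration.

```python
import base64
import json
import lzma


def isf_banner(isf_xz_bytes: bytes) -> bytes:
    """Return the kernel banner embedded in a .json.xz ISF table."""
    table = json.loads(lzma.decompress(isf_xz_bytes))
    try:
        # Assumed layout: base64 banner under symbols.linux_banner.constant_data
        encoded = table["symbols"]["linux_banner"]["constant_data"]
    except (KeyError, TypeError):
        raise ValueError("ISF table has no linux_banner constant_data")
    return base64.b64decode(encoded)


def normalise(banner: bytes) -> bytes:
    # Banners may end in a newline and NUL padding; compare without them.
    return banner.rstrip(b"\x00\n ").strip()


def banner_matches(isf_xz_bytes: bytes, image_banner: str) -> bool:
    """True when the ISF table was built for the kernel seen in the image."""
    return normalise(isf_banner(isf_xz_bytes)) == normalise(image_banner.encode())


# Constructed sample data: a minimal ISF-like table and a made-up banner.
SAMPLE_BANNER = ("Linux version 5.4.0-42-generic (buildd@example) "
                 "(gcc version 9.3.0) #46-Ubuntu SMP (constructed sample)\n")
SAMPLE_ISF = lzma.compress(json.dumps({
    "symbols": {"linux_banner": {
        "address": 0,
        "constant_data": base64.b64encode(SAMPLE_BANNER.encode() + b"\x00").decode(),
    }}
}).encode(), format=lzma.FORMAT_XZ)

if __name__ == "__main__":
    # Banner copied from the image matches the table.
    print(banner_matches(SAMPLE_ISF, SAMPLE_BANNER.strip()))
    # A table for a neighbouring kernel build must be rejected.
    print(banner_matches(SAMPLE_ISF, "Linux version 5.4.0-45-generic (other)"))
```

A table whose banner differs from the image's, even by build number, describes different structure layouts and should not be used for that image.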

I am building up the list of available ISF tables, but it's a time-consuming process, especially for non-standard kernels. You can generate them yourself using the dwarf2json tool and access to a matching OS & kernel; more details can be found here.
You can sometimes find me loitering on the Volatility Slack Server; feel free to ask me or anyone else for help.

Be warned: this requires manual modification of the Volatility source for now!
Locate the REMOTE_ISF_URL constant and set it to 'https://volatility3-symbols.s3.eu-west-1.amazonaws.com/banners.json'. Volatility3 should now be able to automatically cache and retrieve any required symbol files from the remote server, with no need to search manually.