I'm having trouble getting the Linux support branch working.
I followed all the directions found here:
https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
I just can't seem to get it to work. Here's what I'm getting:
joe@zuul:~/volatility/lin64-support$ python vol.py
Welcome to volshell!
To get help, type 'help()'
>>> session.filename = "/home/joe/dump"
Traceback (most recent call last):
  File "<console>", line 1, in <module>
NameError: name 'session' is not defined
Can anyone help me with this, or point me to a download for the older Linux
branch, which was previously working for me? Thank you very much.
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/
Hi,
I'm playing with the new packetscan.py module from issue 233:
http://code.google.com/p/volatility/issues/detail?id=233
I'm using it against a Windows XP SP2 image and get the following error:
$ volatility packetscan -f IR-XP-PC-20120302-memdump.mem --no-cache
Traceback (most recent call last):
  File "/usr/local/bin/volatility", line 135, in <module>
    main()
  File "/usr/local/bin/volatility", line 126, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/packetscan.py", line 100, in render_text
    for source, dest in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/packetscan.py", line 91, in calculate
    profile.vtypes.update(ippkt_vtype)
AttributeError: 'WinXPSP2x86' object has no attribute 'vtypes'
Does this module not support XP SP2?
I'm admittedly in over my head, but I'm trying to figure out how to
create a plugin to scan memory for a particular signature, and when
found, parse data following the signature at specified offsets. I was
examining this module as a possible template for my own module. I'm
wondering, is it recommended to create a new vtype when scanning for a
structure in memory?
Thanks, Mike
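The plugin Mike describes (scan an image for a fixed signature, then parse fields at known offsets after each hit) reduces to two steps that can be shown outside Volatility. The following is an added, stand-alone example and not Volatility code or the packetscan module: the record layout (signature PKT1, a 16-bit version and a 32-bit length, then a payload) is constructed for illustration, the BytesSpace class is a hypothetical stand-in for a Volatility address space, and struct is used to overlay the header where a Volatility plugin would declare a vtype. The scanner reads the image in chunks and carries a few bytes across chunk boundaries so a signature split across two reads is still found, and the parser rejects hits whose fields fail sanity checks, which is how false-positive signature matches are weeded out in practice.

```python
import re
import struct
from collections import namedtuple

# Constructed record layout (hypothetical, not any real protocol or Volatility vtype):
#   +0   4-byte signature b"PKT1"
#   +4   uint16 little-endian version
#   +6   uint32 little-endian payload length
#   +10  payload (length bytes)
SIGNATURE = b"PKT1"
HEADER_FMT = "<HI"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
MAX_PAYLOAD = 4096  # sanity bound: anything larger is treated as a false positive

Record = namedtuple("Record", "offset version length payload")


class BytesSpace:
    """Minimal stand-in for a memory image: random-access reads over a bytes object."""

    def __init__(self, data):
        self.data = data

    def read(self, offset, size):
        return self.data[offset:offset + size]

    def __len__(self):
        return len(self.data)


def find_signatures(space, signature, chunk_size=0x1000):
    """Yield the absolute offset of every occurrence of `signature` in `space`.

    The image is read in fixed-size chunks; the last len(signature)-1 bytes of
    each window are carried into the next one so a match that straddles a chunk
    boundary is found exactly once.
    """
    pattern = re.compile(re.escape(signature))
    carry = b""
    offset = 0
    while offset < len(space):
        chunk = space.read(offset, chunk_size)
        window = carry + chunk
        base = offset - len(carry)
        for m in pattern.finditer(window):
            yield base + m.start()
        carry = window[-(len(signature) - 1):] if len(signature) > 1 else b""
        offset += len(chunk)


def parse_record(space, offset):
    """Overlay the header at `offset` and return a Record, or None if the
    fields fail sanity checks (a signature hit with a nonsense header)."""
    header = space.read(offset + len(SIGNATURE), HEADER_SIZE)
    if len(header) < HEADER_SIZE:
        return None
    version, length = struct.unpack(HEADER_FMT, header)
    if version == 0 or length > MAX_PAYLOAD:
        return None
    payload = space.read(offset + len(SIGNATURE) + HEADER_SIZE, length)
    if len(payload) < length:
        return None  # record runs off the end of the image
    return Record(offset, version, length, payload)


def scan_records(space, chunk_size=0x1000):
    """Signature scan followed by structure parsing; returns only validated records."""
    records = []
    for off in find_signatures(space, SIGNATURE, chunk_size):
        rec = parse_record(space, off)
        if rec is not None:
            records.append(rec)
    return records


def build_sample_image():
    """Constructed 8 KiB sample image: one valid record, one bogus hit with a
    zero version, and one valid record whose signature straddles the 0x1000
    chunk boundary."""
    def record(version, payload):
        return SIGNATURE + struct.pack(HEADER_FMT, version, len(payload)) + payload

    image = bytearray(0x2000)

    def put(off, blob):
        image[off:off + len(blob)] = blob

    put(0x100, record(1, b"hello"))
    put(0x800, SIGNATURE + struct.pack(HEADER_FMT, 0, 5) + b"bogus")  # rejected by parse_record
    put(0x1000 - 2, record(2, b"boundary"))  # "PK" ends chunk 0, "T1" begins chunk 1
    return bytes(image)


if __name__ == "__main__":
    for rec in scan_records(BytesSpace(build_sample_image())):
        print("0x%x version=%d length=%d payload=%r" % rec)
```

Two design points carry over to a real plugin: keep the signature search and the structure parse separate, so the scanner can stay generic while the parser is swapped for the structure being hunted; and validate every parsed field against bounds before trusting a hit, since a four-byte signature will match by chance in a large image.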