Hi,

I’ve got to beg some help again. After finally getting Volatility for Linux to work, I procured a Mac mini to test Volatility in that space. I’ve carefully followed the instructions at http://code.google.com/p/volatility/wiki/MacMemoryForensics to create a profile file named 12.1.0.64bit.zip, which I placed in the volatility/plugins/overlays/mac folder. When I use the --info option in volatility, I see the profile as Mac12_1_0_64bitx64, so it’s getting that far. However, when I try to actually analyze an 8GB dump (dumped using MacMemoryreader_3.0.2) from the same Mac mini that I used to generate the profile, I get the following issues:

$ python ./vol.py mac_machine_info --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj      : Deprecation warning: A plugin is making use of profile.add_types
Major Version:  -
Minor Version:  -
Memory Size:    -
Max CPUs:       -
Physical CPUs:  -
Logical CPUs:   -

$ python ./vol.py mac_dmesg --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj      : Deprecation warning: A plugin is making use of profile.add_types
Traceback (most recent call last):
  File "./vol.py", line 185, in <module>
    main()
  File "./vol.py", line 176, in main
    command.execute()
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 57, in render_text
    for buf in data:
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 41, in calculate
    if bufc[bufx] == 0 and bufc[0] != 0:
TypeError: string indices must be integers, not NoneObject

$ python ./vol.py imageinfo --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
Determining profile based on KDBG search...

Traceback (most recent call last):
  File "./vol.py", line 185, in <module>
    main()
  File "./vol.py", line 176, in main
    command.execute()
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 44, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/kdbgscan.py", line 112, in calculate
    proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 743, in __getattr__
    return self.m(attr)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 725, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBGHeader

Does anyone know what may be going on here?

Thanks

John

P.S. Here’s my --info output:

$ python ./vol.py --info
Volatile Systems Volatility Framework 2.1_rc3

Scanner Checks
--------------
CheckHiveSig           - Check for a registry hive signature
CheckPoolIndex         - Checks the pool index
CheckPoolSize          - Check pool block size
CheckPoolType          - Check the pool type
CheckProcess           - Check sanity of _EPROCESS
CheckSocketCreateTime  - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads           - Check sanity of _ETHREAD
KPCRScannerCheck       - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck           - This scanner checks for the occurance of a pool tag

Address Spaces
--------------
AMD64PagedMemory        - Standard AMD 64-bit address space.
ArmAddressSpace         - No docs
FileAddressSpace        - This is a direct file AS.
IA32PagedMemory         - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae      - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory       - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae    - Standard x86 32 bit PAE address space.
LimeAddressSpace        - Address space for Lime
MachOAddressSpace       - Address space for mach-o files to support atc-ny memory reader
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.

Profiles
--------
LinuxDebian2632x86 - A Profile for Linux Debian2632 x86
Mac12_1_0_64bitx64 - A Profile for Mac 12.1.0.64bit x64
Macmac_profilex64  - A Profile for Mac mac_profile x64
VistaSP0x64        - A Profile for Windows Vista SP0 x64
VistaSP0x86        - A Profile for Windows Vista SP0 x86
VistaSP1x64        - A Profile for Windows Vista SP1 x64
VistaSP1x86        - A Profile for Windows Vista SP1 x86
VistaSP2x64        - A Profile for Windows Vista SP2 x64
VistaSP2x86        - A Profile for Windows Vista SP2 x86
Win2003SP0x86      - A Profile for Windows 2003 SP0 x86
Win2003SP1x64      - A Profile for Windows 2003 SP1 x64
Win2003SP1x86      - A Profile for Windows 2003 SP1 x86
Win2003SP2x64      - A Profile for Windows 2003 SP2 x64
Win2003SP2x86      - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64    - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64    - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64      - A Profile for Windows 2008 SP1 x64
Win2008SP1x86      - A Profile for Windows 2008 SP1 x86
Win2008SP2x64      - A Profile for Windows 2008 SP2 x64
Win2008SP2x86      - A Profile for Windows 2008 SP2 x86
Win7SP0x64         - A Profile for Windows 7 SP0 x64
Win7SP0x86         - A Profile for Windows 7 SP0 x86
Win7SP1x64         - A Profile for Windows 7 SP1 x64
Win7SP1x86         - A Profile for Windows 7 SP1 x86
WinXPSP1x64        - A Profile for Windows XP SP1 x64
WinXPSP2x64        - A Profile for Windows XP SP2 x64
WinXPSP2x86        - A Profile for Windows XP SP2 x86
WinXPSP3x86        - A Profile for Windows XP SP3 x86

Plugins
-------
apihooks            - Detect API hooks in process and kernel memory
bioskbd             - Reads the keyboard buffer from Real Mode memory
callbacks           - Print system-wide notification routines
cmdscan             - Extract command history by scanning for _COMMAND_HISTORY
connections         - Print list of open connections [Windows XP and 2003 Only]
connscan            - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles            - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo           - Dump crash-dump information
devicetree          - Show device tree
dlldump             - Dump DLLs from a process address space
dlllist             - Print list of loaded dlls for each process
driverirp           - Driver IRP hook detection
driverscan          - Scan for driver objects _DRIVER_OBJECT
envars              - Display process environment variables
filescan            - Scan Physical memory for _FILE_OBJECT pool allocations
gdt                 - Display Global Descriptor Table
getsids             - Print the SIDs owning each process
handles             - Print list of open handles for each process
hashdump            - Dumps passwords hashes (LM/NTLM) from memory
hibinfo             - Dump hibernation file information
hivedump            - Prints out a hive
hivelist            - Print list of registry hives.
hivescan            - Scan Physical memory for _CMHIVE objects (registry hives)
idt                 - Display Interrupt Descriptor Table
imagecopy           - Copies a physical address space out as a raw DD image
imageinfo           - Identify information for the image
impscan             - Scan for calls to imported functions
kdbgscan            - Search for and dump potential KDBG values
kpcrscan            - Search for and dump potential KPCR values
ldrmodules          - Detect unlinked DLLs
linux_arp           - Print the ARP table
linux_cpuinfo       - Prints info about each active processor
linux_dmesg         - Gather dmesg buffer
linux_dump_map      - No docs
linux_ifconfig      - Gathers active interfaces
linux_iomem         - Provides output similar to /proc/iomem
linux_lsmod         - Gather loaded kernel modules
linux_lsof          - Lists open files
linux_memmap        - Dumps the memory map for linux tasks.
linux_mount         - Gather mounted fs/devices
linux_netstat       - Lists open sockets
linux_proc_maps     - gathers process maps for linux
linux_psaux         - gathers processes along with full command line and start time
linux_pslist        - Gather active tasks by walking the task_struct->task list
linux_route_cache   - Lists routing table
lsadump             - Dump (decrypted) LSA secrets from the registry
mac_arp             - prints the arp table
mac_dmesg           - prints the kernel debug buffer
mac_get_processors  - No docs
mac_ifconfig        - No docs
mac_ip_filters      - No docs
mac_list_open_files - No docs
mac_lsmod           - No docs
mac_machine_info    - No docs
mac_mount           - No docs
mac_netstat         - No docs
mac_notifiers       - detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_proc_maps       - No docs
mac_psaux           - No docs
mac_pslist          - No docs
mac_route           - No docs
mac_runq            - No docs
mac_trustedbsd      - No docs
mac_version         - No docs
mac_vfs_events      - No docs
mac_wait_queues     - No docs
malfind             - Find hidden and injected code
memdump             - Dump the addressable memory for a process
memmap              - Print the memory map
moddump             - Dump a kernel driver to an executable file sample
modscan             - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules             - Print list of loaded modules
mutantscan          - Scan for mutant objects _KMUTANT
netscan             - Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher             - Patches memory based on page scans
printkey            - Print a registry key, and its subkeys and values
procexedump         - Dump a process to an executable file sample
procmemdump         - Dump a process to an executable memory sample
pslist              - print all running processes by following the EPROCESS lists
psscan              - Scan Physical memory for _EPROCESS pool allocations
pstree              - Print process list as a tree
psxview             - Find hidden processes with various process listings
raw2dmp             - Converts a physical memory sample to a windbg crash dump
shimcache           - Parses the Application Compatibility Shim Cache registry key
sockets             - Print list of open sockets
sockscan            - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt                - Display SSDT entries
strings             - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan             - Scan for Windows services
symlinkscan         - Scan for symbolic link objects
thrdscan            - Scan physical memory for _ETHREAD objects
threads             - Investigate _ETHREAD and _KTHREADs
timers              - Print kernel timers and associated module DPCs
userassist          - Print userassist registry keys and information
vaddump             - Dumps out the vad sections to a file
vadinfo             - Dump the VAD info
vadtree             - Walk the VAD tree and display in tree format
vadwalk             - Walk the VAD tree
volshell            - Shell in the memory image
yarascan            - Scan process or kernel memory with Yara signatures
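
An added diagnostic for the failures in the post above; it is not part of John's message and not Volatility code. The three errors share a pattern: mac_machine_info prints "-" for every field, mac_dmesg dies indexing a buffer that came back as a NoneObject, and imageinfo fails inside kdbgscan because it looks for a Windows KDBG (VOLATILITY_MAGIC.KDBGHeader), which a Mac profile does not define, so that last one is expected with any Mac dump. The first two say that reads through the profile's symbols are returning nothing, which suggests the address space layered over the 8GB file is not mapping physical memory the way the profile expects, rather than a bug in the two plugins. The --info output lists a MachOAddressSpace "for mach-o files to support atc-ny memory reader", so the first thing worth checking is whether the file actually starts with a 64-bit Mach-O header, whether its filetype is MH_CORE, and which physical ranges its LC_SEGMENT_64 commands cover. The script below does that check. It relies only on the mach_header_64 and segment_command_64 layouts from <mach-o/loader.h>; the physical-address-to-file-offset translation is the generic one such a file implies, written for this example and not copied from Volatility's MachOAddressSpace; and when run without arguments it parses a constructed two-segment sample with a hole between the segments, not a real dump. It is also worth confirming that the /cygdrive/g/Mac* glob expands to exactly one file.

```python
import struct

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF        # 64-bit Mach-O; x86_64 cores are little-endian
MH_CORE = 0xA                   # filetype for core (memory) files
LC_SEGMENT_64 = 0x19            # 64-bit segment load command
MACH_HEADER_64_SIZE = 32
SEGMENT_COMMAND_64_SIZE = 72


def classify_image(data):
    """Coarse format check. Returns 'macho64-core', 'macho64-other' or
    'raw-or-unknown' (a raw dd-style dump has no header at all)."""
    if len(data) < MACH_HEADER_64_SIZE:
        return "raw-or-unknown"
    magic, filetype = struct.unpack_from("<I8xI", data, 0)   # magic @0, filetype @12
    if magic != MH_MAGIC_64:
        return "raw-or-unknown"
    return "macho64-core" if filetype == MH_CORE else "macho64-other"


def parse_macho_core(data):
    """Parse the header and LC_SEGMENT_64 commands of a little-endian 64-bit
    Mach-O. Returns (filetype, segments); each segment is
    (segname, vmaddr, vmsize, fileoff, filesize). In a core file vmaddr/vmsize
    is a physical memory range and fileoff/filesize is where it sits in the dump."""
    if len(data) < MACH_HEADER_64_SIZE:
        raise ValueError("file shorter than a mach_header_64")
    magic, _cputype, _cpusub, filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic 0x%08x)" % magic)
    segments = []
    off = MACH_HEADER_64_SIZE
    end = off + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end or off + 8 > len(data):
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset 0x%x" % off)
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEGMENT_COMMAND_64_SIZE:
                raise ValueError("truncated LC_SEGMENT_64 at offset 0x%x" % off)
            segname = data[off + 8:off + 24].rstrip(b"\0").decode("ascii", "replace")
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from("<4Q", data, off + 24)
            segments.append((segname, vmaddr, vmsize, fileoff, filesize))
        off += cmdsize
    return filetype, segments


def phys_to_file_offset(segments, paddr):
    """Translate a physical address to a file offset through the segment table,
    which is what any address space over a Mach-O core has to do. Returns None
    when no segment backs paddr (a hole in the dump): reads there yield nothing,
    and a plugin that indexes such a result is exactly how a NoneObject ends up
    inside a string subscript."""
    for _name, vmaddr, vmsize, fileoff, filesize in segments:
        if vmaddr <= paddr < vmaddr + vmsize:
            delta = paddr - vmaddr
            if delta >= filesize:
                return None      # declared in memory but not backed by file data
            return fileoff + delta
    return None


def build_sample_core(ranges):
    """Constructed test input (not a real dump): a minimal MH_CORE file whose
    LC_SEGMENT_64 commands describe the given (vmaddr, vmsize, fileoff, filesize)
    ranges, followed by a zero-filled payload up to the last segment's end."""
    cmds = b""
    for vmaddr, vmsize, fileoff, filesize in ranges:
        cmds += struct.pack("<2I16s4Q4I", LC_SEGMENT_64, SEGMENT_COMMAND_64_SIZE,
                            b"", vmaddr, vmsize, fileoff, filesize, 7, 7, 0, 0)
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, MH_CORE,   # CPU_TYPE_X86_64
                      len(ranges), len(cmds), 0, 0)
    data = hdr + cmds
    total = max(fo + fs for _, _, fo, fs in ranges)
    return data + b"\0" * max(0, total - len(data))


def report(data):
    """Format verdict plus one line per segment, as a diagnostic to run on a dump."""
    kind = classify_image(data)
    lines = ["format: %s" % kind]
    if kind.startswith("macho64"):
        _ft, segs = parse_macho_core(data)
        for name, vmaddr, vmsize, fileoff, filesize in segs:
            lines.append("%-8s phys 0x%012x-0x%012x  file 0x%x (+0x%x)"
                         % (name or "-", vmaddr, vmaddr + vmsize, fileoff, filesize))
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read(1 << 20)      # header and load commands sit in the first MiB
    else:
        # two physical ranges with a hole between them, like a real machine's memory map
        blob = build_sample_core([(0x0, 0x1000, 0x1000, 0x1000),
                                  (0x100000, 0x2000, 0x2000, 0x2000)])
    print("\n".join(report(blob)))
```

Run it with the dump path as its only argument. If it reports raw-or-unknown, the file is not something MachOAddressSpace will claim and the plain AMD64 address space over a raw file is the right expectation instead; if it reports a Mach-O core, the segment table shows which physical ranges the dump actually contains, and any physical page Volatility needs that falls outside every listed range will read back empty, which is consistent with the all-"-" mac_machine_info output above.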