Hi all,
Make that OS X 10.8 (Mountain Lion). 12.1.0 is the kernel version. My apologies. I don’t use Macs a lot, and 10.8 doesn’t appear in the uname -a output for some unknown reason.
John
From: McCash John-GKJN37
Sent: Tuesday, August 28, 2012 4:34 PM
To: 'vol-dev@volatilityfoundation.org'
Subject: problem analyzing dump from MacOSX 12.1.0.x86_64
Hi,
I’ve got to beg some help again. After finally getting Volatility for Linux to work, I procured a Mac mini to test Volatility in that space. I’ve carefully followed the instructions at http://code.google.com/p/volatility/wiki/MacMemoryForensics to create a profile file named 12.1.0.64bit.zip, which I placed in the volatility/plugins/overlays/mac folder. When I use the --info option in volatility, I see the profile as Mac12_1_0_64bitx64, so it’s getting that far. However, when I try to actually analyze an 8GB dump (dumped using MacMemoryreader_3.0.2) from the same Mac mini that I used to generate the profile, I get the following issues:
$ python ./vol.py mac_machine_info --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Major Version: -
Minor Version: -
Memory Size: -
Max CPUs: -
Physical CPUs: -
Logical CPUs: -
$ python ./vol.py mac_dmesg --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
WARNING : volatility.obj : Deprecation warning: A plugin is making use of profile.add_types
Traceback (most recent call last):
  File "./vol.py", line 185, in <module>
    main()
  File "./vol.py", line 176, in main
    command.execute()
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 57, in render_text
    for buf in data:
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/mac/mac_dmesg.py", line 41, in calculate
    if bufc[bufx] == 0 and bufc[0] != 0:
TypeError: string indices must be integers, not NoneObject
$ python ./vol.py imageinfo --profile=Mac12_1_0_64bitx64 -f /cygdrive/g/Mac*
Volatile Systems Volatility Framework 2.1_rc3
Determining profile based on KDBG search...
Traceback (most recent call last):
  File "./vol.py", line 185, in <module>
    main()
  File "./vol.py", line 176, in main
    command.execute()
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/imageinfo.py", line 44, in calculate
    suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/plugins/kdbgscan.py", line 112, in calculate
    proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 743, in __getattr__
    return self.m(attr)
  File "/home/Forensic/mac_Volatility/mac-trunk/volatility/obj.py", line 725, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBGHeader
Does anyone know what may be going on here?
Thanks
John
P.S. Here’s my --info output:
$ python ./vol.py --info
Volatile Systems Volatility Framework 2.1_rc3
Scanner Checks
--------------
CheckHiveSig - Check for a registry hive signature
CheckPoolIndex - Checks the pool index
CheckPoolSize - Check pool block size
CheckPoolType - Check the pool type
CheckProcess - Check sanity of _EPROCESS
CheckSocketCreateTime - Check that _ADDRESS_OBJECT.CreateTime makes sense
CheckThreads - Check sanity of _ETHREAD
KPCRScannerCheck - Checks the self referential pointers to find KPCRs
MultiPrefixFinderCheck - Checks for multiple strings per page, finishing at the offset
MultiStringFinderCheck - Checks for multiple strings per page
PoolTagCheck - This scanner checks for the occurance of a pool tag
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - No docs
FileAddressSpace - This is a direct file AS.
IA32PagedMemory - Legacy x86 non PAE address space (to use specify --use_old_as)
IA32PagedMemoryPae - Legacy x86 PAE address space (to use specify --use_old_as)
JKIA32PagedMemory - Standard x86 32 bit non PAE address space.
JKIA32PagedMemoryPae - Standard x86 32 bit PAE address space.
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Profiles
--------
LinuxDebian2632x86 - A Profile for Linux Debian2632 x86
Mac12_1_0_64bitx64 - A Profile for Mac 12.1.0.64bit x64
Macmac_profilex64 - A Profile for Mac mac_profile x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Plugins
-------
apihooks - Detect API hooks in process and kernel memory
bioskbd - Reads the keyboard buffer from Real Mode memory
callbacks - Print system-wide notification routines
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
driverscan - Scan for driver objects _DRIVER_OBJECT
envars - Display process environment variables
filescan - Scan Physical memory for _FILE_OBJECT pool allocations
gdt - Display Global Descriptor Table
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Scan Physical memory for _CMHIVE objects (registry hives)
idt - Display Interrupt Descriptor Table
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
linux_arp - Print the ARP table
linux_cpuinfo - Prints info about each active processor
linux_dmesg - Gather dmesg buffer
linux_dump_map - No docs
linux_ifconfig - Gathers active interfaces
linux_iomem - Provides output similar to /proc/iomem
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists open files
linux_memmap - Dumps the memory map for linux tasks.
linux_mount - Gather mounted fs/devices
linux_netstat - Lists open sockets
linux_proc_maps - gathers process maps for linux
linux_psaux - gathers processes along with full command line and start time
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_route_cache - Lists routing table
lsadump - Dump (decrypted) LSA secrets from the registry
mac_arp - prints the arp table
mac_dmesg - prints the kernel debug buffer
mac_get_processors - No docs
mac_ifconfig - No docs
mac_ip_filters - No docs
mac_list_open_files - No docs
mac_lsmod - No docs
mac_machine_info - No docs
mac_mount - No docs
mac_netstat - No docs
mac_notifiers - detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_proc_maps - No docs
mac_psaux - No docs
mac_pslist - No docs
mac_route - No docs
mac_runq - No docs
mac_trustedbsd - No docs
mac_version - No docs
mac_vfs_events - No docs
mac_wait_queues - No docs
malfind - Find hidden and injected code
memdump - Dump the addressable memory for a process
memmap - Print the memory map
moddump - Dump a kernel driver to an executable file sample
modscan - Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects
modules - Print list of loaded modules
mutantscan - Scan for mutant objects _KMUTANT
netscan - Scan a Vista, 2008 or Windows 7 image for connections and sockets
patcher - Patches memory based on page scans
printkey - Print a registry key, and its subkeys and values
procexedump - Dump a process to an executable file sample
procmemdump - Dump a process to an executable memory sample
pslist - print all running processes by following the EPROCESS lists
psscan - Scan Physical memory for _EPROCESS pool allocations
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
raw2dmp - Converts a physical memory sample to a windbg crash dump
shimcache - Parses the Application Compatibility Shim Cache registry key
sockets - Print list of open sockets
sockscan - Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Scan for symbolic link objects
thrdscan - Scan physical memory for _ETHREAD objects
threads - Investigate _ETHREAD and _KTHREADs
timers - Print kernel timers and associated module DPCs
userassist - Print userassist registry keys and information
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
volshell - Shell in the memory image
yarascan - Scan process or kernel memory with Yara signatures
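A first check an analyst can run on a dump like the one above, added here as an example (it is not code from the thread or from the Volatility project): parse the dump's Mach-O header and confirm it is a 64-bit core-style file whose LC_SEGMENT_64 ranges all lie inside the file, since the MachOAddressSpace listed in the --info output is what handles Mach-O dumps from the ATC-NY reader. The assumption that MacMemoryReader writes a 64-bit MH_CORE container, and the segment names and sizes in build_sample_header, are mine.

```python
import struct

MH_MAGIC_64, MH_CORE, LC_SEGMENT_64 = 0xfeedfacf, 0x4, 0x19  # <mach-o/loader.h>

def parse_macho_segments(hdr):
    """Parse a 64-bit little-endian Mach-O header plus load commands into
    (filetype, [(segname, vmaddr, fileoff, filesize), ...]) or raise ValueError."""
    if len(hdr) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _cpu, _sub, filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<IiiIIIII", hdr, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit LE Mach-O (magic 0x%08x)" % magic)
    segs, off, end = [], 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(hdr):
            raise ValueError("load commands run past the bytes read")
        cmd, cmdsize = struct.unpack_from("<II", hdr, off)
        if cmdsize < 8 or off + cmdsize > end or off + cmdsize > len(hdr):
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            name, vmaddr, _vmsize, fileoff, filesize = \
                struct.unpack_from("<16sQQQQ", hdr, off + 8)
            segs.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vmaddr, fileoff, filesize))
        off += cmdsize
    return filetype, segs

def check_dump_header(hdr, file_size):
    """Return the problems found; an empty list means the header describes a
    core-style dump whose segments all fit inside a file of file_size bytes."""
    filetype, segs = parse_macho_segments(hdr)
    problems = []
    if filetype != MH_CORE:
        problems.append("filetype 0x%x is not MH_CORE" % filetype)
    if not segs:
        problems.append("no LC_SEGMENT_64: no physical ranges described")
    for name, _vmaddr, fileoff, filesize in segs:
        if fileoff + filesize > file_size:
            problems.append("segment %r ends past EOF (truncated dump?)" % name)
    return problems

def build_sample_header(segments):
    """Constructed test input (not real tool output): a core-style header with
    one LC_SEGMENT_64 per (name, vmaddr, fileoff, filesize) tuple."""
    cmds = b"".join(struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, n.encode(),
                                va, sz, fo, sz, 7, 7, 0, 0)
                    for n, va, fo, sz in segments)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, MH_CORE,
                       len(segments), len(cmds), 0, 0) + cmds
```

Feed check_dump_header the first megabyte of the dump and the file's total size; a non-empty result means the container itself is not what the address space expects, which is worth ruling out before suspecting the profile.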