[Vol-dev] RE: Problem with Linux Volatility

Response anyone? I can't believe this would really be this broken, so I have to be doing something wrong (or maybe not... see below). I first tried this with r2149, and have checked a couple of the more recent updates, I but get the same result. Are the wiki<http://code.google.com/p/volatility/wiki/LinuxMemoryForensics> instructions I'm following maybe out-of-date? Looking further, I tried this with -dubug, and got: ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer -> access=mmap.ACCESS_READ) Then looked at line 67 in mmap_address_space.py, and see: # On 64 bit architectures we can just map the entire image # into our process. TODO(scudette): Try to make this work on # 32 bit systems by segmenting into several smallish maps. self.map = mmap.mmap(self.fhandle.fileno(), self.fsize, access=mmap.ACCESS_READ) So, assuming the above TODO comment related to the issue I'm seeing; Is it because I'm running volatility on a 32bit system, or because I'm trying to analyze a dump from a 32bit system? Thanks John From: McCash John-GKJN37 Sent: Tuesday, August 07, 2012 2:12 PM To: &#39;vol-dev(a)volatilityfoundation.org&#39; Subject: Problem with Linux Volatility Hi Folks, Sorry you only seem to hear from me about once a year, but I got fired up over Joe's & Andrew's Forensic Summit presentations and resolved to try out the new stuff in the Linux & Mac branches. Unfortunately I don't seem to have gotten very far with it. I've got the scudette branch installed on a SIFT Kit VM, and have successfully used LiME to dump memory from it. I've also successfully created a profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I successfully dumped from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you load up the pmem.ko module. When I attempt to run Volatility , here's what happens... root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py The Volatility Memory Forensic Framework technology preview (3.0_tp1). NOTE: This is pre-release software and is provided for evauation only. Please check at http://volatility.googlecode.com/ for officially supported versions. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License. ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer ERROR:root:Failed running plugin pslist: kernel_address_space not specified. ERROR:root:Error: 'NoneType' object has no attribute 'name' Traceback (most recent call last): File "<console>", line 1, in <module> File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol self.last = super(InteractiveSession, self).vol(*args, **kwargs) File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol ui_renderer.start(plugin_name=result.name, kwargs=kwargs) AttributeError: 'NoneType' object has no attribute 'name' Am I doing something brain-damaged? Thanks John