Response anyone? I can't believe this would really be this broken, so I have to be
doing something wrong (or maybe not... see below). I first tried this with r2149, and have
checked a couple of the more recent updates, but I get the same result. Are the
wiki instructions (http://code.google.com/p/volatility/wiki/LinuxMemoryForensics)
I'm following maybe out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then I looked at line 67 in mmap_address_space.py and saw:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
                     access=mmap.ACCESS_READ)
So, assuming the above TODO comment relates to the issue I'm seeing: is it because
I'm running Volatility on a 32-bit system, or because I'm trying to analyze a dump
from a 32-bit system?
Thanks
John
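A sketch of what that TODO describes, added here as an example (it is not code from the scudette branch or from Volatility): a read-only view that maps the image in small windows, so no single mapping has to fit a 32-bit index, and reads that cross a window boundary are stitched together. The class name SegmentedMmapReader, the WINDOW size and the demo() helper are assumptions of this example, and the sample image is constructed in a temporary file.

```python
import mmap
import os
import tempfile

# Mapping window; must be a multiple of mmap.ALLOCATIONGRANULARITY. Kept tiny
# here (assumed value) so the constructed sample file spans several windows.
WINDOW = mmap.ALLOCATIONGRANULARITY * 4


class SegmentedMmapReader:
    """Read-only file view from small, lazily created mmap windows (the TODO's idea)."""

    def __init__(self, path):
        self.fhandle = open(path, "rb")
        self.fsize = os.fstat(self.fhandle.fileno()).st_size
        self.maps = {}  # window index -> mmap object

    def _window(self, idx):
        if idx not in self.maps:
            start = idx * WINDOW
            length = min(WINDOW, self.fsize - start)  # last window is short
            self.maps[idx] = mmap.mmap(self.fhandle.fileno(), length,
                                       access=mmap.ACCESS_READ, offset=start)
        return self.maps[idx]

    def read(self, offset, length):
        """Bytes at [offset, offset+length) clamped to the file, stitched across windows."""
        offset = max(offset, 0)
        end, out = min(offset + length, self.fsize), []
        while offset < end:
            idx, rel = divmod(offset, WINDOW)
            n = min(end - offset, WINDOW - rel)  # stay inside this window
            out.append(self._window(idx)[rel:rel + n])
            offset += n
        return b"".join(out)

    def close(self):
        for m in self.maps.values():
            m.close()
        self.fhandle.close()


def demo():
    """Constructed sample image (just over 3 windows) with a known byte pattern."""
    data = bytes(i % 251 for i in range(WINDOW * 3 + 1234))
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    r = SegmentedMmapReader(f.name)
    straddle = r.read(WINDOW - 100, 300)  # crosses from window 0 into window 1
    tail = r.read(r.fsize - 50, 500)      # clamped at end of file
    r.close()
    os.unlink(f.name)
    return straddle == data[WINDOW - 100:WINDOW + 200], tail == data[-50:], sorted(r.maps)
```

Only the windows actually touched get mapped, which is also why a sparse walk over a large image stays cheap.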
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year, but I got fired up
over Joe's & Andrew's Forensic Summit presentations and resolved to try out
the new stuff in the Linux & Mac branches. Unfortunately I don't seem to have
gotten very far with it. I've got the scudette branch installed on a SIFT Kit VM, and
have successfully used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I successfully dumped
from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you
load up the pmem.ko module. When I attempt to run Volatility, here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only. Please
check at
http://volatility.googlecode.com/ for officially supported versions.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file = "myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
    self.last = super(InteractiveSession, self).vol(*args, **kwargs)
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
    ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John