Response anyone? I can’t believe this would really be this broken, so I have to be doing something wrong (or maybe not… see below). I first tried this with r2149, and have checked a couple of the more recent updates, but I get the same result. Are the wiki instructions I’m following maybe out-of-date?

Looking further, I tried this with --debug, and got:

ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
> /home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)

Then looked at line 67 in mmap_address_space.py, and see:

# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
                     access=mmap.ACCESS_READ)

So, assuming the above TODO comment relates to the issue I’m seeing: is it because I’m running Volatility on a 32-bit system, or because I’m trying to analyze a dump from a 32-bit system?

                              Thanks

                                             John

 

From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev@volatilityfoundation.org'
Subject: Problem with Linux Volatility

Hi Folks,

Sorry you only seem to hear from me about once a year, but I got fired up over Joe’s & Andrew’s Forensic Summit presentations and resolved to try out the new stuff in the Linux & Mac branches. Unfortunately I don’t seem to have gotten very far with it. I’ve got the scudette branch installed on a SIFT Kit VM, and have successfully used LiME to dump memory from it. I’ve also successfully created a profile for the SIFT Kit’s 2.6.31-23-generic kernel, using json I successfully dumped from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you load up the pmem.ko module. When I attempt to run Volatility, here’s what happens…

root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py

The Volatility Memory Forensic Framework technology preview (3.0_tp1).

NOTE: This is pre-release software and is provided for evauation only. Please
check at http://volatility.googlecode.com/ for officially supported versions.

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.

>>> session.filename = "/dev/pmem"
>>> session.profile_file = "myprofile.zip"
>>> session.profile = "Linux32"
>>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
    self.last = super(InteractiveSession, self).vol(*args, **kwargs)
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
    ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>>

Am I doing something brain-damaged?

                              Thanks

                                             John
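
The TODO quoted from mmap_address_space.py in the reply above suggests segmenting the image into several smaller maps instead of one mmap of the whole file. The sketch below is an added example of that idea, not code from Volatility or from this thread; the names `WindowedImage` and `demo`, the 64 MiB default window and the temporary sample file are assumptions made for illustration. It assumes a regular image file (such as a LiME dump) whose size `os.fstat` reports.

```python
import mmap
import os
import tempfile

class WindowedImage(object):
    """Read-only view of an image file through one bounded mmap at a time."""
    def __init__(self, fhandle, window=64 * 1024 * 1024):
        gran = mmap.ALLOCATIONGRANULARITY
        # mmap offsets must be multiples of the allocation granularity.
        self.window = max(gran, window - window % gran)
        self.fhandle = fhandle
        self.fsize = os.fstat(fhandle.fileno()).st_size
        self.base, self.map = None, None

    def _remap(self, base):
        if self.map is not None:
            self.map.close()
        # The length handed to mmap never exceeds one window.
        length = min(self.window, self.fsize - base)
        self.map = mmap.mmap(self.fhandle.fileno(), length,
                             access=mmap.ACCESS_READ, offset=base)
        self.base = base

    def read(self, offset, length):
        """Return up to `length` bytes at `offset`, spanning windows if needed."""
        end = min(offset + length, self.fsize)
        chunks = []
        while 0 <= offset < end:
            base = offset - offset % self.window
            if base != self.base:
                self._remap(base)
            lo = offset - base
            # Slicing clips at the end of the current window.
            chunks.append(self.map[lo:lo + end - offset])
            offset += len(chunks[-1])
        return b"".join(chunks)

    def close(self):
        if self.map is not None:
            self.map.close()

def demo():
    """Constructed sample: read across window boundaries of a temp file."""
    gran = mmap.ALLOCATIONGRANULARITY
    with tempfile.TemporaryFile() as fhandle:
        fhandle.write(b"A" * gran + b"B" * gran + b"C" * 10)
        fhandle.flush()
        image = WindowedImage(fhandle, window=gran)
        result = image.read(gran - 2, 4), image.read(2 * gran - 1, 100)
        image.close()
        return result
```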