Hi John,
Sorry to not respond earlier but was busy at DFRWS. From your paste it
looks like you are using the technology preview and not the Linux
branch. Admittedly I have not focused on Linux very much so Linux is
probably less supported in this branch at the moment.
You should just type pslist rather than using the vol helper directly.
See the tutorial materials at
But you probably should do something like:
python vol.py --profile Linux32 --profile_file "myprofile.zip" -f "/dev/pmem"
In [1]: pslist
Michael.
On Aug 7, 2012 9:12 PM, "McCash John-GKJN37"
<john.mccash(a)motorolasolutions.com> wrote:
Hi Folks,
Sorry you only seem to hear from me about once a year, but I got fired up
over Joe’s & Andrew’s Forensic Summit presentations and resolved to try out the new
stuff in the Linux & Mac branches. Unfortunately I don’t seem to have gotten very far
with it. I’ve got the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I’ve also successfully created a profile for the SIFT
Kit’s 2.6.31-23-generic kernel, using json I successfully dumped from module_dwarf.ko. I
even tried the live /dev/pmem memory interface you get when you load up the pmem.ko
module. When I attempt to run Volatility, here’s what happens…
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only. Please
check at
http://volatility.googlecode.com/ for officially supported versions.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file = "myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
    self.last = super(InteractiveSession, self).vol(*args, **kwargs)
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
    ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev