Hi Folks,

Sorry you only seem to hear from me about once a year, but I got fired up over Joe’s & Andrew’s Forensic Summit presentations and resolved to try out the new stuff in the Linux & Mac branches. Unfortunately I don’t seem to have gotten very far with it. I’ve got the scudette branch installed on a SIFT Kit VM, and have successfully used LiME to dump memory from it. I’ve also successfully created a profile for the SIFT Kit’s 2.6.31-23-generic kernel, using JSON I successfully dumped from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you load up the pmem.ko module. When I attempt to run Volatility, here’s what happens…

root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py

The Volatility Memory Forensic Framework technology preview (3.0_tp1).

NOTE: This is pre-release software and is provided for evauation only. Please
check at http://volatility.googlecode.com/ for officially supported versions.

This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.

>>> session.filename = "/dev/pmem"
>>> session.profile_file = "myprofile.zip"
>>> session.profile = "Linux32"
>>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
    self.last = super(InteractiveSession, self).vol(*args, **kwargs)
  File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
    ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>>

Am I doing something brain-damaged?

Thanks

John