Andrew,
Thanks much. I guess I’ll wait. I did make a credible effort by actually replacing the Debian2632.zip in the volatility/plugins/overlays/linux folder with a zip file containing System.map-2.6.31-23-generic and module.json, which I extracted using dwarfparser.py from scudette’s branch. I see that the linux-trunk doesn’t use .json in the profile, so I tried recreating the zip file using the instructions from the linux-trunk tools/linux/README.txt file, and replaced it with that, no difference.
Volatility is awesome. Keep up the good work.
John
From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Friday, August 10, 2012 3:33 PM
To: McCash John-GKJN37
Cc: Joe Sylve; vol-dev@volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
The debian one is just a sample profile for a specific version of debian. To make one for the image you are analyzing, you will need to be able to compile a kernel module against it (which most distros provide the packages for).
I am integrating a new way of handling the profiles into linux-trunk this weekend/early next week and after that I will write up instructions on how to use it, so if you can wait a few more days then you will be using the latest code :)
On Fri, Aug 10, 2012 at 3:26 PM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:
Joe,
How did I manage to miss the --info option? <face-slap> In any case, I just tried that (with the only linux profile listed by --info, Linuxold_Debian2632x86), and it gives me:
root@SIFT-Workstation:~/Desktop/linux_Volatility/linux-trunk# python ./vol.py -f /dev/pmem linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
ArmAddressSpace: No base Address Space
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
ArmAddressSpace: No valid DTB found
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thoughts?
John
From: Joe Sylve [mailto:joe.sylve@gmail.com]
Sent: Friday, August 10, 2012 3:10 PM
To: McCash John-GKJN37
Cc: Jamie Levy; vol-dev@volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Hey John,
Sorry for the delayed response. I'm just getting back from DFRWS.
The linux-trunk version works fine. Just remember there are different commands associated with Linux images than there are for windows. Do something like python vol.py --info and it'll give you a list of available profiles (generated from the zip you put in the overlays folder).
Then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h
This will list commands you can run on the images. They'll be like linux_pslist instead of pslist for example.
Hope this helps.
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/
On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or /dev/pmem either. It also looks somewhat different. There, I'm not even sure how to specify the profile file, and rather than Linux32 or Linux64 profiles, the only one that seems to be defined is AbstractLinuxProfile. I even tried dropping in my zipped profile file to replace the existing Debian2632.zip, but that didn't help either. Maybe I'm just not cut out for using prerelease software and should sit back and wait for the 2.2 release candidate.
Thanks
John
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev@volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's branch? I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:
> Response anyone? I can't believe this would really be this broken, so
> I have to be doing something wrong (or maybe not... see below). I first
> tried this with r2149, and have checked a couple of the more recent
> updates, but I get the same result. Are the wiki instructions I'm following maybe out-of-date?
>
> Looking further, I tried this with --debug, and got:
>
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
>> /home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
> -> access=mmap.ACCESS_READ)
>
> Then looked at line 67 in mmap_address_space.py, and see:
>
> # On 64 bit architectures we can just map the entire image
> # into our process. TODO(scudette): Try to make this work on
> # 32 bit systems by segmenting into several smallish maps.
> self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
> access=mmap.ACCESS_READ)
>
> So, assuming the above TODO comment related to the issue I'm seeing,
> is it because I'm running volatility on a 32bit system, or because I'm
> trying to analyze a dump from a 32bit system?
>
> Thanks
>
> John
>
> From: McCash John-GKJN37
> Sent: Tuesday, August 07, 2012 2:12 PM
> To: 'vol-dev@volatilityfoundation.org'
> Subject: Problem with Linux Volatility
>
> Hi Folks,
>
> Sorry you only seem to hear from me about once a year,
> but I got fired up over Joe's & Andrew's Forensic Summit presentations
> and resolved to try out the new stuff in the Linux & Mac branches.
> Unfortunately I don't seem to have gotten very far with it. I've got
> the scudette branch installed on a SIFT Kit VM, and have successfully
> used LiME to dump memory from it. I've also successfully created a
> profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
> successfully dumped from module_dwarf.ko. I even tried the live
> /dev/pmem memory interface you get when you load up the pmem.ko
> module. When I attempt to run Volatility, here's what happens...
>
> root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py
>
> The Volatility Memory Forensic Framework technology preview (3.0_tp1).
>
> NOTE: This is pre-release software and is provided for evauation only. Please
> check at http://volatility.googlecode.com/ for officially supported versions.
>
> This program is free software; you can redistribute it and/or modify it under
> the terms of the GNU General Public License.
>
>>>> session.filename = "/dev/pmem"
>>>> session.profile_file = "myprofile.zip"
>>>> session.profile = "Linux32"
>>>> vol (plugins.pslist)
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
> ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
> ERROR:root:Error: 'NoneType' object has no attribute 'name'
> Traceback (most recent call last):
> File "<console>", line 1, in <module>
> File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 292, in vol
> self.last = super(InteractiveSession, self).vol(*args, **kwargs)
> File "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py", line 154, in vol
> ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
> AttributeError: 'NoneType' object has no attribute 'name'
>>>>
>
> Am I doing something brain-damaged?
>
> Thanks
>
> John
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
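The "cannot fit 'long' into an index-sized integer" error quoted in the thread is Python's OverflowError from converting the image size into a C ssize_t for the length argument of mmap.mmap(); on a 32-bit interpreter that ceiling is 2 GiB minus one byte, whatever the architecture of the system the dump came from. The TODO in mmap_address_space.py proposes working around this by mapping the image in several smaller windows. The following is an added example of that approach, written for this thread; it is not Volatility code and not code from anyone on the list. Names such as SegmentedImageReader, exceeds_index and demo_cross_window_read are the example's own, and the sample "image" it reads is a constructed temporary file, not a real memory dump.

```python
import mmap
import os
import sys
import tempfile


def exceeds_index(size, bits=None):
    """True when a single mmap.mmap(fd, size) call would need a length
    larger than the interpreter's index-sized integer (C ssize_t).
    `bits` overrides the running interpreter's pointer width so the
    32-bit case can be illustrated from a 64-bit host."""
    limit = sys.maxsize if bits is None else (1 << (bits - 1)) - 1
    return size > limit


class SegmentedImageReader:
    """Expose a large image through a sliding mmap window instead of one
    map of the whole file (hypothetical helper, not a Volatility address
    space). Only one window is mapped at a time; reads that straddle a
    window boundary are stitched together from consecutive windows."""

    def __init__(self, path, window_size=64 * 1024 * 1024):
        self.fsize = os.path.getsize(path)
        self.fd = os.open(path, os.O_RDONLY)
        # mmap offsets must be multiples of the allocation granularity,
        # so round the window down to one and never go below it. The
        # window itself must also fit in an index-sized integer.
        gran = mmap.ALLOCATIONGRANULARITY
        window_size = max(gran, (window_size // gran) * gran)
        if exceeds_index(window_size):
            raise ValueError("window does not fit an index-sized integer")
        self.window_size = window_size
        self.map = None
        self.map_offset = None
        self.maps_created = 0  # bookkeeping for the demo below

    def _window_for(self, offset):
        """Return (mapping, relative offset) for the window holding offset,
        remapping only when offset falls outside the current window."""
        start = (offset // self.window_size) * self.window_size
        if self.map is None or self.map_offset != start:
            if self.map is not None:
                self.map.close()
            length = min(self.window_size, self.fsize - start)
            self.map = mmap.mmap(self.fd, length, offset=start,
                                 access=mmap.ACCESS_READ)
            self.map_offset = start
            self.maps_created += 1
        return self.map, offset - start

    def read(self, offset, length):
        """Read up to `length` bytes at `offset`, clipped to the file size."""
        if offset < 0 or offset >= self.fsize:
            return b""
        length = min(length, self.fsize - offset)
        chunks = []
        while length > 0:
            m, rel = self._window_for(offset)
            n = min(length, len(m) - rel)
            chunks.append(m[rel:rel + n])
            offset += n
            length -= n
        return b"".join(chunks)

    def close(self):
        if self.map is not None:
            self.map.close()
            self.map = None
        os.close(self.fd)


def demo_cross_window_read():
    """Constructed sample: an 'image' three windows plus 100 bytes long,
    read once across the first window boundary and once at the ragged
    tail. Returns (boundary read correct, tail read correct, windows mapped)."""
    gran = mmap.ALLOCATIONGRANULARITY
    data = (bytes(range(256)) * ((3 * gran) // 256 + 1))[:3 * gran + 100]
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        r = SegmentedImageReader(path, window_size=gran)
        straddle = r.read(gran - 10, 30)          # crosses windows 0 -> 1
        tail = r.read(3 * gran + 90, 1000)        # clipped at end of file
        r.close()
    finally:
        os.unlink(path)
    return (straddle == data[gran - 10:gran + 20],
            tail == data[3 * gran + 90:],
            r.maps_created)


if __name__ == "__main__":
    print("4 GiB image needs a single map on 32-bit Python:",
          "overflows" if exceeds_index(4 * 1024 ** 3, bits=32) else "fits")
    print(demo_cross_window_read())
```

The window size is rounded to mmap.ALLOCATIONGRANULARITY because the offset argument of mmap.mmap() must be a multiple of it; the same rounding is what keeps each window well under the 2 GiB ceiling on a 32-bit interpreter. The trade-off against a single whole-file map is the remap on every window change, so callers that scan an image sequentially should keep the window large.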