Andrew,

               Thanks much. I guess I’ll wait. I did make a credible effort by actually replacing the Debian2632.zip in the volatility/plugins/overlays/linux folder with a zip file containing System.map-2.6.31-23-generic and module.json, which I extracted using dwarfparser.py from scudette’s branch. I see that the linux-trunk doesn’t use .json in the profile, so I tried recreating the zip file using the instructions from the linux-trunk tools/linux/README.txt file, and replaced it with that, no difference.

                              Volatility is awesome. Keep up the good work.

                                             John

 

From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Friday, August 10, 2012 3:33 PM
To: McCash John-GKJN37
Cc: Joe Sylve; vol-dev@volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility

 

The debian one is a just a sample profile for a specific version of debian. To make one for the image you are analyzing, you will need to be able to compile a kernel module against it (which most distros provided the packages for).

I am integrating a new way of handling the profiles into linux-trunk this weekend/early next week and after that I will write up instructions on how to use it, so if you can wait a few more days then you will be using the latest code :)

On Fri, Aug 10, 2012 at 3:26 PM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:

Joe,

               How did I manage to miss the –info option? <face-slap> In any case, I just tried that (with the only linux profile listed by –info, Linuxold_Debian2632x86) , and it gives me:

 

root@SIFT-Workstation:~/Desktop/linux_Volatility/linux-trunk# python ./vol.py -f /dev/pmem  linux_pslist

Volatile Systems Volatility Framework 2.2_alpha

No suitable address space mapping found

Tried to open image as:

LimeAddressSpace: lime: need base

ArmAddressSpace: No base Address Space

WindowsHiberFileSpace32: No base Address Space

WindowsCrashDumpSpace64: No base Address Space

WindowsCrashDumpSpace32: No base Address Space

AMD64PagedMemory: No base Address Space

JKIA32PagedMemory: No base Address Space

JKIA32PagedMemoryPae: No base Address Space

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

LimeAddressSpace: Invalid Lime header signature

ArmAddressSpace: No valid DTB found

WindowsHiberFileSpace32: No xpress signature found

WindowsCrashDumpSpace64: Header signature invalid

WindowsCrashDumpSpace32: Header signature invalid

AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected

JKIA32PagedMemory: No valid DTB found

JKIA32PagedMemoryPae: No valid DTB found

IA32PagedMemoryPae: Module disabled

IA32PagedMemory: Module disabled

FileAddressSpace: Must be first Address Space

 

Thoughts?

               John

 

 

 

 

From: Joe Sylve [mailto:joe.sylve@gmail.com]
Sent: Friday, August 10, 2012 3:10 PM
To: McCash John-GKJN37
Cc: Jamie Levy; vol-dev@volatilityfoundation.org


Subject: Re: [Vol-dev] RE: Problem with Linux Volatility

 

Hey John,

 

Sorry for the delayed response.  I'm just getting back from DFRWS.

 

The linux-trunk version works fine.  Just remember there are different commands associated with Linux images than there are for windows.  Do something like python vol.py --info and it'll give you a list of available profiles (generated from the zip you put in the overlays folder).

 

then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h

 

This will list commands you can run on the images.  They'll be like linux_pslist instead of pslist for example.

 

Hope this helps.


--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/

 

 

On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:

Jamie,
        I can't get the linux-trunk branch to work with a LiME dump or /dev/pmem either. It also looks somewhat different. There, I'm not even sure how to specify the profile file, and rather than Linux32 or Linux64 profiles, the only one that seems to be defined is AbstractLinuxProfile. I even tried dropping in my zipped profile file to replace the existing Debian2632.zip, but that didn't help either. Maybe I'm just not cut out for using prerelease software and should sit back and wait for the 2.2 release candidate.
                Thanks
                        John


-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev@volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility

Have you tried using the "linux-trunk" branch instead of scudette's branch?  I think the wiki might need to be updated as well.

(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
 linux-trunk)



On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37 <john.mccash@motorolasolutions.com> wrote:
> Response anyone? I can't believe this would really be this broken, so

> I have to be doing something wrong (or maybe not... see below). I first

> tried this with r2149, and have checked a couple of the more recent
> updates, I but get the same result. Are the wiki instructions I'm following maybe out-of-date?
>
>
>
>
>
> Looking further, I tried this with -dubug, and got:
>
>
>
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
>
>>
>> /home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
>> /plugins/addrspaces/mmap_address_space.py(67)__init__()
>
> -> access=mmap.ACCESS_READ)
>
>
>
> Then looked at line 67 in mmap_address_space.py, and see:
>
>
>
> # On 64 bit architectures we can just map the entire image
>
> # into our process. TODO(scudette): Try to make this work on
>
> # 32 bit systems by segmenting into several smallish maps.
>
> self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
>
>                      access=mmap.ACCESS_READ)
>
>
>
> So, assuming the above TODO comment related to the issue I'm seeing;
> Is it because I'm running volatility on a 32bit system, or because I'm
> trying to analyze a dump from a 32bit system?
>
>                               Thanks
>
>                                              John
>
>
>
> From: McCash John-GKJN37
> Sent: Tuesday, August 07, 2012 2:12 PM
> To: 'vol-dev@volatilityfoundation.org'
> Subject: Problem with Linux Volatility
>
>
>
> Hi Folks,
>
>                Sorry you only seem to hear from me about once a year,
> but I got fired up over Joe's & Andrew's Forensic Summit presentations
> and resolved to try out the new stuff in the Linux & Mac branches.
> Unfortunately I don't seem to have gotten very far with it. I've got
> the scudette branch installed on a SIFT Kit VM, and have successfully
> used LiME to dump memory from it. I've also successfully created a
> profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
> successfully dumped from module_dwarf.ko. I even tried the  live
> /dev/pmem  memory interface you get when you load up the pmem.ko

> module. When I attempt to run Volatility , here's what happens...

>
>
>
>
>
> root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
> vol.py
>
>
>
> The Volatility Memory Forensic Framework technology preview (3.0_tp1).
>
>
>
> NOTE: This is pre-release software and is provided for evauation only.
> Please
>
> check at http://volatility.googlecode.com/ for officially supported
> versions.
>
>
>
> This program is free software; you can redistribute it and/or modify
> it under
>
> the terms of the GNU General Public License.
>
>
>
>>>> session.filename = "/dev/pmem"
>
>>>> session.profile_file = "myprofile.zip"
>
>>>> session.profile = "Linux32"
>
>>>> vol (plugins.pslist)
>
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
>
> ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
>
> ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
>
> ERROR:root:Error: 'NoneType' object has no attribute 'name'
>
> Traceback (most recent call last):
>
>   File "<console>", line 1, in <module>
>
>   File
> "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
> /session.py",
> line 292, in vol
>
>     self.last = super(InteractiveSession, self).vol(*args, **kwargs)
>
>   File
> "/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
> /session.py",
> line 154, in vol
>
>     ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
>
> AttributeError: 'NoneType' object has no attribute 'name'
>
>>>>
>
>
>
> Am I doing something brain-damaged?
>
>                               Thanks
>
>                                              John
>
>
>
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>



--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92





_______________________________________________
Vol-dev mailing list
Vol-dev@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev

 


_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev