11:47 a.m.
Response anyone? I can't believe this would really be this broken, so I have to be
doing something wrong (or maybe not... see below). I first tried this with r2149, and have
checked a couple of the more recent updates, I but get the same result. Are the
wiki<http://code.google.com/p/volatility/wiki/LinuxMemoryForensics> instructions
I'm following maybe out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing; Is it because
I'm running volatility on a 32bit system, or because I'm trying to analyze a dump
from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year, but I got fired up
over Joe's & Andrew's Forensic Summit presentations and resolved to try out
the new stuff in the Linux & Mac branches. Unfortunately I don't seem to have
gotten very far with it. I've got the scudette branch installed on a SIFT Kit VM, and
have successfully used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I successfully dumped
from module_dwarf.ko. I even tried the live /dev/pmem memory interface you get when you
load up the pmem.ko module. When I attempt to run Volatility , here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only. Please
check at http://volatility.googlecode.com/ for officially supported versions.
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
11:58 a.m.
New subject: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's
branch? I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37
<john.mccash(a)motorolasolutions.com> wrote:
Response anyone? I can’t believe this would really be
this broken, so I have
to be doing something wrong (or maybe not… see below). I first tried this
with r2149, and have checked a couple of the more recent updates, I but get
the same result. Are the wiki instructions I’m following maybe out-of-date?
Looking further, I tried this with –dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I’m seeing; Is it
because I’m running volatility on a 32bit system, or because I’m trying to
analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year, but I
got fired up over Joe’s & Andrew’s Forensic Summit presentations and
resolved to try out the new stuff in the Linux & Mac branches. Unfortunately
I don’t seem to have gotten very far with it. I’ve got the scudette branch
installed on a SIFT Kit VM, and have successfully used LiME to dump memory
from it. I’ve also successfully created a profile for the SIFT Kit’s
2.6.31-23-generic kernel, using json I successfully dumped from
module_dwarf.ko. I even tried the live /dev/pmem memory interface you get
when you load up the pmem.ko module. When I attempt to run Volatility ,
here’s what happens…
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify it
under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:01 p.m.
New subject: Problem with Linux Volatility
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or /dev/pmem either. It
also looks somewhat different. There, I'm not even sure how to specify the profile
file, and rather than Linux32 or Linux64 profiles, the only one that seems to be defined
is AbstractLinuxProfile. I even tried dropping in my zipped profile file to replace the
existing Debian2632.zip, but that didn't help either. Maybe I'm just not cut out
for using prerelease software and should sit back and wait for the 2.2 release candidate.
Thanks
John
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev(a)volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's branch?
I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37
<john.mccash(a)motorolasolutions.com> wrote:
Response anyone? I can't believe this would really
be this broken, so
I have to be doing something wrong (or maybe not... see below). I first
tried this with r2149, and have checked a couple of the more recent
updates, I but get the same result. Are the wiki instructions I'm following maybe
out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing;
Is it because I'm running volatility on a 32bit system, or because I'm
trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year,
but I got fired up over Joe's & Andrew's Forensic Summit presentations
and resolved to try out the new stuff in the Linux & Mac branches.
Unfortunately I don't seem to have gotten very far with it. I've got
the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
successfully dumped from module_dwarf.ko. I even tried the live
/dev/pmem memory interface you get when you load up the pmem.ko
module. When I attempt to run Volatility , here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify
it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:10 p.m.
New subject: Problem with Linux Volatility
Hey John,
Sorry for the delayed response. I'm just getting back from DFRWS.
The linux-trunk version works fine. Just remember there are different
commands associated with Linux images than there are for windows. Do
something like python vol.py --info and it'll give you a list of available
profiles (generated from the zip you put in the overlays folder).
then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h
This will list commands you can run on the images. They'll be like
linux_pslist instead of pslist for example.
Hope this helps.
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/
On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37 <
john.mccash(a)motorolasolutions.com> wrote:
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or
/dev/pmem either. It also looks somewhat different. There, I'm not even
sure how to specify the profile file, and rather than Linux32 or Linux64
profiles, the only one that seems to be defined is AbstractLinuxProfile. I
even tried dropping in my zipped profile file to replace the existing
Debian2632.zip, but that didn't help either. Maybe I'm just not cut out for
using prerelease software and should sit back and wait for the 2.2 release
candidate.
Thanks
John
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev(a)volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's
branch? I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37 <
john.mccash(a)motorolasolutions.com> wrote:
Response anyone? I can't believe this would
really be this broken, so
I have to be doing something wrong (or maybe not... see below). I first
tried this with r2149, and have checked a couple of the more recent
updates, I but get the same result. Are the wiki instructions I'm
following
maybe out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
specified.
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing;
Is it because I'm running volatility on a 32bit system, or because I'm
trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year,
but I got fired up over Joe's & Andrew's Forensic Summit presentations
and resolved to try out the new stuff in the Linux & Mac branches.
Unfortunately I don't seem to have gotten very far with it. I've got
the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
successfully dumped from module_dwarf.ko. I even tried the live
/dev/pmem memory interface you get when you load up the pmem.ko
module. When I attempt to run Volatility , here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify
it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:26 p.m.
New subject: Problem with Linux Volatility
Joe,
How did I manage to miss the -info option? <face-slap> In any case, I
just tried that (with the only linux profile listed by -info, Linuxold_Debian2632x86) ,
and it gives me:
root@SIFT-Workstation:~/Desktop/linux_Volatility/linux-trunk# python ./vol.py -f /dev/pmem
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
ArmAddressSpace: No base Address Space
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
ArmAddressSpace: No valid DTB found
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thoughts?
John
From: Joe Sylve [mailto:joe.sylve@gmail.com]
Sent: Friday, August 10, 2012 3:10 PM
To: McCash John-GKJN37
Cc: Jamie Levy; vol-dev(a)volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Hey John,
Sorry for the delayed response. I'm just getting back from DFRWS.
The linux-trunk version works fine. Just remember there are different commands associated
with Linux images than there are for windows. Do something like python vol.py --info and
it'll give you a list of available profiles (generated from the zip you put in the
overlays folder).
then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h
This will list commands you can run on the images. They'll be like linux_pslist
instead of pslist for example.
Hope this helps.
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/
On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37
<john.mccash@motorolasolutions.com<mailto:john.mccash@motorolasolutions.com>>
wrote:
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or /dev/pmem
either. It also looks somewhat different. There, I'm not even sure how to specify the
profile file, and rather than Linux32 or Linux64 profiles, the only one that seems to be
defined is AbstractLinuxProfile. I even tried dropping in my zipped profile file to
replace the existing Debian2632.zip, but that didn't help either. Maybe I'm just
not cut out for using prerelease software and should sit back and wait for the 2.2 release
candidate.
Thanks
John
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com<mailto:jamie.levy@gmail.com>]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev@volatilityfoundation.org<mailto:vol-dev@volatilityfoundation.org>
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's branch?
I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37
<john.mccash@motorolasolutions.com<mailto:john.mccash@motorolasolutions.com>>
wrote:
Response anyone? I can't believe this would really
be this broken, so
I have to be doing something wrong (or maybe not... see below). I first
tried this with r2149, and have checked a couple of the more recent
updates, I but get the same result. Are the wiki instructions I'm following maybe
out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org<mailto:Vol-dev@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing;
Is it because I'm running volatility on a 32bit system, or because I'm
trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To:
'vol-dev@volatilityfoundation.org<mailto:vol-dev@volatilityfoundation.org>'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year,
but I got fired up over Joe's & Andrew's Forensic Summit presentations
and resolved to try out the new stuff in the Linux & Mac branches.
Unfortunately I don't seem to have gotten very far with it. I've got
the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
successfully dumped from module_dwarf.ko. I even tried the live
/dev/pmem memory interface you get when you load up the pmem.ko
module. When I attempt to run Volatility , here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify
it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name<http://result.name>, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org<mailto:Vol-dev@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:32 p.m.
New subject: Problem with Linux Volatility
The debian one is a just a sample profile for a specific version of debian.
To make one for the image you are analyzing, you will need to be able to
compile a kernel module against it (which most distros provided the
packages for).
I am integrating a new way of handling the profiles into linux-trunk this
weekend/early next week and after that I will write up instructions on how
to use it, so if you can wait a few more days then you will be using the
latest code :)
On Fri, Aug 10, 2012 at 3:26 PM, McCash John-GKJN37 <
john.mccash(a)motorolasolutions.com> wrote:
Joe,****
How did I manage to miss the –info option? <face-slap> In
any case, I just tried that (with the only linux profile listed by –info,
Linuxold_Debian2632x86) , and it gives me:****
** **
root@SIFT-Workstation:~/Desktop/linux_Volatility/linux-trunk# python
./vol.py -f /dev/pmem linux_pslist****
Volatile Systems Volatility Framework 2.2_alpha****
No suitable address space mapping found****
Tried to open image as:****
LimeAddressSpace: lime: need base****
ArmAddressSpace: No base Address Space****
WindowsHiberFileSpace32: No base Address Space****
WindowsCrashDumpSpace64: No base Address Space****
WindowsCrashDumpSpace32: No base Address Space****
AMD64PagedMemory: No base Address Space****
JKIA32PagedMemory: No base Address Space****
JKIA32PagedMemoryPae: No base Address Space****
IA32PagedMemoryPae: Module disabled****
IA32PagedMemory: Module disabled****
LimeAddressSpace: Invalid Lime header signature****
ArmAddressSpace: No valid DTB found****
WindowsHiberFileSpace32: No xpress signature found****
WindowsCrashDumpSpace64: Header signature invalid****
WindowsCrashDumpSpace32: Header signature invalid****
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected****
JKIA32PagedMemory: No valid DTB found****
JKIA32PagedMemoryPae: No valid DTB found****
IA32PagedMemoryPae: Module disabled****
IA32PagedMemory: Module disabled****
FileAddressSpace: Must be first Address Space****
** **
Thoughts?****
John****
** **
** **
** **
** **
*From:* Joe Sylve [mailto:joe.sylve@gmail.com]
*Sent:* Friday, August 10, 2012 3:10 PM
*To:* McCash John-GKJN37
*Cc:* Jamie Levy; vol-dev(a)volatilityfoundation.org
*Subject:* Re: [Vol-dev] RE: Problem with Linux Volatility****
** **
Hey John,****
** **
Sorry for the delayed response. I'm just getting back from DFRWS.****
** **
The linux-trunk version works fine. Just remember there are different
commands associated with Linux images than there are for windows. Do
something like python vol.py --info and it'll give you a list of available
profiles (generated from the zip you put in the overlays folder).****
** **
then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h****
** **
This will list commands you can run on the images. They'll be like
linux_pslist instead of pslist for example.****
** **
Hope this helps.****
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/****
** **
** **
On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37 <
john.mccash(a)motorolasolutions.com> wrote:****
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or
/dev/pmem either. It also looks somewhat different. There, I'm not even
sure how to specify the profile file, and rather than Linux32 or Linux64
profiles, the only one that seems to be defined is AbstractLinuxProfile. I
even tried dropping in my zipped profile file to replace the existing
Debian2632.zip, but that didn't help either. Maybe I'm just not cut out for
using prerelease software and should sit back and wait for the 2.2 release
candidate.
Thanks
John****
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev(a)volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's
branch? I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37 <
john.mccash(a)motorolasolutions.com> wrote:
Response anyone? I can't believe this would
really be this broken, so***
*
I have to be doing something wrong (or maybe
not... see below). I first*
***
tried this with r2149, and have checked a couple
of the more recent
updates, I but get the same result. Are the wiki instructions I'm
following
maybe out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing;
Is it because I'm running volatility on a 32bit system, or because I'm
trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To: 'vol-dev(a)volatilityfoundation.org'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year,
but I got fired up over Joe's & Andrew's Forensic Summit presentations
and resolved to try out the new stuff in the Linux & Mac branches.
Unfortunately I don't seem to have gotten very far with it. I've got
the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
successfully dumped from module_dwarf.ko. I even tried the live
/dev/pmem memory interface you get when you load up the pmem.ko**** module. When I attempt to run Volatility ,
here's what happens...****
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify
it under
the terms of the GNU General Public License.
specified.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev****
** **
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
5:04 p.m.
New subject: Problem with Linux Volatility
Andrew,
Thanks much. I guess I'll wait. I did make a credible effort by
actually replacing the Debian2632.zip in the volatility/plugins/overlays/linux folder with
a zip file containing System.map-2.6.31-23-generic and module.json, which I extracted
using dwarfparser.py from scudette's branch. I see that the linux-trunk doesn't
use .json in the profile, so I tried recreating the zip file using the instructions from
the linux-trunk tools/linux/README.txt file, and replaced it with that, no difference.
Volatility is awesome. Keep up the good work.
John
From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Friday, August 10, 2012 3:33 PM
To: McCash John-GKJN37
Cc: Joe Sylve; vol-dev(a)volatilityfoundation.org
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
The debian one is a just a sample profile for a specific version of debian. To make one
for the image you are analyzing, you will need to be able to compile a kernel module
against it (which most distros provided the packages for).
I am integrating a new way of handling the profiles into linux-trunk this weekend/early
next week and after that I will write up instructions on how to use it, so if you can wait
a few more days then you will be using the latest code :)
On Fri, Aug 10, 2012 at 3:26 PM, McCash John-GKJN37
<john.mccash@motorolasolutions.com<mailto:john.mccash@motorolasolutions.com>>
wrote:
Joe,
How did I manage to miss the -info option? <face-slap> In any case, I
just tried that (with the only linux profile listed by -info, Linuxold_Debian2632x86) ,
and it gives me:
root@SIFT-Workstation:~/Desktop/linux_Volatility/linux-trunk# python ./vol.py -f /dev/pmem
linux_pslist
Volatile Systems Volatility Framework 2.2_alpha
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
ArmAddressSpace: No base Address Space
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
ArmAddressSpace: No valid DTB found
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thoughts?
John
From: Joe Sylve [mailto:joe.sylve@gmail.com<mailto:joe.sylve@gmail.com>]
Sent: Friday, August 10, 2012 3:10 PM
To: McCash John-GKJN37
Cc: Jamie Levy;
vol-dev@volatilityfoundation.org<mailto:vol-dev@volatilesystems.com>
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Hey John,
Sorry for the delayed response. I'm just getting back from DFRWS.
The linux-trunk version works fine. Just remember there are different commands associated
with Linux images than there are for windows. Do something like python vol.py --info and
it'll give you a list of available profiles (generated from the zip you put in the
overlays folder).
then do: python vol.py --profile=Linuxwhatever -f ../file.lime -h
This will list commands you can run on the images. They'll be like linux_pslist
instead of pslist for example.
Hope this helps.
--
Joe Sylve, M.S.
Senior Security Researcher
GIAC Certified Forensics Analyst (GCFA)
Digital Forensics Solutions, LLC
http://www.digitalforensicssolutions.com/
On Fri, Aug 10, 2012 at 3:01 PM, McCash John-GKJN37
<john.mccash@motorolasolutions.com<mailto:john.mccash@motorolasolutions.com>>
wrote:
Jamie,
I can't get the linux-trunk branch to work with a LiME dump or /dev/pmem
either. It also looks somewhat different. There, I'm not even sure how to specify the
profile file, and rather than Linux32 or Linux64 profiles, the only one that seems to be
defined is AbstractLinuxProfile. I even tried dropping in my zipped profile file to
replace the existing Debian2632.zip, but that didn't help either. Maybe I'm just
not cut out for using prerelease software and should sit back and wait for the 2.2 release
candidate.
Thanks
John
-----Original Message-----
From: Jamie Levy [mailto:jamie.levy@gmail.com<mailto:jamie.levy@gmail.com>]
Sent: Friday, August 10, 2012 10:58 AM
To: McCash John-GKJN37
Cc: vol-dev@volatilityfoundation.org<mailto:vol-dev@volatilityfoundation.org>
Subject: Re: [Vol-dev] RE: Problem with Linux Volatility
Have you tried using the "linux-trunk" branch instead of scudette's branch?
I think the wiki might need to be updated as well.
(svn checkout https://volatility.googlecode.com/svn/branches/linux-trunk
linux-trunk)
On Fri, Aug 10, 2012 at 11:47 AM, McCash John-GKJN37
<john.mccash@motorolasolutions.com<mailto:john.mccash@motorolasolutions.com>>
wrote:
Response anyone? I can't believe this would really
be this broken, so
I have to be doing something wrong (or maybe not... see below). I first
tried this with r2149, and have checked a couple of the more recent
updates, I but get the same result. Are the wiki instructions I'm following maybe
out-of-date?
Looking further, I tried this with -dubug, and got:
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org<mailto:Vol-dev@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org<mailto:Vol-dev@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/plugins/addrspaces/mmap_address_space.py(67)__init__()
-> access=mmap.ACCESS_READ)
Then looked at line 67 in mmap_address_space.py, and see:
# On 64 bit architectures we can just map the entire image
# into our process. TODO(scudette): Try to make this work on
# 32 bit systems by segmenting into several smallish maps.
self.map = mmap.mmap(self.fhandle.fileno(), self.fsize,
access=mmap.ACCESS_READ)
So, assuming the above TODO comment related to the issue I'm seeing;
Is it because I'm running volatility on a 32bit system, or because I'm
trying to analyze a dump from a 32bit system?
Thanks
John
From: McCash John-GKJN37
Sent: Tuesday, August 07, 2012 2:12 PM
To:
'vol-dev@volatilityfoundation.org<mailto:vol-dev@volatilityfoundation.org>'
Subject: Problem with Linux Volatility
Hi Folks,
Sorry you only seem to hear from me about once a year,
but I got fired up over Joe's & Andrew's Forensic Summit presentations
and resolved to try out the new stuff in the Linux & Mac branches.
Unfortunately I don't seem to have gotten very far with it. I've got
the scudette branch installed on a SIFT Kit VM, and have successfully
used LiME to dump memory from it. I've also successfully created a
profile for the SIFT Kit's 2.6.31-23-generic kernel, using json I
successfully dumped from module_dwarf.ko. I even tried the live
/dev/pmem memory interface you get when you load up the pmem.ko
module. When I attempt to run Volatility , here's what happens...
root@SIFT-Workstation:~/Desktop/linux_Volatility/lin64-support# python
vol.py
The Volatility Memory Forensic Framework technology preview (3.0_tp1).
NOTE: This is pre-release software and is provided for evauation only.
Please
check at http://volatility.googlecode.com/ for officially supported
versions.
This program is free software; you can redistribute it and/or modify
it under
the terms of the GNU General Public License.
>> session.filename = "/dev/pmem"
>> session.profile_file =
"myprofile.zip"
>> session.profile = "Linux32"
>> vol (plugins.pslist)
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Fatal Error: cannot fit 'long' into an index-sized integer
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
ERROR:root:Error: 'NoneType' object has no attribute 'name'
Traceback (most recent call last):
File "<console>", line 1, in <module>
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 292, in vol
self.last = super(InteractiveSession, self).vol(*args, **kwargs)
File
"/home/sansforensics/Desktop/linux_Volatility/lin64-support/volatility
/session.py",
line 154, in vol
ui_renderer.start(plugin_name=result.name<http://result.name>, kwargs=kwargs)
AttributeError: 'NoneType' object has no attribute 'name'
>>
Am I doing something brain-damaged?
Thanks
John
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org<mailto:Vol-dev@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:58 p.m.
New subject: Problem with Linux Volatility
Hi John,
So the instructions for making a Linux profile using the current
linux-trunk branch are as follows:
* Firstly, either get a copy of the kernel with debugging symbols, or
compile module.c from the tools/linux directory (a makefile is provided).
* Once you have the compiled vmlinuz or module.ko file, create a dwarf
output file as follows with "dwarfdump -di vmlinux > output.dwarf" or
"dwarfdump -di module.ko > output.dwarf" (the module version will be a
lot smaller, but still contains all the necessary debugging information
for volatility).
* You'll also need the System.map for the kernel you're working with.
Create a zipfile with the module.dwarf and the System.map file in the
top level, and name that something like Distro.zip.
* Place Distro.zip in a volatility plugin directory, and run vol.py
--info again to ensure it's picked up.
These instructions are also available at [1]. Do please ask again if
you have any problems with the linux-trunk branch, or the main trunk
once the branch has been merged into trunk (which should be soon)...
Mike 5:)
[1]
http://code.google.com/p/volatility/source/browse/branches/linux-trunk/tool…
4432
days inactive
4432
days old
vol-dev@lists.volatilityfoundation.org
7 comments
5 participants
participants (5)
-
Andrew Case -
Jamie Levy -
Joe Sylve -
McCash John-GKJN37 -
Mike Auty