A review of the Linux-capable version of Volatility doesn't seem to
indicate any option for performing a keyword search of captured memory.
Is this correct?
Also, I don't recall seeing an option in pmem.ko for capturing
virtual/shared memory versus physical memory. Am I missing
something?
Thanks.
Scott
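
Scott's first question is whether Volatility offers a keyword search of the captured image. Independent of any Volatility plugin, a raw image can be scanned directly. The script below is an added example (not Volatility code and not from any post in this thread): it reports every occurrence of one or more keywords with its absolute byte offset, reading the image in chunks and carrying an overlap between reads so a keyword that straddles a chunk boundary is still found. The sample image it searches is constructed inline, and the planted strings, offsets and chunk sizes are illustrative only.

```python
"""Keyword search over a raw memory image with absolute byte offsets.

Added example, not Volatility code and not from the original thread.
The image is read in fixed-size chunks; the last (longest keyword - 1)
bytes of each read are carried into the next one, so a keyword that
straddles a chunk boundary is reported exactly once.  Keywords may be
str (UTF-8 encoded) or bytes, so a UTF-16LE form such as
"vol.py".encode("utf-16-le") can be searched alongside the plain one.
"""
import os
import re
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB per read when scanning a real image


def keyword_offsets(path, keywords, context=16, chunk_size=CHUNK_SIZE):
    """Return [(keyword_bytes, absolute_offset, surrounding_bytes), ...]."""
    kws = [k.encode() if isinstance(k, str) else k for k in keywords]
    # Longest alternative first so the longest keyword wins at a given offset.
    pattern = re.compile(b"|".join(
        re.escape(k) for k in sorted(kws, key=len, reverse=True)))
    overlap = max(len(k) for k in kws) - 1
    hits = []
    with open(path, "rb") as f:
        buf = b""   # unconsumed tail carried over from the previous read
        base = 0    # absolute file offset of buf[0]
        eof = False
        while not eof:
            chunk = f.read(chunk_size)
            eof = not chunk
            buf += chunk
            # A keyword starting in the last `overlap` bytes may extend past
            # the end of buf (or a longer keyword may begin there), so those
            # positions are re-examined after the next read; at EOF every
            # remaining position is final.
            limit = len(buf) if eof else max(len(buf) - overlap, 0)
            for m in pattern.finditer(buf):
                if m.start() >= limit:
                    break
                lo = max(m.start() - context, 0)
                hi = min(m.end() + context, len(buf))
                hits.append((m.group(0), base + m.start(), buf[lo:hi]))
            base += limit
            buf = buf[limit:]
    return hits


def build_sample_image(path, chunk_size):
    """Write a constructed sample image: zero filler with strings planted at
    known offsets, one of them deliberately straddling a chunk boundary."""
    image = bytearray(chunk_size * 3)
    planted = {
        b"root:x:0:0": 10,                 # inside the first chunk
        b"sshd_config": chunk_size - 4,    # crosses the first boundary
        b"vol.py": 2 * chunk_size + 5,     # in the last chunk
    }
    for word, pos in planted.items():
        image[pos:pos + len(word)] = word
    with open(path, "wb") as f:
        f.write(image)
    return planted


def demo(chunk_size=64):
    """Build the sample image in a temp dir, search it, return {(keyword, offset)}."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.img")
        build_sample_image(path, chunk_size)
        hits = keyword_offsets(path, ["root:x:0:0", "sshd_config", "vol.py"],
                               chunk_size=chunk_size)
        return {(kw, off) for kw, off, _ in hits}


if __name__ == "__main__":
    for kw, off in sorted(demo(), key=lambda h: h[1]):
        print(f"{off:#010x}  {kw.decode()}")
```

On a real capture, call keyword_offsets("/path/to/memory.img", [...]) directly; the offsets it returns are byte offsets into the image file, which is what a hex viewer needs to jump to the surrounding bytes. The small chunk size in demo() exists only to exercise the boundary handling on a tiny constructed image.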
Through some more research and several email responses, I discovered
the following:
I needed to create a profile and compile the volatility-2.2/tools/linux modules:
http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
but first, using the Ubuntu that I had, I needed to fix a known bug:
http://code.google.com/p/volatility/issues/detail?id=351
Once that compiled and I followed the rest of the steps for a
Linux-specific profile, magical results with no limitations.
Thanks to all.
Scott
My final assignment for a digital forensics class has me exploring the
capabilities of Volatility for memory review of a Linux system.
I have since learned about lime (Linux Memory Extractor) and about
Volatility's own kernel module, pmem.ko, which appears to provide
faster memory capture than lime.
The assignment initially had us visiting the volatilityfoundation.org web page,
which only had versions through 2.1. Additional searching revealed
active work on code.google.com, which also says Linux support is part
of 2.2.
So, I obtained version 2.2, and am getting very mixed results.
I am using an out-of-box version of Ubuntu 10.04 32-bit with some
updates to bring python up-to-date in a VMware Player 4.0.4 VM.
In my trials thus far, I can get some results from: python ./vol.py
connscan -f /path/to/memory.img
I've pretty much gone through many of the options provided by python
./vol.py -h and usually end up with the error:
"No suitable address space mapping found
Tried to open image as:"
Various Google searches, and reading the Volatility page, really
seem to indicate the code is still very Windows-oriented.
Am I missing something? I'd like to get some decent results, if possible.
I also tried an svn update, but that most recent version yielded an
immediate python error on vol.py.
Thanks for any insights.
Scott
Hi, I am currently using Volatility to retrieve TrueCrypt keys stored in
memory by accessing a RAM dump. Can you please help me out on how to map
the exact location of keys using Volatility? I am able to list the
processes running while the image was taken, and henceforth I am not able to
narrow down my search criteria. Please help me out.
Thank you
Thilaknath
Hello,
We are writing to announce the public offering of our Windows Memory
Forensics for Analysts training course. This course is taught directly by
Volatility developers, and will provide intense training in memory
forensics for incident response, malware analysis, and digital forensic
investigation. Full details can be found here:
http://volatility-labs.blogspot.com/2012/11/windows-memory-forensics-traini…
Please write or comment on the post if you have any questions or comments.
Thanks,
Andrew (@attrc)