I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
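The line `LimeAddressSpace: Invalid Lime header signature` in the output above means the LiME loader did not find the LiME magic at offset 0 of the file, so a quick independent check of the image's headers tells you whether the dump or the profile is the problem. The parser below is an added example, not code from this thread or from LiME/Volatility; it uses the range-header layout from LiME's lime.h, walks every range, fails on the same condition, and maps a physical address to a file offset the way the address space does. The sample image is constructed inline.

```python
import struct

# LiME range header (lime.h): magic, version, start paddr, end paddr, 8 reserved bytes.
# 32 bytes, little-endian; the magic 0x4C694D45 appears on disk as the bytes b"EMiL".
LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
LIME_HDR = struct.Struct("<IIQQ8s")

def build_range(s_addr, payload):
    """Constructed sample data: wrap payload in a LiME range header (not a real dump)."""
    e_addr = s_addr + len(payload) - 1
    return LIME_HDR.pack(LIME_MAGIC, LIME_VERSION, s_addr, e_addr, b"\0" * 8) + payload

def parse_lime(data):
    """Walk every range in a LiME image and return [(s_addr, e_addr, file_offset_of_data)].
    Raises ValueError on the conditions that make a LiME loader reject the file."""
    ranges = []
    off = 0
    while off < len(data):
        if len(data) - off < LIME_HDR.size:
            raise ValueError("truncated range header at file offset 0x%x" % off)
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(data, off)
        if magic != LIME_MAGIC:
            # The case behind "LimeAddressSpace: Invalid Lime header signature":
            # the data at this offset does not start with a LiME header.
            raise ValueError("Invalid Lime header signature at 0x%x: 0x%08x" % (off, magic))
        if version != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % version)
        if e_addr < s_addr:
            raise ValueError("range end 0x%x below start 0x%x" % (e_addr, s_addr))
        size = e_addr - s_addr + 1
        off += LIME_HDR.size
        if off + size > len(data):
            raise ValueError("range 0x%x-0x%x runs past end of file" % (s_addr, e_addr))
        ranges.append((s_addr, e_addr, off))
        off += size
    return ranges

def paddr_to_offset(ranges, paddr):
    """Translate a physical address to a file offset, as the LiME address space does;
    None for addresses in a hole between ranges (MMIO, reserved regions)."""
    for s_addr, e_addr, off in ranges:
        if s_addr <= paddr <= e_addr:
            return off + (paddr - s_addr)
    return None

# Constructed two-range image: 256 bytes at 0x1000 and 64 bytes at 0x100000, with a hole between.
SAMPLE = build_range(0x1000, bytes(bytearray(range(256)))) + build_range(0x100000, b"\xAA" * 64)

if __name__ == "__main__":
    for s, e, off in parse_lime(SAMPLE):
        print("range 0x%x-0x%x at file offset %d" % (s, e, off))
    print(paddr_to_offset(parse_lime(SAMPLE), 0x1010))
```

Running `parse_lime` over the first few kilobytes of a real dump (opened in binary mode) is enough to tell a LiME image from a raw or padded one.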
Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan"
And I have new errors (I use vol.py 2.3.1, the non-installable version of Volatility 2.3.1).
Do you know if anybody has had a similar problem with the ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
On 14/11/2013, at 12:45, Jamie Levy <jamie.levy(a)gmail.com> wrote:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilesystems.com>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry, I had a typo; I didn't write --profile=Win7SP1x64
>
>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error as ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> On 14/11/2013, at 09:36, David <eterno.comandante(a)gmail.com> wrote:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I get the same errors when I'm executing: :(
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error is that the new plugin "ethscan" isn't compatible with the non-installable version of Volatility 2.3.1; what do you think?
>>
>> On the other hand, i found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different... :(
>>
>> It does not use the flag --plugin=
>>
>> Thanks for all!!
>>
>> PS: My apologies for my level of English
>>
>>
>> On 13/11/2013, at 16:43, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>
>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help with adding/using new plugins in Volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
>>>
>>> The plugin that I want to add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilesystems.com
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
Hey Gang
I'm a total noob with eForensics so I'm on the learning curve. I can get Volatility to work on Windows memory images but not with Mac memory images. I've downloaded the Mac profiles, unzipped them and moved the files to the location indicated in the article, but when I run the info command the profiles aren't listed. Is there another step in the enable process?
TIA
Marty
Sent from my iPad
Type at the prompt:
sudo make clean
and try again
Try:
sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
First: --plugins takes in either a directory or a zipfile, not a plugin
Second: You didn't specify which plugin to run (ethscan)
Hello All,
I'm new to Volatility.
Say I found the string "password=hello world" somewhere in the memory, is
there anyway for me to know which process that memory block is currently
allocated to?
--
matt
Hello list,
Please, I need some help with adding/using new plugins in Volatility 2.3.1.
Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
The plugin that I want to add/use is:
https://code.google.com/p/jamaal-re-tools/source/checkout
Thanks for your support!!
Hi,
I am using winpmem 1.3.1 for imaging in Volatility, but whenever I try to use any feature of winpmem it gives the
error: "Cannot open SCM? Are you administrator"
Whereas I don't have any administrative passwords... So how can I solve this issue...???
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
As we previously sent to the list, the Volatility team will be holding
training sessions in San Diego in January and London in June:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We have now also finalized plans for a training in NYC in May:
http://volatility-labs.blogspot.com/2013/10/2014-malware-and-memory-forensi…
These will be the only public trainings through August of next year,
and we have already received substantial interest in each one. If you
plan to attend do not wait until the last minute to contact us as for
our last several trainings we have had to turn away people once the
classroom fills. If your company is interested in a private training
or hosting a public training in exchange for a few free seats then
please let us know ASAP as these opportunities for 2014 will likely be
taken by other companies over the next month or two.
Finally, the Volatility team would like to thank everyone who came out
to OMFW and to those of you who attended our OSDFC talk and showed
support for the project. Over the next couple weeks we will be sending
out slides and updates from OMFW, and please reach out to us if you
have questions for any of the speakers that you did not get to ask in
person.
Thanks,
Andrew (@attrc)