I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
This is the 2nd of 3 videos that we showed at Black Hat Arsenal this year:
http://volatility-labs.blogspot.com.au/2014/08/volatility-24-at-blackhat-ar…
This video takes you through using Volatility to automatically find,
extract, and analyze a rootkit with both kernel and userland components.
--
Thanks,
Andrew (@attrc)
We (the Volatility team) recently released Volatility 2.4 at Black Hat
Arsenal in Vegas. To drive the demonstrations, MHL made 3 videos showing
off interesting features of the framework. The first of these, Tracking
Mac OS X User Activity, is now publicly available:
http://volatility-labs.blogspot.com/2014/08/volatility-24-at-blackhat-arsen…
We will be releasing the rest over the next several weeks. Please send
us any feedback you may have on the videos, and we hope you enjoy the
new features of 2.4!
--
Thanks,
Andrew (@attrc)
The "imagecopy" plugin in Volatility 2.4 does not decompress hiberfil.sys
files from Windows 8 machines, at least in the tests that I have tried. In
most cases, I'm getting identical files out, which means that the
hiberfil.sys wasn't translated into a native physical address space, which
suggests it's not supported? I have also tried using the Moonsols Windows
Memory Toolkit which claims to support Windows 8, but that software seems
to fail as well.
Has anybody had any luck with uncompressing a Windows 8 hiberfil.sys file?
Is there any other tool I can use to accomplish this?
TIA
The 2.4 edition of our popular Volatility cheat sheet is released! It
features an updated Windows page, all new Linux and Mac OS X pages, and
an extremely handy RTFM-style insert for Windows memory forensics.
http://volatility-labs.blogspot.com/2014/08/new-volatility-24-cheet-sheet-w…
Please let us know if you have any questions with the new plugins, and
we hope that you are putting 2.4 to good use ;)
--
Thanks,
Andrew (@attrc)
vol-users,
Registration has officially opened for the 6th Annual Open Memory
Forensics Workshop (OMFW) 2014. This half-day workshop will be held prior
to the 2014 Open Source Digital Forensics Conference (OSDFC) in Herndon,
VA, USA, on November 4, 2014.
"OMFW is the only digital forensics workshop focused on providing a venue
for the most advanced digital investigators. It is intended for those
people who realize that the only real defense against a creative technical
human adversary is a creative technical human analyst. No shady vendors
trying to describe how they re-implemented open source tools or boisterous
trainers attempting to discuss topics they only superficially understand.
This is your opportunity to learn directly from an international cadre of
pioneering researchers and practitioners who have been shaping the field
of memory analysis since its inception. Through a series of invited talks
you will have the opportunity to engage this exciting community."
We are still accepting presentations from people who are performing
innovative memory analysis research or from people who have interesting
case studies where memory forensics provided a critical component of the
investigation. If you are interested in participating, please contact us.
Submissions are due no later than October 1, 2014.
This year's workshop will also present the results of The 2nd Annual
Volatility Framework Plugin Contest! If you are interested in presenting
at the conference, submitting a contest entry is another option. Selected
contestants may be asked to present their work at the workshop and have it
featured on the Volatility Labs Blog. All contest submissions are due by
September 1, 2014.
To learn more about the workshop, read testimonials of previous attendees,
and find out what makes OMFW so unique, please visit the workshop website:
http://www.volatilityfoundation.org/#!2014/cwat
Details about the location will be provided upon registration.
Pre-registration is required and space is LIMITED, so register early.
Please note that it will NOT be possible to register at the door.
Registration closes on October 24, 2014.
Reserve your seat by contacting: info [at] volatilityfoundation [dot] org.
Thanks,
AAron Walters
The Volatility Foundation
The Volatility Team is happy to announce that Volatility 2.4 is now
publicly released.
Volatility 2.4 adds support for Windows 8, 8.1, 2012, and 2012 R2 memory
dumps, Mac OS X Mavericks (up to 10.9.4), and Linux kernels up to 3.16.
It also contains a large number of new plugins and features. Full
information can be found here:
http://volatility-labs.blogspot.com/2014/08/presenting-volatility-foundatio…
Please let me know if you have any issues or questions with the release.
--
Thanks,
Andrew (@attrc)
Hi all,
I am wanting to perform memory introspection in my Xen setup. I have been
using libvmi with Volatility to analyze memory dumps of a domU. I have
done and tested it in Dom0 and it works.
I now want to create a similar setup in a PV domU but I am unable to get
libVMI working.
I can use xl dump-core <domid> <filename> in my PV to extract any HVM
dump. I am using XSM and I have added all the necessary rules for memory
extraction.
This is the command I use to analyze the dump extracted using xl dump-core.
Note: I created the Linuxkbeastx86 profile for the kernel I have
infected with kbeast, and this profile worked in dom0 when I used libVMI to dump
memory, but in the PV it does not; I also tested xl dump with Volatility in
dom0 and it did not work.
So can Volatility process an xl dump?
Below is the example output I get:
python /root/Volatility/vol.py -f /root/kbeastDump --profile=Linuxkbeastx86
linux_check_modules
Volatility Foundation Volatility Framework 2.3.1
Module Name
-----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
PyVmiAddressSpace: Location doesn't start with vmi://
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF error: did not find any PT_NOTE segment with VBCORE
VMWareSnapshotFile: Invalid VMware signature: 0x464c457f
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxkbeastx86 selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
PyVmiAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
If anyone could give me some advice on this,
Thank you
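Both failing runs on this list end the same way ("No suitable address space mapping found"), and in both cases the most telling line is the one from the VMware check, which prints the first four bytes of the file as a little-endian integer: 0xf000ff53 for the LiME image in the first post and 0x464c457f (the bytes "\x7fELF") for the xl dump-core file in the second. The small script below is an added example, not code from either poster or from the Volatility project: it reads the leading bytes of an image and reports which container it looks like, so you can check the file before arguing with profiles. The LiME segment header layout it parses (u32 magic 0x4C694D45, u32 version, u64 start, u64 end, 8 reserved bytes) is taken from the LiME source; the ELF fields are standard. The "raw physical dump" classification is a heuristic of mine: an x86 physical image that starts at address 0 begins with the real-mode interrupt vector table, whose entries point into the BIOS segment 0xF000, and 0xf000ff53 decodes to the classic f000:ff53 IRET stub, which is what you would expect from a dump written with LiME's raw or padded format rather than format=lime. The sample images at the bottom are constructed in the script, not real captures.

```python
import struct

# Assumed (from the LiME source): each segment starts with a packed 32-byte
# header {u32 magic, u32 version, u64 s_addr, u64 e_addr, u8 reserved[8]}.
LIME_MAGIC = 0x4C694D45          # stored little-endian, so it reads "EMiL" on disk
LIME_HEADER_FMT = "<IIQQ8s"
LIME_HEADER_SIZE = struct.calcsize(LIME_HEADER_FMT)   # 32 bytes
ELF_MAGIC = b"\x7fELF"
ET_CORE = 4                      # ELF e_type value for core files


def parse_lime_header(buf):
    """Return {'version', 'start', 'end'} for one LiME segment header, or None."""
    if len(buf) < LIME_HEADER_SIZE:
        return None
    magic, version, s_addr, e_addr, _reserved = struct.unpack_from(LIME_HEADER_FMT, buf, 0)
    if magic != LIME_MAGIC or e_addr < s_addr:
        return None
    return {"version": version, "start": s_addr, "end": e_addr}


def walk_lime_segments(data):
    """List the (start, end) physical ranges of every segment in a LiME image.

    Each header is followed by end - start + 1 bytes of memory. A header
    without the magic means the file is not a LiME-format dump, which is the
    'Invalid Lime header signature' case Volatility reports.
    """
    ranges, off = [], 0
    while off + LIME_HEADER_SIZE <= len(data):
        hdr = parse_lime_header(data[off:off + LIME_HEADER_SIZE])
        if hdr is None:
            raise ValueError(f"no LiME header at file offset {off:#x}")
        ranges.append((hdr["start"], hdr["end"]))
        off += LIME_HEADER_SIZE + (hdr["end"] - hdr["start"] + 1)
    if off != len(data):
        raise ValueError("image is truncated inside a segment")
    return ranges


def parse_elf_ident(buf):
    """Return {'bits', 'type', 'machine'} for an ELF header, or None."""
    if len(buf) < 20 or buf[:4] != ELF_MAGIC:
        return None
    bits = 64 if buf[4] == 2 else 32          # EI_CLASS
    endian = "<" if buf[5] == 1 else ">"      # EI_DATA
    e_type, e_machine = struct.unpack_from(endian + "HH", buf, 16)
    return {"bits": bits, "type": e_type, "machine": e_machine}


def classify_image(head):
    """Guess the container format from the first bytes of a memory image."""
    lime = parse_lime_header(head)
    if lime is not None:
        return "lime", lime
    elf = parse_elf_ident(head)
    if elf is not None:
        return ("elf-core" if elf["type"] == ET_CORE else "elf", elf)
    if len(head) < 4:
        return "unknown", {}
    first = struct.unpack_from("<I", head, 0)[0]
    # Heuristic (mine, not Volatility's): a raw x86 physical dump starts at
    # the real-mode IVT, whose offset:segment entries point into the BIOS
    # segment 0xF000; 0xf000ff53 is the classic f000:ff53 IRET stub.
    if first >> 16 == 0xF000:
        return "raw-physical", {"vector0": f"{first >> 16:04x}:{first & 0xFFFF:04x}"}
    return "unknown", {"first_dword": f"{first:#010x}"}


def classify_file(path, length=64):
    """Classify an image on disk by its leading bytes."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(length))


# Constructed samples (not real dumps): a two-segment LiME image, the start
# of an ELF64 core such as xl dump-core writes, and a raw-looking start.
SAMPLE_LIME = (
    struct.pack(LIME_HEADER_FMT, LIME_MAGIC, 1, 0x0000, 0x0FFF, b"\0" * 8) + b"\x41" * 0x1000
    + struct.pack(LIME_HEADER_FMT, LIME_MAGIC, 1, 0x100000, 0x1000FF, b"\0" * 8) + b"\x42" * 0x100
)
SAMPLE_ELF = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", ET_CORE, 62) + b"\0" * 44
SAMPLE_RAW = b"\x53\xff\x00\xf0" + b"\0" * 60

if __name__ == "__main__":
    for name, blob in (("lime", SAMPLE_LIME), ("elf", SAMPLE_ELF), ("raw", SAMPLE_RAW)):
        print(name, classify_image(blob[:64]))
    print("lime segments:", [(hex(s), hex(e)) for s, e in walk_lime_segments(SAMPLE_LIME)])
```

Run it against a real file with classify_file("/path/to/image"). If a dump you believe came from LiME with format=lime classifies as raw-physical, the capture was most likely written in raw or padded format and should be handed to Volatility without the lime address space; if it classifies as elf-core, Volatility's only ELF core reader in these versions is the VirtualBox one, which explains the "did not find any PT_NOTE segment with VBCORE" line.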
I am writing to help spread the word of the first annual Malware Memory
Forensics (MMF) workshop that will be held alongside ACSAC later this
year in New Orleans:
http://www.acsac.org/2014/workshops/issues/
I am on the review committee and the conference is being organized by
academics with deep experience related to malware and memory forensics
(e.g. General Co-Chair Golden Richard was who we chose as tech editor
for The Art of Memory Forensics).
If you are working with Volatility and performing your research inside
the framework then this is the perfect venue for a formal/academic
publication of your research. If you are a student, it would be an
ideal fit for Master's or PhD projects, and if you are in industry then
this conference works well as a bridge between industry and academia.
Any questions can be sent to myself or to Golden (CC'ed).
--
Thanks,
Andrew (@attrc)