Sir,
I am doing my M.E. in Cyber Forensics and Information Security, and am currently doing my project work on Mac RAM dump analysis. I am using volafox-master for listing data from the dump collected from my laptop. Can you please help me with how we can find the list of running processes? Currently I've found a symbol that Volatility uses ("_allproc"); I've also found it in the symutils file. But I don't know what to do with it.
Thanks in advance,
Razeem
Hello,
I am working on a homework assignment that involves IR on a Linux system. We were only given some of the log files and a memory dump. None of the profiles on GitHub work, so I need to build a profile. Unfortunately, the memory dump comes from a very old version of Red Hat: it's Red Hat 7.2 (Enigma), not RHEL 7.
I found the Enigma ISOs, created a VM, downloaded the source, headers, libdwarf, dwarfdump, etc., and installed them, but when I run make from the tools/linux folder, it doesn't create the module.ko file that dwarfdump uses. I ran the make manually and it finishes without any errors, but there is no module.ko.
Any ideas what I might be doing wrong?
Thanks!
Carlos
Hi,
I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which hides its module and hooks fops.
I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest Volatility git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both the memory dump and the analysis.
Many plugins work fine, but it can't be detected by the plugins below (same on Volatility 2.4).
* linux_hidden_modules - nothing is detected
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
Volatility Foundation Volatility Framework 2.5
Offset (V) Name
------------------ ----
* linux_check_fops - outputs an error (no verbose output with the --debug option)
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : You must specify something to do (try -h)
I would really appreciate any advice.
Regards,
Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi / rawreg classes in Volatility.
The key I'm looking for is under HKCU\Software\Classes\ and is called CLSID:
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py --plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns' -f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K "Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep drilling down into its subkeys?
Also, my plugin makes extensive use of rawreg because I try to get each individual NTUSER.dat hive, and I don't know which hive_name to pass to regapi. Should I use the full hive name, as in self.hive_name(obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)), or is there a better way of doing it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
Hello,
I am not sure why I am having trouble running vol against a Win7 memory image:
I ran the imageinfo plugin against the image and it suggests: Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64:
But when I select the Win7S1x64 profile for other plugins I get the following error:
Any suggestions on what I am missing? Thanks in advance.