April 2016 - Vol-users - volatilityfoundation.org

by Massimo Canonico

Hi all, I'm new on volatility so sorry if this question does not fit the purpose of this mailing list. I was starting play with LiME (Linux Memory Extract)[1] and I was able to dump a memory image of an Android Emulator where ChatSecure[2] was running. ChatSecure asked a master password at the first run and this password is stored by using a library called CacheWord [3]. Here the question: in order to find out if ChatSecure stores this password in memory, how should I use volatility? A doc/tutorial link or any suggestion are more than welcome. Thanks, Massimo [1] https://github.com/504ensicsLabs/LiME [2] https://github.com/guardianproject/ChatSecureAndroid [3] https://github.com/guardianproject/cacheword

8 years, 6 months

3
4
0 0

segmentation fault

by Anna Giannakou

Hello, I am using volatility in order to do live introspection in a linux virtual machine (i m using libvmi and pyvmiaddresspace.py to access the vms memory). The problem that I am facing is that once i run a command for example linux_pslist I get a segmentation fault(core dumped) error with no further information about it. Some general information about the system: I have recompiled libvmi in order to work with the kvm-qemu patch and I have tried the process-list example for linux that is featured with libvmi and it works fine. I have also tried to manualy execute pyvmi.init("instance-name","partial") which is what pyvmiaddresspace.py is doing and this also works (along with all the pyvmi related commands like get_memsize(), get_vcpureg()). >From what I understand the problem should lie somewhere in volatility. Before the recompilation of libvmi everything was working fine (without the kvm patch). Any help would be greatly appreciated. Thanks Anna

8 years, 6 months

1
0
0 0

Memory Forensics Training coming to NYC, Amsterdam, and Reston

by Andrew Case

Hello All, We are excited to announce that we now have public trainings scheduled in NYC, Amsterdam, and Reston, VA! This is your chance to learn memory forensics and malware analysis directly from the Volatility developers. These three locations sell out quickly so please contact us ASAP if you wish to attend: http://volatility-labs.blogspot.com/2016/04/windows-malware-and-memory-fore… -- Thanks, Andrew (@attrc)

8 years, 6 months

1
0
0 0

Need a Redhat 7.1 profile

by Torres, Geoff (Cyber Security)

Hi, I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64). I checked the github repository already and did a google search to no avail. Does anyone have one already created? Or can anyone help me figure out how to get around these compilation errors? include/linux/thread_info.h:24:4: error unknown type name 'u32' u32 __user *uaddr; ^ There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set. I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past. Thanks, Geoff BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.

8 years, 6 months

2
2
0 0

OSDFCon CFP and Autopsy Module Competition

by Brian Carrier

It’s time to start getting ready for the 7th Annual OSDFCon by submitting your presentation idea, writing an Autopsy module, and saving the date on your calendar. OSDFCon is the 1-day event to attend each year to learn about the latest open source digital forensics and incident response tools with over 400 of your colleagues. THE ESSENTIALS Conference Date: October 26, 2016 Location: Herndon, VA CALL FOR PAPERS Each year, OSDFCon gives developers and users a platform to talk about the open source software they love. We want to hear your presentation and hands-on workshop ideas. Submissions are due by June 1. Past presentations have covered new software, new features in mature software, modules for plug-in frameworks, and use cases that integrate several pieces of software. A detailed list of topics and submission details can be found here: http://www.osdfcon.org/osdfcon-2016/2016-call-for-presentations/ AUTOPSY MODULE COMPETITION For the third year, Basis Technology is organizing an Autopsy module writing competition. The modules can be written in Python or Java and we have tutorials to help you get started. Learning to write Autopsy modules will make you more effecient because Autopsy takes care of providing access to files, user interface, and reporting. All you have to do is focus on some cool analytics. The winners will be chosen by the OSDFCon attendees and the top three will get cash prizes. If we get 12 or more submissions (the number that the Volatility project got last year), Basis Technology will double the prize amounts. Submissions are due by October 17 (6 months away!). Links to tutorials and submission details can be found here: http://www.osdfcon.org/osdfcon-2016/2016-module-development-contest/ ABOUT OSDFCON OSDFCon is the premier event focused exclusively on open source digital forensics tools, OSDFCon offers short talks over the course of a single day. These talks are packed with information and present a unique opportunity to learn about new (often free) tools and provide feedback directly to developers. Basis Technology is the organizing sponsor of the event and it is free for government employees to attend.

8 years, 7 months

1
0
0 0

RE: Need a Redhat 7.1 profile

by Torres, Geoff (Cyber Security)

To answer my own question... My profile build system is Debian based. Even though I've successfully created Fedora and CentOS profiles on it, I needed to move to a Fedora system which had the proper definition files in its compiler environment. That got rid of all the 'u32' errors. But because the compiler was gcc 5.1, I needed to create a compiler-gcc5.h file in the include/Linux folder of the kernel files. I just linked to the gcc4 file and everything compiled fine. All the Linux Volatility commands appear to be working as expected. Geoff From: Torres, Geoff (Cyber Security) Sent: Thursday, April 07, 2016 11:37 AM To: 'vol-users(a)volatilityfoundation.org' <vol-users(a)volatilityfoundation.org> Subject: Need a Redhat 7.1 profile Hi, I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64). I checked the github repository already and did a google search to no avail. Does anyone have one already created? Or can anyone help me figure out how to get around these compilation errors? include/linux/thread_info.h:24:4: error unknown type name 'u32' u32 __user *uaddr; ^ There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set. I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past. Thanks, Geoff BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.

8 years, 7 months

1
0
0 0

Airbnb just donated $999 to the plugin contest!

by Andrew Case

We are very excited to announce that $999 in cash prizes was just added to the 2016 plugin contest thanks to Airbnb! The updated prize pools and full contest information can be found at the following link: http://volatility-labs.blogspot.com/2016/04/airbnb-donates-999-to-2016-vola… -- Thanks, Andrew (@attrc)

8 years, 7 months

1
0
0 0

Something changed recently and now my Linux profiles don't work

by Jim Clausing

Gang, I've googled it and saw some other discussion of the dreaded ERROR : volatility.debug : Invalid profile <blah> selected error. I'm trying to figure out what changed recently so that profiles that used to work for me, no longer work. I just did a fresh Ubuntu 14.04.4 install and then installed volatility (and distorm3 via pip) from github and I'm getting the error above. Note, this is the current release version, though I also have the problem with the version from whatever repo SIFT uses. The profile actually came from SecondLook and worked just fine on a different Ubuntu system about 4 weeks ago, but today it fails (on the system where it used to run), so I decided to try on this virgin system and get the same error. I'm at a loss, since there are no other debugging messages to help me out with what might be the problem. I can provide the profile to anyone who needs it (and probably a memory image, too, but that needs to be a little more tightly controlled) if that would help. -- Jim Clausing GIAC GSE #26, CISSP GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D

8 years, 7 months

2
6
0 0

Re: [Vol-users] Something changed recently and now my Linux profiles don't work

by Andrew Case

Ok, can you run: vol.py --info | grep Linux and see if the profile name shows up like you have it as --profile? Thanks, Andrew (@attrc) On 04/07/2016 02:26 PM, Jim Clausing wrote: > -dd doesn't give me anything more than that error. > > jac@ubuntu:~$ vol.py -dd --plugins=profiles > --profile=Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64 > -m XUbuntu\ 64-bit-Snapshot3.vmem linux_pslist > Volatility Foundation Volatility Framework 2.5 > ERROR : volatility.debug : Invalid profile > Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64 > selected > > -- > Jim Clausing > GIAC GSE #26, CISSP > GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D > > On or about Thu, 7 Apr 2016, Andrew Case pontificated thusly: > >> Hey, >> >> Can you run volatility with -dd set and send the output? If I can't >> figure out it from there I will take the memory sample and profile. Feel >> free to send debug output offline. >> >> Thanks, >> Andrew (@attrc) >> >> On 04/07/2016 12:27 PM, Jim Clausing wrote: >>> Gang, >>> I've googled it and saw some other discussion of the dreaded >>> >>> ERROR : volatility.debug : Invalid profile <blah> selected >>> >>> error. I'm trying to figure out what changed recently so that profiles >>> that used to work for me, no longer work. I just did a fresh Ubuntu >>> 14.04.4 install and then installed volatility (and distorm3 via pip) >>> from github and I'm getting the error above. Note, this is the current >>> release version, though I also have the problem with the version from >>> whatever repo SIFT uses. The profile actually came from SecondLook and >>> worked just fine on a different Ubuntu system about 4 weeks ago, but >>> today it fails (on the system where it used to run), so I decided to try >>> on this virgin system and get the same error. I'm at a loss, since >>> there are no other debugging messages to help me out with what might be >>> the problem. I can provide the profile to anyone who needs it (and >>> probably a memory image, too, but that needs to be a little more tightly >>> controlled) if that would help. >>> >>> -- >>> Jim Clausing >>> GIAC GSE #26, CISSP >>> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilityfoundation.org >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> >> >> >

8 years, 7 months

1
0
0 0

The 2016 Volatility Plugin Contest is now live!

by Andrew Case

We are happy to announce that the 2016 Volatility Plugin Contest is now live: http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-cont… This contest is modeled after the annual IDA Pro one, and its purpose is to encourage new research in the memory forensics field. Volatility is one of the most popular tools in digital forensics, incident response, and malware analysis, and by submitting to our contest your work will immediately gain visibility through all of these communities. Besides this recognition, we also award the top entries over $2,000 in cash prizes, swag (stickers, t-shirts, etc.), and blog entries on our Volatility Labs blog. This contest is a great opportunity to explore the open source Volatility Framework, add visibility to your career, and potentially develop a master's thesis or PhD project. -- Thanks, Andrew (@attrc)

8 years, 7 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users April 2016