Hello list,
I’m trying to use Volatility on an OSX memory dump. I was unable to download Mac Memory Reader as the site is offline. I’ve used osxpmem from Rekall.
The commands I used to perform the dump were:
sudo kextutil MacPmem.kext
sudo ./osxpmem --format elf -o ./ram.dump
I then moved ram.dump into my volatility directory
To check my downloaded profile is included I’ve run the command
./volatility_2.5_mac --plugins=./mac --imageinfo
and then I ran
./volatility_2.5_mac --plugins=./mac --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
and got
Volatility Foundation Volatility Framework 2.5
Offset Name Pid Uid Gid PGID Bits DTB Start Time
------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x4034b50
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Apparently my OSXPmemElf signature is invalid. What can I do to dump memory with a valid signature? Or does my problem lie elsewhere?
Regards,
Rob
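One check worth making before chasing a profile or plugin problem is what the dump file actually starts with. The VMware probe in the output above prints the first 32-bit word of ram.dump as 0x4034b50; read little-endian those are the bytes 50 4B 03 04, the `PK\x03\x04` signature of a ZIP local-file header, whereas an ELF file begins with 7F 45 4C 46. AFF4 volumes, the container Rekall's pmem tools write by default, are ZIP-based. The script below is an added example, not part of the post or of Volatility or Rekall: it reads the first bytes of a dump and matches them against well-known file magics. The signature labels, the sample headers and the file names are constructed for the example.

```python
import struct

# Leading byte signatures of the dump formats the Volatility 2.5 probe list
# in the post tries. The magics are the documented file signatures; the labels
# are constructed for this example.
SIGNATURES = [
    (b"\x7fELF", "ELF core dump"),                            # osxpmem --format elf, QEMU, VirtualBox
    (b"EMiL", "LiME dump"),                                   # LiME magic 0x4C694D45 stored little-endian
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),  # Mac Memory Reader output on x86
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit (big-endian)"),
    (b"PAGEDU64", "Windows 64-bit crash dump"),
    (b"PAGEDUMP", "Windows 32-bit crash dump"),
    (b"\xd2\xbe\xd2\xbe", "VMware saved state (.vmss/.vmsn)"),
    (b"PK\x03\x04", "ZIP container (AFF4 volumes are ZIP-based)"),
]


def first_dword_le(header: bytes) -> int:
    """First 32-bit word read little-endian, the way the VMware probe
    prints its 'Invalid VMware signature' value."""
    return struct.unpack_from("<I", header.ljust(4, b"\x00"), 0)[0]


def identify(header: bytes):
    """Label of the first signature the header starts with, or None."""
    for magic, label in SIGNATURES:
        if header.startswith(magic):
            return label
    return None


def identify_file(path: str):
    """Read the first 16 bytes of a dump and classify them."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return identify(head), first_dword_le(head)


if __name__ == "__main__":
    # Constructed headers standing in for real dump files.
    samples = {
        "elf.dump": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "aff4.dump": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8,
    }
    for name, head in samples.items():
        print(f"{name}: first dword 0x{first_dword_le(head):x} -> {identify(head)}")
```

Running `identify_file("ram.dump")` on the dump from the post would show whether the bytes Volatility is rejecting belong to an ELF image at all; a ZIP signature points at the container, not at the profile.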
Dear list,
Is it possible to extend the built in profiles for the standalone mac version of volatility with extra ones?
I’ve downloaded the linux and mac profiles from github and tried putting them in a subdirectory as with the source code version on Linux i.e. volatility_2.5.mac.standalone/volatility/plugins/overlays/mac
However they don’t show up in the profile list when I run volatility_2.5.mac.standalone --info
Regards,
Rob
Hi,
thanks to your suggestion, I have made great progress but I still have not reached
the target: locating the master password of an Android app.
I ran the app and set the password to "mypassword2016". With yarascan I
was able to see that this password is stored in memory in unicode (I ran
"python vol.py linux_yarascan -W -A -Y "mypassword2016"").
Then I wanted to see if there is some "signature" that helps me to
locate the password. So I decided to use volshell and look around the
password, but I had no luck (see the attachment, where I show what
there is before and after the two occurrences of the password
"mypassword2016").
Of course I've repeated the same workflow for two other passwords, but I
did not get anything that helps me to figure out if there is a way to
locate where the password is stored.
Do you have any suggestion, please?
Thanks in advance,
Massimo
Hi Laurent,
Not necessarily. You're assuming that everything once in memory stays in
memory...which isn't the case. If you have an IP and you pass it to
ws2_32.connect() and then free or overwrite the memory containing the
IP...the connection stays up and running just fine. It could also be
swapped to the page file.
MHL
On 5/17/16 5:14 AM, Laurent LF wrote:
> Thanks Michael,
>
> What I don't understand is that yarascan on the "IP to integer" value on
> the full mem dump gives a result in the svchost process only and not
> anywhere else. I should have at least two occurrences, one in the svchost
> process and one other in the System process, right ?
>
> Thanks,
>
> Laurent
>
>
> On 2016-05-12 23:18, Michael Ligh wrote:
>> I can't speak to whether it's "normal" but it's not surprising. The System
>> process is the default home for threads that start in kernel mode. Thus
>> any kernel driver using the winsock APIs for networking will make it
>> appear as if the System process is responsible. Now combine that with a
>> DLL that's implementing a particular service (and running inside
>> svchost.exe process) who wants to communicate with its corresponding
>> driver...it could send an IOCTL and say "go connect to this x.x.x.x IP
>> address." In that case you could easily end up with a reference to the
>> IP in svchost.exe.
>>
>> MHL
>>
>> On 5/10/16 2:34 PM, Laurent LF wrote:
>>> Hi,
>>>
>>> I have progressed a bit on this.
>>> I was first limiting my IP address searches to the process returned by
>>> "netscan", which was "System" with pid=4. As I was convinced I should
>>> have got some results within "System", I supposed I was wrong with the
>>> syntax or the IP representation and made several other tries (IP as
>>> string, little endian ordering as suggested by Andrew, ...), still with
>>> pid=4. I also made a few tries on the whole memory dump but with no
>>> luck. It looks like I was doing something wrong because today I made
>>> some tries again on the full memory dump and finally found the IPs (big
>>> endian ordering) in ... a "svchost" process.
>>>
>>> I still need to go deeper in the analysis (as far as my little knowledge
>>> will allow me to go :-) ) but is it normal behavior to have netscan
>>> reporting some connections linked with "System" when IP search with
>>> yarascan on given IPs returns only a "svchost" process ?
>>> Also, I was expecting to find references to the IPs in several memory
>>> locations but only one occurrence in this case, in the given svchost
>>> process...
>>>
>>> Thanks,
>>> Laurent
>>>
>>>
>>> Le 10/05/2016 17:14, Michael Ligh a écrit :
>>>> Also note yarascan only accesses available pages. The IP could be in a
>>>> page that's swapped to the pagefile or in a page that's been
>>>> freed/deallocated and is no longer referenced from any page
>>>> table(s). In
>>>> the latter case, you could find it by extracting strings from the memory
>>>> dump or by scanning with yara signatures across the memory dump file
>>>> (i.e. not caring about virtual address spaces)...however if you find it
>>>> in either of two methods, there's no way to trace the page back to its
>>>> owner.
>>>>
>>>> MHL
>>>>
>>>> On 5/10/16 7:56 AM, Andrew Case wrote:
>>>>> Hey,
>>>>>
>>>>> Did you try the IP hex value in reverse? It is likely that the IP
>>>>> address is stored as little endian in memory.
>>>>>
>>>>> Thanks,
>>>>> Andrew (@attrc)
>>>>>
>>>>> On 05/10/2016 05:15 AM, tech(a)nisteo.fr wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I am starting to play with Volatility (2.5) and I am currently working
>>>>>> on a Win2008R2 image (memory dump with winpmem). I would like to
>>>>>> understand what is causing some network connections initiated by the
>>>>>> "System" process.
>>>>>> netscan shows those connections and I would like to be able to find
>>>>>> references to the IP addresses in the memory dump. I have tried the
>>>>>> "yarascan -Y" plugin with the IP string, with the IP to integer value
>>>>>> (converted to hex) but no luck finding IPs that, however, I can see in
>>>>>> the netscan result...
>>>>>> Either I am wrong with the yarascan syntax or there is something I don't
>>>>>> know regarding how Win2008 stores IPs...
>>>>>>
>>>>>> Any hints ?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Laurent
>>>>>> _______________________________________________
>>>>>> Vol-users mailing list
>>>>>> Vol-users(a)volatilityfoundation.org
>>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>>
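Massimo's password search and this IP thread both come down to the same question: which byte patterns a value can take in memory. The script below is an added example, not code from any of the posts or from Volatility. It builds the candidate encodings (ASCII and UTF-16LE for a text value; dotted string, network-order and host-order 32-bit integer for an IPv4 address), scans a buffer for each and returns the hit offsets with the bytes around them, the way one would look around a hit in volshell. The sample buffer, the password placement and the address 192.0.2.44 are constructed. Run over the raw dump file rather than a process address space, the same scan also reaches pages no longer mapped to any process, with the caveat Michael gives above that such a hit cannot be attributed to an owner.

```python
import socket


def text_patterns(value: str) -> dict:
    """Encodings under which a string commonly sits in process memory."""
    return {
        "ascii": value.encode("ascii"),
        "utf-16le": value.encode("utf-16-le"),  # Windows/Java "unicode" strings
    }


def ipv4_patterns(ip: str) -> dict:
    """Encodings under which an IPv4 address commonly sits in memory."""
    net_order = socket.inet_aton(ip)            # big-endian, as in sockaddr_in
    return {
        "dotted-ascii": ip.encode("ascii"),
        "dotted-utf-16le": ip.encode("utf-16-le"),
        "big-endian-u32": net_order,
        "little-endian-u32": net_order[::-1],   # host order on x86, Andrew's suggestion
    }


def scan(buf: bytes, patterns: dict, context: int = 8) -> list:
    """Every occurrence of every pattern as (label, offset, bytes around the hit)."""
    hits = []
    for label, needle in patterns.items():
        pos = buf.find(needle)
        while pos >= 0:
            lo = max(0, pos - context)
            hi = min(len(buf), pos + len(needle) + context)
            hits.append((label, pos, buf[lo:hi]))
            pos = buf.find(needle, pos + 1)
    return hits


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Offset / hex / printable view of a byte string, volshell-db style."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base + i:08x}  {hexs:<{width * 3}} {text}")
    return "\n".join(lines)


# Constructed sample "dump": the password stored as UTF-16LE at offset 16,
# the IP stored as a little-endian u32 at offset 52 and as dotted ASCII at 64.
PASSWORD = "mypassword2016"
IP = "192.0.2.44"
SAMPLE_DUMP = (
    b"\x00" * 16
    + PASSWORD.encode("utf-16-le")
    + b"\x00" * 8
    + socket.inet_aton(IP)[::-1]
    + b"\x00" * 8
    + IP.encode("ascii")
    + b"\x00" * 16
)

if __name__ == "__main__":
    hits = scan(SAMPLE_DUMP, text_patterns(PASSWORD)) + scan(SAMPLE_DUMP, ipv4_patterns(IP))
    for label, off, ctx in hits:
        print(f"[{label}] hit at 0x{off:x}")
        print(hexdump(ctx, max(0, off - 8)))
```

Note that the ASCII form of the password and the big-endian integer form of the address produce no hit in the sample, which is exactly the situation described in both threads: a value that is present but encoded differently from the pattern searched for.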
Hi all,
Wondering if anybody's come across this scenario...
I want to read an address from my_offset:
my_address = obj.Object('address', offset=my_offset, vm=task_vm)
However, for Wow64 the address should only be 4 bytes, but because we're
analysing with a 64-bit profile, 'address' will cause 8 bytes to be parsed
(right?).
Do I need to replace it with something like:
if profile_is_32bit or process_is_wow64:
    my_address = obj.Object('unsigned long', offset=my_offset, vm=task_vm)
else:
    my_address = obj.Object('unsigned long long', offset=my_offset, vm=task_vm)
Or do I need to start manually unpacking structs?
Thanks,
Adam
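The concern in the question, assuming as the post does that a profile-width 'address' read takes 8 bytes under a 64-bit profile, is that the 4 bytes following a WoW64 pointer get folded into the value. The script below is an added example, not Volatility code: it uses a flat byte buffer as a stand-in for task_vm and plain struct unpacking in place of obj.Object, so it runs without Volatility. The helper names, the buffer layout and the pointer values are constructed; the width rule mirrors the 'unsigned long' / 'unsigned long long' split from the post.

```python
import struct

# Constructed stand-in for the task's address space (task_vm in the post):
# a flat byte buffer indexed by offset.
SAMPLE_VM = bytearray(0x40)
# A WoW64 process stored a 32-bit pointer at 0x10; the next field of its
# structure, a 32-bit flag, sits directly behind it at 0x14.
struct.pack_into("<I", SAMPLE_VM, 0x10, 0x7FFE0304)
struct.pack_into("<I", SAMPLE_VM, 0x14, 0x00000001)
# A native 64-bit process stored an 8-byte pointer at 0x20.
struct.pack_into("<Q", SAMPLE_VM, 0x20, 0x00007FF612340000)


def pointer_width(profile_is_64bit: bool, process_is_wow64: bool) -> int:
    """Bytes per pointer as the *process* (not the profile) lays it out."""
    return 4 if (not profile_is_64bit or process_is_wow64) else 8


def read_pointer(vm, offset: int, profile_is_64bit: bool, process_is_wow64: bool) -> int:
    """Read a pointer with the width chosen per process: the 'unsigned long'
    versus 'unsigned long long' split from the post, without obj.Object."""
    fmt = "<I" if pointer_width(profile_is_64bit, process_is_wow64) == 4 else "<Q"
    return struct.unpack_from(fmt, vm, offset)[0]


def read_profile_address(vm, offset: int, profile_is_64bit: bool) -> int:
    """What a profile-width 'address' read does: always the profile's width,
    regardless of the process. On a WoW64 pointer this pulls in the next field."""
    fmt = "<Q" if profile_is_64bit else "<I"
    return struct.unpack_from(fmt, vm, offset)[0]


if __name__ == "__main__":
    print(f"WoW64 pointer, per-process width: 0x{read_pointer(SAMPLE_VM, 0x10, True, True):x}")
    print(f"WoW64 pointer, profile width:     0x{read_profile_address(SAMPLE_VM, 0x10, True):x}")
    print(f"native pointer, per-process width: 0x{read_pointer(SAMPLE_VM, 0x20, True, False):x}")
```

The second line of output shows the failure mode: the flag value 1 from offset 0x14 becomes the high dword of the "address", giving 0x17ffe0304 instead of 0x7ffe0304. Selecting the width from the process, as the post proposes, is the fix; the struct-level read is the same thing obj.Object does for an integer type of the chosen size.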
The Call for Presentations for the Open Source Digital Forensics Conference (OSDFCon) ends on June 1 and we’ve just decided to have one presentation this year from someone who cannot physically attend the event. If you have a talk that you want to give about a tool you’ve developed or used, but don’t have the budget to travel to Virginia, then you can still submit. This is a test to see if we can open the event to more people.
All we need for the submission is an abstract about your software, use cases, or experiences. Feel free to submit topics that were submitted in past years, but not chosen from the crowdsourcing.
http://www.osdfcon.org/osdfcon-2016/2016-call-for-presentations/
We’re also looking for more hands-on workshops. A lot of attendees last year requested more hands-on sessions, so if you can give a 3-hour workshop the day before, it would be a great way to get awareness for your software.
thanks,
brian
Hello dear volatility community,
I am an ISE master's student at Ben Gurion University in Israel,
and I need your help.
My research deals with extracting many features from a windows memory dump
taken from vSphere snapshots. (Mostly Windows 2012 R2).
In order to extract as many features as possible I am using volatility
framework which helps me to receive the most basic features I need.
I want to leverage volatility framework even more so I can extract more
valuable features.
Here is the list of features I want to try to extract from the memory:
- Obtaining the stack of all processes, or anything that can be deduced from
it, for example call sequences or function parameters etc.
- Gathering information about reading or writing actions that were
happening while the snapshot was taken or before.
- Find / detect usages of cryptography keys in the memory, especially
asymmetric keys.
- Find / detect changes in the registry.
I hope this post is not too abstract, and that maybe you can help me start.
I first want to know whether what I am trying to do is even possible. Is
Volatility the right tool?
If it is, where should I begin?
Appreciate your help!
Thanks,
Yuval
That's great! Thank you so much :)
On 24 May 2016 at 16:06, wyatt roersma <wyattroersma(a)gmail.com> wrote:
> Yes I do. Here is the link to the exe and user guide.
> https://drive.google.com/folderview?id=0Bz3L4ZnVlUY8TFdBcUljeTc4VFk
> On May 24, 2016 7:13 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
>
>> Wyatt - do you still have a copy of vm2dmp around?
>>
>> MHL
>>
>> On 5/24/16 5:55 AM, Bridgey theGeek wrote:
>> > Hi all,
>> >
>> > I've been given a .vsv and a .bin from a Server 2008R2 box.
>> > vm2dmp supposedly supported converting this into a raw image, but it
>> > seems to have disappeared off the face of the planet.
>> >
>> > Does anybody have:
>> >
>> > a) A copy of vm2dmp that they're allowed to share.
>> > and/or
>> > b) Recommendations for an alternative tool.
>> >
>> > Thanks!
>> > Adam
>> >
>> >
Hi all,
I've been given a .vsv and a .bin from a Server 2008R2 box.
vm2dmp supposedly supported converting this into a raw image, but it seems
to have disappeared off the face of the planet.
Does anybody have:
a) A copy of vm2dmp that they're allowed to share.
and/or
b) Recommendations for an alternative tool.
Thanks!
Adam