Hi all,
I'm new on volatility so sorry if this question does not fit the purpose
of this mailing list.
I was starting play with LiME (Linux Memory Extract)[1] and I was able
to dump a memory image of an Android Emulator where ChatSecure[2] was
running.
ChatSecure asked a master password at the first run and this password is
stored by using a library called CacheWord [3].
Here the question: in order to find out if ChatSecure stores this
password in memory, how should I use volatility?
A doc/tutorial link or any suggestion are more than welcome.
Thanks,
Massimo
[1] https://github.com/504ensicsLabs/LiME
[2] https://github.com/guardianproject/ChatSecureAndroid
[3] https://github.com/guardianproject/cacheword
1. I have a directory with a memory dump called memdum.bin
2. I run volatility image info against it and I get
Air:ticket_number jamesk$ vol.py -f memdump.bin imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/jamesk/Desktop/jackcr-challenge/DC-USTXHOU/ticket_number/memdump.bin)
PAE type : No PAE
DTB : 0x39000L
KDBG : 0x805583d0L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2012-11-27 02:01:57 UTC+0000
Image local date and time : 2012-11-26 20:01:57 -0600
3. I can run vol.py --profile=Win2003SP0x86 -f memdump.bin pslist and get process list just fine…but...
In that same directory as the memdump.bin file I have a .volatilityrc file which contains
[DEFAULT]
PROFILE=Win2003SP2x86
LOCATION=file://memdump.bin <file:///memdump.bin>
When I run vol.py pslist I get:
No suitable address space mapping found
Is my syntax incorrect somewhere?
Jk
Hello,
I was wondering if there was any plugin right now equivalent to
'imageinfo' but for Linux or Mac ? I was planning on give it a try if
not, but didn't want to waste time if anybody had done it before.
Thank you,
--
Stanislas 'P1kachu' Lejay
EPITA - LSE
If you're sleeping, you're doing it wrong.
I am attempting to recover the Truecrypt Master Keys from a Win7SP1x64
memory image and getting the below errors.
Using the Volatility 2.5 Windows stand-alone:
C:\>vol2.5.exe -f Truecrypt_MountedContainer.bin --profile Win7SP1x64
truecryptmaster -T 7.1a
Volatility Foundation Volatility Framework 2.5
Container:
Hidden Volume: No
Removable: No
Read Only: No
Disk Length: 0 (bytes)
Host Length: 0 (bytes)
Encryption Algorithm: -
Mode: -
Master Key
Traceback (most recent call last):
File "<string>", line 192, in <module>
File "<string>", line 183, in main
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.commands", line 145, in execute
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.plugins.tcaudit", line 666, in render_text
File
"C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.py
z\volatility.utils", line 71, in Hexdump
TypeError: object of type 'NoneType' has no len()
Hey guys,
I'm back from the other side ! I started refreshing my tools to add Windows
8, 8.1 and 10 support.
I'm looking for Beta Testers for Hibr2Bin: Here is the link:
http://www.comae.io/
Thanks!
Hi all,
I'm trying to access the data that's exposed by the messagehooks plugin,
specifically:
volatility.plugins.gui.messagehooks.MessageHooks().calculate()
I want to be able to work with the window_stations and atom_tables that are
yielded by the method.
I tried making a new instance of the class and manually calling:
mh = messagehooks.MessageHooks(atoms.Atoms, sessions.SessionsMixin)
for x in mh.calculate():
print x
However when run, I get an attribute error:
File "plugin.py", line 81, in calculate()
for x in mh.calculate():
File ".../messagehooks.py", line 68, in calculate
in atoms.Atoms(self._config).calculate())
File ".../messagehooks.py", line 6, in <genexpr>
atom_tables = dict((atom_table, winsta)
File ".../atoms.py", line 153, in calculate
for wndsta in windowstations.WndScan(self._config).calculate():
File ".../common.py", line 45, in __init__
config.add_option("VIRTUAL", short_option = "V", default = False,
AttributeError: type object 'Atoms' has no attribute 'add_option'
Is there a better/correct way of getting at the data normally yielded by a
plugin's calculate method?
Thank you,
Adam
On 04.05.2016 17:46, Torres, Geoff (Cyber Security) wrote:
> When you say " Running lqs2mem on the original suspend to disk image does not work", do you mean that you're getting an error? Or that it's creating an image that doesn't work in volatility?
>
> I've ran lqs2mem literally on hundreds of QEMU images with no problems.
>
> Can you post the output of your run?
>
> If I recall correctly, Juerg had to pad a certain section of memory in order to get the structures to line up. It's possible that later versions of QEMU/KVM changed so that padding isn't necessary any more.
Running lqs2mem on the original image returns "Invalid section type: 7"
- Thomas
Hello,
I am using volatility in order to do live introspection in a linux virtual machine (i m using libvmi and pyvmiaddresspace.py to access the vms memory).
The problem that I am facing is that once i run a command for example linux_pslist I get a segmentation fault(core dumped) error with no further information about it.
Some general information about the system:
I have recompiled libvmi in order to work with the kvm-qemu patch and I have tried the process-list example for linux that is featured with libvmi and it works fine.
I have also tried to manualy execute
pyvmi.init("instance-name","partial") which is what pyvmiaddresspace.py is doing and this also works (along with all the pyvmi related commands like get_memsize(), get_vcpureg()).
>From what I understand the problem should lie somewhere in volatility. Before the recompilation of libvmi everything was working fine (without the kvm patch).
Any help would be greatly appreciated.
Thanks
Anna
Hello All,
We are excited to announce that we now have public trainings scheduled
in NYC, Amsterdam, and Reston, VA! This is your chance to learn memory
forensics and malware analysis directly from the Volatility developers.
These three locations sell out quickly so please contact us ASAP if you
wish to attend:
http://volatility-labs.blogspot.com/2016/04/windows-malware-and-memory-fore…
--
Thanks,
Andrew (@attrc)
Hi,
I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64).
I checked the github repository already and did a google search to no avail.
Does anyone have one already created?
Or can anyone help me figure out how to get around these compilation errors?
include/linux/thread_info.h:24:4: error unknown type name 'u32'
u32 __user *uaddr;
^
There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set.
I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past.
Thanks,
Geoff
BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.
