I am attempting to recover the Truecrypt Master Keys from a Win7SP1x64
memory image and getting the below errors.
Using the Volatility 2.5 Windows stand-alone:
C:\>vol2.5.exe -f Truecrypt_MountedContainer.bin --profile Win7SP1x64 truecryptmaster -T 7.1a
Volatility Foundation Volatility Framework 2.5
Container:
Hidden Volume: No
Removable: No
Read Only: No
Disk Length: 0 (bytes)
Host Length: 0 (bytes)
Encryption Algorithm: -
Mode: -
Master Key
Traceback (most recent call last):
  File "<string>", line 192, in <module>
  File "<string>", line 183, in main
  File "C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 145, in execute
  File "C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.tcaudit", line 666, in render_text
  File "C:\Users\Jake\Documents\GitHub\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.utils", line 71, in Hexdump
TypeError: object of type 'NoneType' has no len()
Hey guys,
I'm back from the other side! I started refreshing my tools to add Windows
8, 8.1 and 10 support.
I'm looking for Beta Testers for Hibr2Bin: Here is the link:
http://www.comae.io/
Thanks!
Hi all,
I'm trying to access the data that's exposed by the messagehooks plugin,
specifically:
volatility.plugins.gui.messagehooks.MessageHooks().calculate()
I want to be able to work with the window_stations and atom_tables that are
yielded by the method.
I tried making a new instance of the class and manually calling:
mh = messagehooks.MessageHooks(atoms.Atoms, sessions.SessionsMixin)
for x in mh.calculate():
    print x
However when run, I get an attribute error:
File "plugin.py", line 81, in calculate()
for x in mh.calculate():
File ".../messagehooks.py", line 68, in calculate
in atoms.Atoms(self._config).calculate())
File ".../messagehooks.py", line 6, in <genexpr>
atom_tables = dict((atom_table, winsta)
File ".../atoms.py", line 153, in calculate
for wndsta in windowstations.WndScan(self._config).calculate():
File ".../common.py", line 45, in __init__
config.add_option("VIRTUAL", short_option = "V", default = False,
AttributeError: type object 'Atoms' has no attribute 'add_option'
Is there a better/correct way of getting at the data normally yielded by a
plugin's calculate method?
Thank you,
Adam
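The traceback shows why the direct call fails: a plugin's __init__ calls config.add_option() on its first argument, so the constructor needs a populated ConfObject, not other plugin classes. The following is an added example (not code from the list or from the Volatility project) of the usual bootstrap for driving a Volatility 2.x plugin from a script; the image path and profile are placeholders, and the (winsta, atom_tables) pair shape and the winsta.Name / winsta.dwSessionId attributes are assumptions based on the question and the windowstations output.

```python
# Placeholders (assumed): point these at your own image and matching profile.
IMAGE_LOCATION = "file:///path/to/memory.img"
PROFILE = "Win7SP1x64"


def build_config(location, profile):
    """Return the ConfObject that every Volatility 2.x plugin constructor expects.

    Plugin __init__ calls config.add_option(), so passing plugin classes
    (as in the question) raises the AttributeError shown above.
    """
    import volatility.conf as conf
    import volatility.registry as registry
    import volatility.commands as commands
    import volatility.addrspace as addrspace

    registry.PluginImporter()  # discover plugins and address spaces
    config = conf.ConfObject()
    # Global options (PROFILE, LOCATION, ...) must be registered before parsing.
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    config.parse_options()
    config.PROFILE = profile
    config.LOCATION = location
    return config


def collect_messagehooks(config):
    """Instantiate MessageHooks the way vol.py does and drain calculate()."""
    import volatility.plugins.gui.messagehooks as messagehooks
    plugin = messagehooks.MessageHooks(config)
    # calculate() yields (window station, atom tables) pairs, as the question
    # describes; materialise them so they can be reused or fed to render_text().
    return list(plugin.calculate())


def describe(results):
    """Summarise each window station (assumes winsta.Name and winsta.dwSessionId)."""
    return [(str(winsta.Name), int(winsta.dwSessionId), len(atom_tables))
            for winsta, atom_tables in results]


if __name__ == "__main__":
    cfg = build_config(IMAGE_LOCATION, PROFILE)
    for name, session, count in describe(collect_messagehooks(cfg)):
        print("WindowStation %s (session %d): %d atom tables" % (name, session, count))
```

Volatility 2.5 is Python 2, so run this script with the same interpreter you use for vol.py.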
On 04.05.2016 17:46, Torres, Geoff (Cyber Security) wrote:
> When you say " Running lqs2mem on the original suspend to disk image does not work", do you mean that you're getting an error? Or that it's creating an image that doesn't work in volatility?
>
> I've run lqs2mem literally on hundreds of QEMU images with no problems.
>
> Can you post the output of your run?
>
> If I recall correctly, Juerg had to pad a certain section of memory in order to get the structures to line up. It's possible that later versions of QEMU/KVM changed so that padding isn't necessary any more.
Running lqs2mem on the original image returns "Invalid section type: 7"
- Thomas
Hello,
I am using Volatility in order to do live introspection of a Linux virtual machine (I'm using libvmi and pyvmiaddresspace.py to access the VM's memory).
The problem I am facing is that once I run a command, for example linux_pslist, I get a segmentation fault (core dumped) error with no further information about it.
Some general information about the system:
I have recompiled libvmi in order to work with the kvm-qemu patch, and I have tried the process-list example for Linux that ships with libvmi, and it works fine.
I have also tried to manually execute
pyvmi.init("instance-name","partial"), which is what pyvmiaddresspace.py does, and this also works (along with all the pyvmi-related commands like get_memsize() and get_vcpureg()).
From what I understand, the problem should lie somewhere in Volatility. Before the recompilation of libvmi everything was working fine (without the KVM patch).
Any help would be greatly appreciated.
Thanks
Anna
Hello All,
We are excited to announce that we now have public trainings scheduled
in NYC, Amsterdam, and Reston, VA! This is your chance to learn memory
forensics and malware analysis directly from the Volatility developers.
These three locations sell out quickly so please contact us ASAP if you
wish to attend:
http://volatility-labs.blogspot.com/2016/04/windows-malware-and-memory-fore…
--
Thanks,
Andrew (@attrc)
Hi,
I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64).
I checked the github repository already and did a google search to no avail.
Does anyone have one already created?
Or can anyone help me figure out how to get around these compilation errors?
include/linux/thread_info.h:24:4: error unknown type name 'u32'
u32 __user *uaddr;
^
There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set.
I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past.
Thanks,
Geoff
BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.
It’s time to start getting ready for the 7th Annual OSDFCon by submitting your presentation idea, writing an Autopsy module, and saving the date on your calendar. OSDFCon is the 1-day event to attend each year to learn about the latest open source digital forensics and incident response tools with over 400 of your colleagues.
THE ESSENTIALS
Conference Date: October 26, 2016
Location: Herndon, VA
CALL FOR PAPERS
Each year, OSDFCon gives developers and users a platform to talk about the open source software they love. We want to hear your presentation and hands-on workshop ideas. Submissions are due by June 1.
Past presentations have covered new software, new features in mature software, modules for plug-in frameworks, and use cases that integrate several pieces of software. A detailed list of topics and submission details can be found here:
http://www.osdfcon.org/osdfcon-2016/2016-call-for-presentations/
AUTOPSY MODULE COMPETITION
For the third year, Basis Technology is organizing an Autopsy module writing competition. The modules can be written in Python or Java and we have tutorials to help you get started. Learning to write Autopsy modules will make you more efficient because Autopsy takes care of providing access to files, user interface, and reporting. All you have to do is focus on some cool analytics.
The winners will be chosen by the OSDFCon attendees and the top three will get cash prizes. If we get 12 or more submissions (the number that the Volatility project got last year), Basis Technology will double the prize amounts. Submissions are due by October 17 (6 months away!). Links to tutorials and submission details can be found here:
http://www.osdfcon.org/osdfcon-2016/2016-module-development-contest/
ABOUT OSDFCON
OSDFCon is the premier event focused exclusively on open source digital forensics tools. It offers short talks over the course of a single day. These talks are packed with information and present a unique opportunity to learn about new (often free) tools and provide feedback directly to developers. Basis Technology is the organizing sponsor of the event and it is free for government employees to attend.
To answer my own question...
My profile build system is Debian based. Even though I've successfully created Fedora and CentOS profiles on it, I needed to move to a Fedora system which had the proper definition files in its compiler environment. That got rid of all the 'u32' errors. But because the compiler was gcc 5.1, I needed to create a compiler-gcc5.h file in the include/Linux folder of the kernel files. I just linked to the gcc4 file and everything compiled fine.
All the Linux Volatility commands appear to be working as expected.
Geoff
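The gcc 5 part of Geoff's workaround, scripted as an added example (not from the list post or from the Volatility project): an old 3.10 kernel tree ships compiler-gcc4.h but no compiler-gcc5.h, so the shim is a symlink, after which the profile is built with Volatility's tools/linux Makefile. The kernel source, Volatility checkout and System.map paths are assumed placeholders, and the Makefile's KDIR override is an assumption about the project's build file.

```sh
#!/bin/sh
# Added example: gcc5 header shim plus the usual Linux profile build steps.
set -e

# ensure_gcc5_header KDIR
# Links include/linux/compiler-gcc5.h -> compiler-gcc4.h when the kernel
# tree predates gcc 5; returns non-zero if no usable header results.
ensure_gcc5_header() {
    inc="$1/include/linux"
    if [ ! -e "$inc/compiler-gcc5.h" ] && [ ! -L "$inc/compiler-gcc5.h" ]; then
        ln -s compiler-gcc4.h "$inc/compiler-gcc5.h"
    fi
    [ -r "$inc/compiler-gcc5.h" ]
}

# build_profile KDIR VOLDIR SYSMAP OUT.zip
# Builds module.dwarf from Volatility's tools/linux (KDIR override assumed)
# and zips it together with the matching System.map into a profile.
build_profile() {
    kdir="$1"; voldir="$2"; sysmap="$3"; out="$4"
    ensure_gcc5_header "$kdir"
    make -C "$voldir/tools/linux" KDIR="$kdir"      # produces module.dwarf
    zip -j "$out" "$voldir/tools/linux/module.dwarf" "$sysmap"
}

# Example invocation with placeholder paths:
# build_profile /usr/src/kernels/3.10.0-229.el7.x86_64 "$HOME/volatility" \
#     /boot/System.map-3.10.0-229.el7.x86_64 RedHat71.zip
```

Copy the resulting zip into volatility/plugins/overlays/linux/ and confirm it shows up under --info before using it.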
We are very excited to announce that $999 in cash prizes was just added
to the 2016 plugin contest thanks to Airbnb!
The updated prize pools and full contest information can be found at the
following link:
http://volatility-labs.blogspot.com/2016/04/airbnb-donates-999-to-2016-vola…
--
Thanks,
Andrew (@attrc)