Gang,
I've googled it and seen some other discussion of the dreaded
ERROR : volatility.debug : Invalid profile <blah> selected
error. I'm trying to figure out what changed recently so that profiles
that used to work for me no longer work. I just did a fresh Ubuntu
14.04.4 install and then installed volatility (and distorm3 via pip) from
github and I'm getting the error above. Note, this is the current release
version, though I also have the problem with the version from whatever
repo SIFT uses. The profile actually came from SecondLook and worked just
fine on a different Ubuntu system about 4 weeks ago, but today it fails
(on the system where it used to run), so I decided to try on this virgin
system and get the same error. I'm at a loss, since there are no other
debugging messages to help me out with what might be the problem. I can
provide the profile to anyone who needs it (and probably a memory image,
too, but that needs to be a little more tightly controlled) if that would
help.
--
Jim Clausing
GIAC GSE #26, CISSP
GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
Ok, can you run:
vol.py --info | grep Linux
and see if the profile name shows up like you have it as --profile?
Thanks,
Andrew (@attrc)
On 04/07/2016 02:26 PM, Jim Clausing wrote:
> -dd doesn't give me anything more than that error.
>
> jac@ubuntu:~$ vol.py -dd --plugins=profiles
> --profile=Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> -m XUbuntu\ 64-bit-Snapshot3.vmem linux_pslist
> Volatility Foundation Volatility Framework 2.5
> ERROR : volatility.debug : Invalid profile
> Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> selected
>
> --
> Jim Clausing
> GIAC GSE #26, CISSP
> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>
> On or about Thu, 7 Apr 2016, Andrew Case pontificated thusly:
>
>> Hey,
>>
>> Can you run volatility with -dd set and send the output? If I can't
>> figure out it from there I will take the memory sample and profile. Feel
>> free to send debug output offline.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 04/07/2016 12:27 PM, Jim Clausing wrote:
>>> Gang,
>>> I've googled it and seen some other discussion of the dreaded
>>>
>>> ERROR : volatility.debug : Invalid profile <blah> selected
>>>
>>> error. I'm trying to figure out what changed recently so that profiles
>>> that used to work for me no longer work. I just did a fresh Ubuntu
>>> 14.04.4 install and then installed volatility (and distorm3 via pip)
>>> from github and I'm getting the error above. Note, this is the current
>>> release version, though I also have the problem with the version from
>>> whatever repo SIFT uses. The profile actually came from SecondLook and
>>> worked just fine on a different Ubuntu system about 4 weeks ago, but
>>> today it fails (on the system where it used to run), so I decided to try
>>> on this virgin system and get the same error. I'm at a loss, since
>>> there are no other debugging messages to help me out with what might be
>>> the problem. I can provide the profile to anyone who needs it (and
>>> probably a memory image, too, but that needs to be a little more tightly
>>> controlled) if that would help.
>>>
>>> --
>>> Jim Clausing
>>> GIAC GSE #26, CISSP
>>> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
>>
>
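An added example, not code from the thread or from the Volatility project: it reproduces, as I read Volatility 2.5's LinuxProfileFactory (an assumption, so verify against your checkout), how a profile zip in the --plugins directory becomes the name that `vol.py --info | grep Linux` lists, and why a zip can be skipped without any message; the zip contents are constructed inline.

```python
import io
import os
import zipfile


def inspect_linux_profile(zip_name, zip_bytes):
    """Return (registered_name or None, problems) for one profile zip.

    Naming rule is my reading of LinuxProfileFactory in volatility 2.5
    (assumption): 'Linux' + zip basename without extension, '.' -> '_',
    plus an arch suffix guessed from the System.map member's file name.
    """
    problems = []
    has_dwarf = has_sysmap = False
    arch = "x86"  # default when nothing in the map name says 64-bit
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            low = member.lower()
            if "dwarf" in low:
                has_dwarf = True
            elif "system.map" in low:
                has_sysmap = True
                if "x86_64" in low or "amd64" in low:
                    arch = "x64"
    if not has_dwarf:
        problems.append("no member with 'dwarf' in its name (module.dwarf)")
    if not has_sysmap:
        problems.append("no member with 'system.map' in its name")
    if problems:
        # A zip missing either part is not registered, and --info never lists it
        return None, problems
    base = os.path.splitext(os.path.basename(zip_name))[0]
    return "Linux" + base.replace(".", "_") + arch, problems


def build_zip(members):
    """Constructed test data: an in-memory zip holding the given file names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, "placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_zip(["module.dwarf", "System.map-2.6.32-431.el6.x86_64"])
    print(inspect_linux_profile("CentOS65.zip", good))
    bad = build_zip(["System.map-3.13.0-79-generic"])  # dwarf file forgotten
    print(inspect_linux_profile("Ubuntu1404.zip", bad))
```

If the name this prints differs from what you pass to --profile, that is the name to use; if it prints None, the zip is the problem rather than the profile name.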
We are happy to announce that the 2016 Volatility Plugin Contest is now
live:
http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-cont…
This contest is modeled after the annual IDA Pro one, and its purpose is
to encourage new research in the memory forensics field. Volatility is
one of the most popular tools in digital forensics, incident response,
and malware analysis, and by submitting to our contest your work will
immediately gain visibility through all of these communities.
Besides this recognition, we also award the top entries over $2,000 in
cash prizes, swag (stickers, t-shirts, etc.), and blog entries on our
Volatility Labs blog.
This contest is a great opportunity to explore the open source
Volatility Framework, add visibility to your career, and potentially
develop a master's thesis or PhD project.
--
Thanks,
Andrew (@attrc)
Sir,
I am doing my M.E. in Cyber Forensics and Information Security and am
currently doing my project work on Mac RAM dump analysis. I am using
volafox-master for listing data from a dump collected from my laptop. Can you
please help me find the list of running processes? Currently I've
found a symbol that volatility uses ("_allproc"); I've also found it in the
symutils file.
But I don't know what to do with it.
Thanks in advance,
Razeem
Hello,
I am working on a homework assignment that involves IR on a Linux system.
We were only given some of the log files and a memory dump. None of the
profiles on Github work so I need to build a profile. Unfortunately, the
memory dump comes from a very old version of RedHat. It's RedHat 7.2
(Enigma), not RHEL7.
I found the Enigma ISOs, created a VM and downloaded the source, headers,
libdwarf, dwarfdump, etc., and installed them, but when I run make from the
tools/linux folder, it doesn't create the module.ko file that dwarfdump
uses. I ran the make manually and it finishes without any errors, but no
module.ko.
Any ideas what I might be doing wrong?
Thanks!
Carlos
Hi,
I'm trying to detect an LKM rootkit (https://github.com/ivyl/rootkit) which
hides its module and hooks fops.
I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and the latest Volatility
git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both the memory dump
and the analysis.
Many plugins work fine, but it can't be detected by the plugins below (same on
Volatility 2.4).
* linux_hidden_modules - nothing is detected
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
Volatility Foundation Volatility Framework 2.5
Offset (V) Name
------------------ ----
* linux_check_fops - outputs error (no verbose output on --debug option)
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : You must specify something to do (try -h)
I would really appreciate any advice.
Regards,
Dear vol-users,
I'm trying to get data from a volatile registry key using the regapi /
rawreg classes in volatility.
The key I'm looking for is under HKCU\Software\Classes\, and is called CLSID
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes\\CLSID"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
The requested key could not be found in the hive(s) searched
So I go up one level:
vol.py
--plugins='/Users/tomchop/Infosec/Forensics-RE/volatility-plugins/volatility-autoruns'
-f Windows\ 7\ x64-aa76b309.vmem --profile=Win7SP1x64 printkey -K
"Software\\Classes"
Volatility Foundation Volatility Framework 2.4
Legend: (S) = Stable (V) = Volatile
----------------------------
Registry: \??\C:\Users\admin\ntuser.dat
Key name: Classes (V)
Last updated: 2015-04-11 18:04:18 UTC+0000
Subkeys:
Values:
REG_LINK SymbolicLinkValue : (V) \Registry
\User\S-1-5-21-978483858-511166411-2750856381-1000_Classes
----------------------------
Registry: \SystemRoot\System32\Config\DEFAULT
Key name: Classes (S)
Last updated: 2009-07-14 04:48:57 UTC+0000
Subkeys:
(S) Local Settings
Values:
How can I query this key and keep on drilling into its subkeys?
Also, my plugin is making extensive use of rawreg because I try to get each
individual NTUSER.dat hive, and I don't know which hive_name to pass on to
regapi. Should I use the full hive name, as in
self.hive_name(obj.Object("_CMHIVE",
vm = addr_space, offset = hive_offset)), or is there a better way of doing
it?
Any help is greatly appreciated. Have a great day!
--
Thomas Chopitea
Hello,
I am not sure why I am having trouble running vol against a Win7 memory image:
I ran the imageinfo plugin against the image and it suggests Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64:
But when I select the Win7S1x64 profile for other plugins I get the following error:
Any suggestions on what I am missing? Thanks in advance.
We are very excited to announce that the lineup for BSidesNOLA 2016 is out!
The day will start with a keynote presentation from Darren Van Booven.
He is currently the CISO of Idaho National Laboratory and was previously
the CISO of the US House of Representatives. It will then continue with
three tracks of talks ranging from
application security to memory forensics to malware analysis to law.
Full information on the conference can be found at the following page:
http://www.securitybsides.com/w/page/104051753/BSidesNOLA%202016
The cost to attend is $15, and you must register through the
EventBrite link (
https://www.eventbrite.com/e/bsides-nola-2016-tickets-20569894107 ).
Last year was our third year and we had 200 people attend. We are
expecting even more this year. For those of you who attended last
year, you know that beyond just great talks and networking, we also
provide very good food and drinks. The close proximity to the French
Quarter (5-10 minute walk) also means that after the conference there
will be plenty of fun and interesting things to do for the rest of the
night.
We hope to see you there and if you have any questions please reply to
this thread or email bsidesnola [@@] gmail.com.
--
Thanks,
Andrew (@attrc)
Hello all,
I am researching the behavior of the Galileo RCS, whose source code
leaked in July 2015. I am using volatility 2.5 on Windows 7 and the
instructions given in the blog of Joe Greenwood on 4armed.com.
I downloaded the standalone version for Windows and I run it from the
command line, but it dies immediately complaining about a missing source
file.
volatility-2.5.standalone.exe --profile=Win7SP1x64 -f test.raw -v psxview
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : The requested file doesn't exist
The system is Windows 7 x64 with SP1, so the profile should be correct.
Python 2.7 is installed in the system, but it should not be necessary
for a standalone version anyway.
Thank you in advance for your help!
Best regards
Marian Kechlibar