- Vol-users - volatilityfoundation.org

AttributeError: 'linux_mount' object has no attribute 'parse_mnt' error when trying to list tmpfs in Linux/Windows using Volatility 2.4

by Srinivasan J

Hi, I am trying to recover tmpfs from a RAM lime dump using volatility 2.4 in Linux/Windows, but I hit the "AttributeError: 'linux_mount' object has no attribute 'parse_mnt'". Is this a known issue? Thanks, Srini [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "/home/srini/vola/setup/volatility-2.4/vol.py", line 192, in <module> main() File "/home/srini/vola/setup/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/common.py", line 62, in execute commands.Command.execute(self, *args, **kwargs) File "/home/srini/vola/setup/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 157, in render_text for (i, path) in data: File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 148, in calculate tmpfs_sbs = self.get_tmpfs_sbs() File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 120, in get_tmpfs_sbs for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts): AttributeError: 'linux_mount' object has no attribute 'parse_mnt' C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7 x64 -f D:\volat\ramtmpfs.lime linux_tmpfs -L Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "<string>", line 192, in <module> File "<string>", line 183, in main File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.c ommon", line 62, in execute File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 127, in execute File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 157, in render_text File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 148, in calculate File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t mpfs", line 120, in get_tmpfs_sbs AttributeError: 'linux_mount' object has no attribute 'parse_mnt' C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7 x64 -f D:\volat\ramtmpfs.lime linux_cpuinfo Volatility Foundation Volatility Framework 2.4 Processor Vendor Model ------------ ---------------- ----- 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s tandalone> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent os7x64 --info | more Volatility Foundation Volatility Framework 2.4 Profiles -------- Linuxcentos7x64 - A Profile for Linux centos7 x64 VistaSP0x64 - A Profile for Windows Vista SP0 x64 VistaSP0x86 - A Profile for Windows Vista SP0 x86 VistaSP1x64 - A Profile for Windows Vista SP1 x64 VistaSP1x86 - A Profile for Windows Vista SP1 x86 VistaSP2x64 - A Profile for Windows Vista SP2 x64 VistaSP2x86 - A Profile for Windows Vista SP2 x86 [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_cpuinfo Volatility Foundation Volatility Framework 2.4 Processor Vendor Model ------------ ---------------- ----- 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_mount Volatility Foundation Volatility Framework 2.4 hugetlbfs /dev/hugepages hugetlbfs rw,relatime devtmpfs /dev devtmpfs rw,nosuid tmpfs /dev/shm tmpfs rw,nosuid,nodev devpts /dev/pts devpts rw,relatime,nosuid,noexec cgroup /sys/fs/cgroup/memory cgroup rw,relatime,nosuid,nodev,noexec tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec proc /proc proc rw,relatime,nosuid,nodev,noexec /dev/mapper/centos-root / xfs rw,relatime tmpfs /run tmpfs rw,nosuid,nodev sysfs /sys sysfs rw,relatime,nosuid,nodev,noexec sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime mqueue /dev/mqueue mqueue rw,relatime debugfs /sys/kernel/debug debugfs rw,relatime selinuxfs /sys/fs/selinux selinuxfs rw,relatime securityfs /sys/kernel/security securityfs rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,nosuid,nodev,noexec pstore /sys/fs/pstore pstore rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,nosuid,nodev,noexec sunrpc /proc/fs/nfsd nfsd rw,relatime tmpfs /mnt/ramdisk tmpfs rw,relatime cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,relatime,nosuid,nodev,noexec configfs /sys/kernel/config configfs rw,relatime cgroup /sys/fs/cgroup/devices cgroup rw,relatime,nosuid,nodev,noexec systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,nosuid,nodev,noexec /dev/sda1 /boot xfs rw,relatime cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,nosuid,nodev,noexec cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,nosuid,nodev,noexec [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent os7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_bash Volatility Foundation Volatility Framework 2.4 Pid Name Command Time Command -------- -------------------- ------------------------------ ------- 15151 bash 2014-10-12 01:35:58 UTC+0000 ./configure 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides tcpsic 15151 bash 2014-10-12 01:35:58 UTC+0000 ls -ltrh 15151 bash 2014-10-12 01:35:58 UTC+0000 mv lmbench3 lmbench3-3.10 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/ 15151 bash 2014-10-12 01:35:58 UTC+0000 yum intall isic 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides dwarfdump 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 cd 3.10.0-123.el7.x86_64/ 15151 bash 2014-10-12 01:35:58 UTC+0000 uname -a 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 yum install isic 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/ 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 ls 15151 bash 2014-10-12 01:35:58 UTC+0000 make 15151 bash 2014-10-12 01:35:58 UTC+0000 ifconfig 15151 bash 2014-10-12 01:35:58 UTC+0000 cd lmbench3-3.10

10 years, 1 month

2
2
0 0

New Memory Forensics & Malware Analysis trainings scheduled!

by Andrew Case

We are excited to announce that we now have public trainings scheduled through May of next year. Between now and then we will be visiting Austin (Dec.), San Francisco (Jan.), Brazil (Feb.), Reston, VA (April), and New York (May). A complete listing of course offerings and details can be found at: http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n and: http://volatility-labs.blogspot.com/2014/10/windows-malware-and-memory-fore… Classes fill quickly so please contact us ASAP if you would like to attend! We offer discounts for LEO, government, and full time students as well as group rates for companies. -- Thanks, Andrew (@attrc)

10 years, 1 month

1
0
0 0

Android Analysis

by felipecboeira .

Hi all, I have acquired an android RAM image by using Lime and now I am using volatility to analyze it. I have created a profile and can now list processes, etc. What I need to do is inspect an integer array of a kernel module, which I have the address. I tried using volshell's dd() but I believe it is not showing the correct values. How can I certify that the virtual address is being calculated correctly by volatility? Thanks in advance, Felipe

10 years, 1 month

2
1
0 0

Error in mac_netstat & mac_arp

by Andre DiMino

I have a .vmem file from a Mac OS virtual machine. I'm using profile "MacMountainLion_10_8_2_AMDx64" Using Volatility 2.4, I'm able to run a few mac commands against this image, however I get traceback errors in the 'netstat' and 'arp' commands. I paste below: +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_ifconfig Volatility Foundation Volatility Framework 2.4 Interface Address ---------- ------- lo0 fe80:1::1 lo0 127.0.0.1 lo0 ::1 gif0 stf0 en0 00:0c:29:ea:9a:27 en0 fe80:4::20c:29ff:feea:9a27 en0 172.16.253.140 +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_version Volatility Foundation Volatility Framework 2.4 Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64 +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_netstat Volatility Foundation Volatility Framework 2.4 Proto Local IP Local Port Remote IP Remote Port State Process ------ -------------------- ---------- -------------------- ----------- -------------------- ------------------------ UNIX - UNIX /var/tmp/launchd/sock UNIX - UNIX /var/run/com.apple.ActivityMonitor.socket UNIX /var/run/mDNSResponder UNIX /var/rpc/ncacn_np/lsarpc UNIX /var/rpc/ncalrpc/lsarpc UNIX /var/rpc/ncacn_np/mdssvc UNIX /var/rpc/ncalrpc/NETLOGON UNIX /var/rpc/ncacn_np/srvsvc UNIX /var/rpc/ncalrpc/srvsvc UNIX /var/rpc/ncacn_np/wkssvc UNIX /var/rpc/ncalrpc/wkssvc Traceback (most recent call last): File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module> main() File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute commands.Command.execute(self, *args, **kwargs) File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/netstat.py", line 58, in render_text self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid)) ValueError: zero length field name in format +++++++++++++++++++++++++++++++++++++++++ forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_arp Volatility Foundation Volatility Framework 2.4 Source IP Dest. IP Name Sent Recv Time Exp. Delta ------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- ----- Traceback (most recent call last): File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module> main() File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main command.execute() File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute commands.Command.execute(self, *args, **kwargs) File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute func(outfd, data) File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/route.py", line 104, in render_text rt.name, File "/home/forensics/programs/volatility-2.4/volatility/obj.py", line 537, in __getattr__ return getattr(result, attr) File "/home/forensics/programs/volatility-2.4/volatility/plugins/overlays/mac/mac.py", line 562, in name return "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit) ValueError: zero length field name in format ++++++++++++++++++++++++++++++ Any thoughts or ideas are very appreciated! -- Andre' M. DiMino DeepEnd Research http://deependresearch.org http://sempersecurus.org "Make sure that nobody pays back wrong for wrong, but always try to be kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

10 years, 1 month

2
2
0 0

Error with 2.4 Debian Wheezy

by Sean McLinden

I just build a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated though how far it gets differs with each run. The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware. user@host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt Volatility Foundation Volatility Framework 2.4 Traceback (most recent call last): File "/usr/local/bin/vol.py", line 192, in <module> main() File "/usr/local/bin/vol.py", line 183, in main command.execute() File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute func(outfd, data) File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text str(task.ExitTime or ''), File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row outfd.write(self.tablesep.join(reslist) + "\n") IOError: [Errno 22] Invalid argument Thanks for any help. Sean McLinden

10 years, 1 month

2
2
0 0

conflicting argument

by A Musavi

Hi, I think there is still conflicting problem in vol 2.4: optparse.OptionConflictError: option -F/--filter: conflicting option string(s): -F

10 years, 1 month

2
1
0 0

failing to map address space for a dump/snapshot file created by libvirt command

by 谢志宇

Hi, everybody, I'm a new comer to volatility framework. At the same time, I am getting to work with libvirt library. I created a dump file named 'vm1_snapshot' by using libvirt command like 'virsh save domain'. In the domain ran the WinXPSP3x86. However, when I used 'python vol.py -f ~/vm1_snapshot --profile=WinXPSP3x86 pslist', the result showed as 'No suitable address space mapping found‍'. How could this happen? Is there anything wrong with the way the snapshot file was created? I hope some guy can do me a favor. ‍

10 years, 1 month

1
0
0 0

zeusscan2

by Bill Moylan

Testing zeusscan against a known zeus vmem sample, I am getting a segmentation fault. Other vol commands run and return results properly, and zeuscan appears to have compiled OK. No errors output except for the segmentation fault. Host OS is CentOS Linux 2.6, Volatility is 2.4. Zeus.vmem is WinXPSP2x86 Any ideas on troubleshooting? Bill

10 years, 2 months

2
1
0 0

OMFW 2014 Update & Dr. Brendan Dolan-Gavitt

by AAron Walters

vol-users, We are excited to announce that over half the seats for the Open Memory Forensics Workshop (OMFW) 2014 have already been reserved. It’s also great to see a large number of first time attendees from across government, academic, and commercial institutions. This is your one chance a year to hear about the latest research in memory forensics from the people who are pioneering the field. If you are still planning to attend, we suggest you register as soon as possible to make sure you have a seat. We are also excited to announce that Dr. Brendan Dolan Gavitt (moyix) will be speaking at the workshop. As many of you know, Brendan has been a member of the Volatility family since the very beginning and recently earned his PhD from the Georgia Institute of Technology. If you have followed Brendan’s work throughout the years and his new research with PANDA, I’m sure you will not be disappointed. In the upcoming weeks, we will continue finalizing and announcing the exciting roster of speakers. http://volatility.tumblr.com/post/97219909222/omfw-2014-update-dr-brendan-d… AW

10 years, 2 months

1
0
0 0

Having issues with linux profile -- please help

by Josh Horowitz

Dear Vol-users: First and foremost thanks to the creators of volatility for this amazing tool. I've been struggling to create a proper linux profile to analyze a memory dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was split into several files which I combined using cat. I don't have access to the physical machine just some snapshot info, and have been trying to gather all the information I need in order to create the proper profile as follows: I grepped through /var/log/kern.log to find the kernel version that was running and got this: Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50) Also grep through kern.log for CPU and get: CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know to utilize 64-bit architecture. So to create the profile, I've installed a virtual machine running Ubuntu 12.04.3X64 and the identical kernel version: 3.2.0-53-generic. I have a different processor core on the virtual machine Im using to build the profile (Intel i5-4288U @ 2.60 GHZ, perhaps this is part of the problem?) I followed the instructions to a T on generating modules.dwarf using the included volatility toolset, copying the Systems.map file, zipping them together, etc. Run the required python vol.py --info | grep Linux Volatility Foundation Volatility Framework 2.4 Linux3_2_0-52-genericX_64x64 - A Profile for Linux 3.2.0-52-genericX_64 x64 Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64 LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86 LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64 x64 Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86 and all seems well. (The LinuxUbuntu_12_04_3_X64x64 is for kernel 3.2.0-53-generic) Now when I run the following with -dd flag for debug I get the following (Sorry for length of debug msg) python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist Volatility Foundation Volatility Framework 2.4 DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols DEBUG : volatility.obj : Applying modification from BashHashTypes DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF32Modification DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from ELFModification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification DEBUG : volatility.obj : Applying modification from MachoModification DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols DEBUG : volatility.obj : Applying modification from BashHashTypes DEBUG : volatility.obj : Applying modification from BashTypes DEBUG : volatility.obj : Applying modification from BasicObjectClasses DEBUG : volatility.obj : Applying modification from ELF32Modification DEBUG : volatility.obj : Applying modification from ELF64Modification DEBUG : volatility.obj : Applying modification from ELFModification DEBUG : volatility.obj : Applying modification from HPAKVTypes DEBUG : volatility.obj : Applying modification from LimeTypes DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification DEBUG : volatility.obj : Applying modification from MachoModification DEBUG : volatility.obj : Applying modification from MachoTypes DEBUG : volatility.obj : Applying modification from MbrObjectTypes DEBUG : volatility.obj : Applying modification from VMwareVTypesModification DEBUG : volatility.obj : Applying modification from VirtualBoxModification DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel DEBUG : volatility.obj : Applying modification from LinuxMountOverlay DEBUG : volatility.obj : Applying modification from LinuxObjectClasses DEBUG : volatility.obj : Applying modification from LinuxOverlay Offset Name Pid Uid Gid DTB Start Time ------------------ -------------------- --------------- --------------- ------ ------------------ ---------- DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fe1d90> DEBUG : volatility.utils : Voting round DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xffffffff DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xfffff8104eff0L DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Failed valid Address Space check DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff070L DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff040L DEBUG1 : volatility.obj : None object instantiated: No suggestions available DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64BitMap: No base Address Space VMWareMetaAddressSpace: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareAddressSpace: No base Address Space QemuCoreDumpElf: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space OSXPmemELF: No base Address Space MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64BitMap: Header signature invalid VMWareMetaAddressSpace: VMware metadata file is not available WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF Header signature invalid VMWareAddressSpace: Invalid VMware signature: 0xffffffff QemuCoreDumpElf: ELF Header signature invalid WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Failed valid Address Space check IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected OSXPmemELF: ELF Header signature invalid FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check The error must have something to do with the way that I'm generating the profile (at least I think something is off) but I can't for the life of me figure out what the problem is. I truly appreciate any light that a vol expert out there may able to shed on what I need to do differently. Thanks very much.

10 years, 2 months

2
5
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users