vol-users,
The registration for the Open Memory Forensics Workshop (OMFW) 2014 closes
on Oct 24. If you are still planning to attend, I recommend sending a
request as soon as possible. There are fewer than 10 open seats remaining!
For those who have already requested an invitation, please let us know if
you have not received your registration details.
Reserve your seat by sending an email to info [at]
volatilityfoundation.org or using the contact form on the Foundation's
website.
Thanks,
The Volatility Foundation
www.volatilityfoundation.org
We are excited to announce that we now have public trainings scheduled
through May of next year. Between now and then we will be visiting
Austin (Dec.), San Francisco (Jan.), Brazil (Feb.), Reston, VA (April),
and New York (May). A complete listing of course offerings and details
can be found at:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
and:
http://volatility-labs.blogspot.com/2014/10/windows-malware-and-memory-fore…
Classes fill quickly so please contact us ASAP if you would like to
attend! We offer discounts for LEO, government, and full-time students
as well as group rates for companies.
--
Thanks,
Andrew (@attrc)
Hi all,
I have acquired an Android RAM image using LiME and now I am using
Volatility to analyze it. I have created a profile and can now list
processes, etc. What I need to do is inspect an integer array of a kernel
module, whose address I have. I tried using volshell's dd() but I
believe it is not showing the correct values. How can I verify that the
virtual address is being calculated correctly by Volatility?
Thanks in advance,
Felipe
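One way to check the question above, as an added example that is not code from the post or from Volatility: read the array twice, once through the virtual address space and once from the physical layer at the offset that vtop() reports for each page, and compare. It assumes the address-space interface Volatility 2.x exposes in volshell through addrspace(): read(addr, length), vtop(vaddr) and a .base attribute for the underlying physical layer (for a LiME image that is the LiME layer). The paged space, the page map, the addresses and the values below are constructed for the demonstration so it runs offline; in volshell you would pass the real address space instead.

```python
"""Added example, not code from the original post or from Volatility.

Cross-check an integer array read through a kernel virtual address against
the same bytes read from the physical layer at the offset that vtop()
reports. Assumed interface (Volatility 2.x address spaces as used from
volshell's addrspace()): read(addr, length), vtop(vaddr), and .base for the
physical layer. The fake two-page mapping below is constructed; the page
size, addresses and values are made up."""
import struct

PAGE = 0x1000
WIDTH_CODES = {1: "b", 2: "h", 4: "i", 8: "q"}


class FakePhysicalLayer(object):
    """Stand-in for a Volatility physical address space (constructed)."""

    def __init__(self, size):
        self.data = bytearray(size)

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self.data):
            return None
        return bytes(self.data[offset:offset + length])

    def write(self, offset, raw):
        self.data[offset:offset + len(raw)] = raw


class FakePagedSpace(object):
    """Stand-in for a paged virtual address space: a page-granular
    virtual -> physical map on top of a physical layer (constructed)."""

    def __init__(self, base, page_map):
        self.base = base          # physical layer, like Volatility's .base
        self.page_map = page_map  # virtual page -> physical page

    def vtop(self, vaddr):
        ppage = self.page_map.get(vaddr & ~(PAGE - 1))
        if ppage is None:
            return None
        return ppage | (vaddr & (PAGE - 1))

    def read(self, vaddr, length):
        chunks = []
        while length > 0:
            paddr = self.vtop(vaddr)
            if paddr is None:
                return None
            n = min(length, PAGE - (vaddr & (PAGE - 1)))
            chunks.append(self.base.read(paddr, n))
            vaddr += n
            length -= n
        return b"".join(chunks)


def decode_ints(raw, count, width=4, signed=False, little_endian=True):
    """Unpack `count` fixed-width integers from raw bytes."""
    code = WIDTH_CODES[width]
    if not signed:
        code = code.upper()
    return list(struct.unpack(("<" if little_endian else ">") + str(count) + code, raw))


def read_int_array(space, vaddr, count, width=4, **kw):
    """Read an integer array via the virtual layer; None if any page is unmapped."""
    raw = space.read(vaddr, count * width)
    if raw is None or len(raw) != count * width:
        return None
    return decode_ints(raw, count, width, **kw)


def crosscheck_int_array(space, vaddr, count, width=4, **kw):
    """Read the array through the virtual layer and, page by page, from the
    physical layer at vtop(). Returns (via_virtual, via_physical, translations);
    a None translation, or a mismatch between the two lists, means the address
    or the profile's page-table walk is wrong."""
    via_virtual = read_int_array(space, vaddr, count, width, **kw)
    translations, chunks = [], []
    addr, remaining = vaddr, count * width
    while remaining > 0:
        paddr = space.vtop(addr)
        translations.append((addr, paddr))
        if paddr is None:
            return via_virtual, None, translations
        n = min(remaining, PAGE - (addr & (PAGE - 1)))
        chunks.append(space.base.read(paddr, n))
        addr += n
        remaining -= n
    via_physical = decode_ints(b"".join(chunks), count, width, **kw)
    return via_virtual, via_physical, translations


def build_sample_space():
    """Constructed sample: six little-endian uint32 values laid out across a
    page boundary, with the two virtual pages mapped out of order."""
    phys = FakePhysicalLayer(4 * PAGE)
    phys.write(0x3FF0, struct.pack("<4I", 1, 2, 3, 4))  # tail of physical page 3
    phys.write(0x1000, struct.pack("<2I", 5, 6))        # head of physical page 1
    return FakePagedSpace(phys, {0xC0001000: 0x3000, 0xC0002000: 0x1000})


if __name__ == "__main__":
    space = build_sample_space()
    print(crosscheck_int_array(space, 0xC0001FF0, 6))
```

The width and endianness arguments matter on Android: dd() shows 32-bit words, so a 64-bit or big-endian array will look wrong even when the translation is right. If vtop() returns None for a page the array spans, the virtual address (or the profile) is the problem, not the decoding.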
I have a .vmem file from a Mac OS virtual machine. I'm using profile
"MacMountainLion_10_8_2_AMDx64"
Using Volatility 2.4, I'm able to run a few mac commands against this
image, however I get traceback errors in the 'netstat' and 'arp' commands.
I paste below:
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
--profile=MacMountainLion_10_8_2_AMDx64 mac_ifconfig
Volatility Foundation Volatility Framework 2.4
Interface Address
---------- -------
lo0 fe80:1::1
lo0 127.0.0.1
lo0 ::1
gif0
stf0
en0 00:0c:29:ea:9a:27
en0 fe80:4::20c:29ff:feea:9a27
en0 172.16.253.140
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
--profile=MacMountainLion_10_8_2_AMDx64 mac_version
Volatility Foundation Volatility Framework 2.4
Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012;
root:xnu-2050.18.24~1/RELEASE_X86_64
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
--profile=MacMountainLion_10_8_2_AMDx64 mac_netstat
Volatility Foundation Volatility Framework 2.4
Proto  Local IP             Local Port Remote IP            Remote Port State                Process
------ -------------------- ---------- -------------------- ----------- -------------------- ------------------------
UNIX -
UNIX /var/tmp/launchd/sock
UNIX -
UNIX /var/run/com.apple.ActivityMonitor.socket
UNIX /var/run/mDNSResponder
UNIX /var/rpc/ncacn_np/lsarpc
UNIX /var/rpc/ncalrpc/lsarpc
UNIX /var/rpc/ncacn_np/mdssvc
UNIX /var/rpc/ncalrpc/NETLOGON
UNIX /var/rpc/ncacn_np/srvsvc
UNIX /var/rpc/ncalrpc/srvsvc
UNIX /var/rpc/ncacn_np/wkssvc
UNIX /var/rpc/ncalrpc/wkssvc
Traceback (most recent call last):
  File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module>
    main()
  File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
    command.execute()
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/netstat.py", line 58, in render_text
    self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid))
ValueError: zero length field name in format
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
--profile=MacMountainLion_10_8_2_AMDx64 mac_arp
Volatility Foundation Volatility Framework 2.4
Source IP                Dest. IP                 Name       Sent               Recv               Time                           Exp.       Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
Traceback (most recent call last):
  File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module>
    main()
  File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
    command.execute()
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/route.py", line 104, in render_text
    rt.name,
  File "/home/forensics/programs/volatility-2.4/volatility/obj.py", line 537, in __getattr__
    return getattr(result, attr)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/overlays/mac/mac.py", line 562, in name
    return "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit)
ValueError: zero length field name in format
++++++++++++++++++++++++++++++
Any thoughts or ideas are very appreciated!
--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
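Both tracebacks above end in "ValueError: zero length field name in format". That is the error Python 2.6's str.format() raises for auto-numbered replacement fields such as "{}/{}"; automatic field numbering only arrived in Python 2.7 (and 3.1), and the two failing calls use exactly that form. As an added example that is not code from the post or from Volatility, the functions below flag templates that depend on auto-numbering and rewrite them with explicit indices, which every Python version accepts, so a plugin tree can be scanned before it is run on an older interpreter. The sample source lines are constructed for this example; the first two mirror the calls in the tracebacks.

```python
"""Added example, not code from the original post or from Volatility.

Find str.format() templates with auto-numbered fields ("{}", "{:spec}",
"{!conv}"), which Python 2.6 rejects with "zero length field name in
format", and rewrite them with explicit positional indices. The sample
source lines at the bottom are constructed for this example."""
import re


def number_auto_fields(template):
    """Give every empty-named field an explicit positional index, left to
    right. Named or indexed fields and the literal-brace escapes "{{" / "}}"
    are left alone; a field nested inside a format spec ("{:{width}}") is
    skipped over, not renumbered. Returns (rewritten, fields_renumbered)."""
    out, i, auto = [], 0, 0
    n = len(template)
    while i < n:
        if template.startswith("{{", i) or template.startswith("}}", i):
            out.append(template[i:i + 2])
            i += 2
            continue
        if template[i] != "{":
            out.append(template[i])
            i += 1
            continue
        # Find the closing brace of this field, tolerating nesting in the spec.
        depth, j = 1, i + 1
        while j < n and depth:
            if template[j] == "{":
                depth += 1
            elif template[j] == "}":
                depth -= 1
            j += 1
        if depth:
            raise ValueError("unbalanced '{' at offset %d" % i)
        body = template[i + 1:j - 1]
        # The field name ends at the first "!" (conversion) or ":" (spec).
        m = re.match(r"([^!:]*)(.*)$", body, re.S)
        name, rest = m.group(1), m.group(2)
        if name == "":
            name = str(auto)
            auto += 1
        out.append("{" + name + rest + "}")
        i = j
    return "".join(out), auto


def uses_auto_numbering(template):
    """True if str.format() on this template fails on Python 2.6."""
    return number_auto_fields(template)[1] > 0


# A string literal immediately followed by .format( ; single-line templates only.
_LITERAL_BEFORE_FORMAT = re.compile(
    r'''("(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')(?=\s*\.format\()''')


def scan_source(lines):
    """Return [(lineno, original_line, rewritten_line)] for every source line
    whose .format() template relies on auto-numbered fields."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        renumbered = [0]

        def fix(match):
            literal = match.group(1)
            quote = literal[0]
            fixed, count = number_auto_fields(literal[1:-1])
            renumbered[0] += count
            return quote + fixed + quote

        rewritten = _LITERAL_BEFORE_FORMAT.sub(fix, line)
        if renumbered[0]:
            findings.append((lineno, line, rewritten))
    return findings


# Constructed sample lines; the first two mirror the calls in the tracebacks.
SAMPLE_SOURCE = [
    '"{}/{}".format(proc.p_comm, proc.p_pid)',
    'return "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit)',
    'outfd.write("{0:<10} {1}\\n".format(name, value))',
    "log('literal {{braces}} and {:>8} then {!r}'.format(size, path))",
]

if __name__ == "__main__":
    for lineno, before, after in scan_source(SAMPLE_SOURCE):
        print("line %d: %s\n    -> %s" % (lineno, before, after))
```

Running the scanner over a plugin directory (one file at a time, feeding it the file's lines) lists every format call that will break under 2.6 and the replacement to apply; the rewritten template produces the same output on 2.7 and 3 as the original did.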
I just built a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated, though how far it gets differs with each run.
The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware.
user@host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 192, in <module>
main()
File "/usr/local/bin/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text
str(task.ExitTime or ''),
File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row
outfd.write(self.tablesep.join(reslist) + "\n")
IOError: [Errno 22] Invalid argument
Thanks for any help.
Sean McLinden
Hi, everybody,
I'm a newcomer to the Volatility framework. At the same time, I am getting to work with the libvirt library. I created a dump file named 'vm1_snapshot' by using a libvirt command like 'virsh save domain'. The domain ran WinXPSP3x86. However, when I used 'python vol.py -f ~/vm1_snapshot --profile=WinXPSP3x86 pslist', the result showed 'No suitable address space mapping found'. How could this happen? Is there anything wrong with the way the snapshot file was created? I hope some guy can do me a favor.
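"No suitable address space mapping found" means that none of Volatility's address-space layers recognised the container the file is in, so the first thing to check is what the file actually starts with. The following is an added example, not code from the post or from Volatility, that classifies a memory image by its leading bytes. The signatures it assumes are: the ELF magic "\x7fELF" (a virsh dump --memory-only file is an ELF core, e_type ET_CORE), the LiME segment header (little-endian magic 0x4C694D45, i.e. the bytes "EMiL", followed by version and the first physical range), the Windows crash-dump signatures "PAGEDUMP" and "PAGEDU64", and the "LibvirtQemudSave" / "LibvirtQemudPart" magic that libvirt's QEMU driver writes at the start of a virsh save file, which is a libvirt-specific save-state container rather than a raw physical memory image. A raw dump (and a VMware .vmem) has no signature at all. The sample headers are constructed.

```python
"""Added example, not code from the original post or from Volatility.

Classify a memory image by its first bytes so a container-format mismatch
is visible before Volatility is asked to map it. Signatures assumed by
this example: ELF, LiME, Windows crash dump, libvirt virsh-save header.
Sample headers used for the demonstration are constructed."""
import struct

LIME_MAGIC = 0x4C694D45   # stored little-endian, so the file begins "EMiL"
ET_CORE = 4               # ELF e_type for core files

PLAIN_SIGNATURES = [
    (b"PAGEDUMP", "windows-crashdump-32"),
    (b"PAGEDU64", "windows-crashdump-64"),
    (b"LibvirtQemudSave", "libvirt-virsh-save"),
    (b"LibvirtQemudPart", "libvirt-virsh-save-partial"),
]


def describe_header(header):
    """Return (label, details) for the leading bytes of a memory image.
    'raw-or-unknown' covers raw dumps, which carry no signature."""
    if header.startswith(b"\x7fELF") and len(header) >= 18:
        ei_class, ei_data = struct.unpack_from("BB", header, 4)
        endian = "<" if ei_data == 1 else ">"
        (e_type,) = struct.unpack_from(endian + "H", header, 16)
        label = "elf-core" if e_type == ET_CORE else "elf-not-core"
        return label, {"class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "?"),
                       "e_type": e_type}
    if len(header) >= 24 and struct.unpack_from("<I", header, 0)[0] == LIME_MAGIC:
        # LiME header: u32 magic, u32 version, u64 s_addr, u64 e_addr, u8[8] reserved
        _, version, s_addr, e_addr = struct.unpack_from("<IIQQ", header, 0)
        return "lime", {"version": version, "first_range": (s_addr, e_addr)}
    for magic, label in PLAIN_SIGNATURES:
        if header.startswith(magic):
            return label, {}
    return "raw-or-unknown", {}


def describe_file(path, nbytes=32):
    """Read the first nbytes of a file and classify them."""
    with open(path, "rb") as fh:
        return describe_header(fh.read(nbytes))


def build_samples():
    """Constructed headers covering each recognised container (not real images)."""
    elf64_core = (b"\x7fELF" + bytes(bytearray([2, 1, 1])) + b"\x00" * 9
                  + struct.pack("<H", ET_CORE) + b"\x00" * 14)
    lime = struct.pack("<IIQQ8s", LIME_MAGIC, 1, 0x80000000, 0x8FFFFFFF, b"\x00" * 8)
    return {
        "elf64_core": elf64_core,
        "lime": lime,
        "virsh_save": b"LibvirtQemudSave" + b"\x00" * 16,
        "crashdump64": b"PAGEDU64" + b"\x00" * 24,
        "raw": b"\x00" * 32,
    }


if __name__ == "__main__":
    for name, header in sorted(build_samples().items()):
        print("%-12s -> %s" % (name, describe_header(header)))
```

If the file reports as a libvirt save container, the guest memory is not at offset 0 and is not in a layout Volatility's raw, ELF or LiME layers expect; an ELF core labelled "elf-core" or a LiME file are the containers that the framework's address spaces are built to recognise.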
Testing zeusscan against a known Zeus vmem sample, I am getting a
segmentation fault. Other vol commands run and return results properly, and
zeusscan appears to have compiled OK. No errors are output except for the
segmentation fault.
Host OS is CentOS Linux 2.6, Volatility is 2.4. Zeus.vmem is WinXPSP2x86
Any ideas on troubleshooting?
Bill
vol-users,
We are excited to announce that over half the seats for the Open Memory
Forensics Workshop (OMFW) 2014 have already been reserved. It’s also
great to see a large number of first time attendees from across
government, academic, and commercial institutions. This is your one
chance a year to hear about the latest research in memory forensics from
the people who are pioneering the field. If you are still planning to
attend, we suggest you register as soon as possible to make sure you have
a seat.
We are also excited to announce that Dr. Brendan Dolan-Gavitt (moyix) will
be speaking at the workshop. As many of you know, Brendan has been a
member of the Volatility family since the very beginning and recently
earned his PhD from the Georgia Institute of Technology. If you have
followed Brendan's work throughout the years and his new research with
PANDA, I'm sure you will not be disappointed.
In the upcoming weeks, we will continue finalizing and announcing the
exciting roster of speakers.
http://volatility.tumblr.com/post/97219909222/omfw-2014-update-dr-brendan-d…
AW