Dear Vol-users:
First and foremost thanks to the creators of volatility for this amazing
tool.
I've been struggling to create a proper Linux profile to analyze a memory
dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was
split into several files which I combined using cat.
I don't have access to the physical machine, just some snapshot info, and
have been trying to gather all the information I need in order to create
the proper profile, as follows:
I grepped through /var/log/kern.log to find the kernel version that was
running and got this:
Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
I also grepped through kern.log for the CPU and got:
CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know
uses a 64-bit architecture.
So to create the profile, I've installed a virtual machine running Ubuntu
12.04.3 x64 and the identical kernel version: 3.2.0-53-generic. I have a
different processor core on the virtual machine I'm using to build the
profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?).
I followed the instructions to a T on generating module.dwarf using the
included volatility toolset, copying the System.map file, zipping them
together, etc.
I ran the required
python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64 - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86
and all seems well. (The LinuxUbuntu_12_04_3_X64x64 profile is for kernel
3.2.0-53-generic.)
Now when I run the following with the -dd flag for debug I get the following
(sorry for the length of the debug message):
python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7fe1d90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace:
Invalid VMware signature: 0xffffffff
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.obj : None object instantiated: Unable to
read_long_long_phys at 0xfffff8104eff0L
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff070L
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff040L
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xffffffff
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
selected
IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
The error must have something to do with the way that I'm generating the
profile (at least I think something is off), but I can't for the life of me
figure out what the problem is. I truly appreciate any light that a vol
expert out there may be able to shed on what I need to do differently. Thanks
very much.
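Since this thread turns on whether the profile and the image really belong to the same kernel, here is an added example (not code from the post, and not Volatility's own) that cross-checks the two before any plugin is run. It assumes the profile zip holds one module.dwarf and one System.map-<release>, which is what the Linux profile instructions produce, and that the raw image still contains the "Linux version ..." banner that was grepped out of kern.log above. The sample data at the bottom is constructed for the demonstration.

```python
"""Cross-check a raw Linux memory image against a Volatility 2.x Linux profile
zip.  Added illustration for this thread, not code from the post or from
Volatility.  Assumptions (not stated in the post): the zip holds one
module.dwarf and one System.map-<release>, as the Linux profile instructions
produce, and the kernel banner "Linux version <release> (...)" is present in
the raw image, as it is in an uncompressed RAM capture.
"""
import io
import re
import sys
import zipfile

# Matches e.g. b"Linux version 3.2.0-53-generic (buildd@allspice) ..."
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+[-\w.]*)")


def find_kernel_banners(image, chunk=4 * 1024 * 1024, overlap=256):
    """Return the distinct kernel releases named by banners in `image`.

    `image` is a binary file object (e.g. the concatenated dump).  It is read
    in chunks with a small overlap so a banner cut by a chunk boundary is
    re-scanned whole on the next round instead of being reported truncated.
    """
    image.seek(0)
    releases = []
    tail = b""
    while True:
        data = image.read(chunk)
        if not data:
            break
        buf = tail + data
        last_chunk = len(data) < chunk
        for match in BANNER_RE.finditer(buf):
            if match.end() == len(buf) and not last_chunk:
                continue            # possibly truncated; the overlap covers it
            release = match.group(1).decode("ascii", "replace")
            if release not in releases:
                releases.append(release)
        tail = buf[-overlap:]
    return releases


def inspect_profile_zip(zip_bytes):
    """Return (release named by System.map-*, dwarf mentions task_struct, symbol count)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if n.endswith("module.dwarf")]
        sysmaps = [n for n in names if n.rsplit("/", 1)[-1].startswith("System.map")]
        if len(dwarfs) != 1 or len(sysmaps) != 1:
            raise ValueError("expected one module.dwarf and one System.map-*, got %r" % names)
        release = sysmaps[0].rsplit("/", 1)[-1][len("System.map-"):]
        # linux_pslist walks task_struct, so the DWARF text must define it.
        has_task_struct = b"task_struct" in zf.read(dwarfs[0])
        with zf.open(sysmaps[0]) as fh:        # lines are "<address> <type> <symbol>"
            symbols = sum(1 for line in fh if len(line.split()) == 3)
    return release, has_task_struct, symbols


def check_profile_against_image(image, zip_bytes, min_symbols=1000):
    """Return a list of findings; an empty list means nothing looked inconsistent."""
    findings = []
    banners = find_kernel_banners(image)
    release, has_task_struct, symbols = inspect_profile_zip(zip_bytes)
    if not banners:
        findings.append("no 'Linux version' banner found in the image")
    elif release not in banners:
        findings.append("profile System.map is for %s but the image names %s"
                        % (release or "<no release suffix>", ", ".join(banners)))
    if not has_task_struct:
        findings.append("module.dwarf does not define task_struct")
    if symbols < min_symbols:
        findings.append("System.map has only %d symbols (expected at least %d)"
                        % (symbols, min_symbols))
    return findings


def constructed_sample(release="3.2.0-53-generic"):
    """Constructed test data, not from the post: a tiny fake image holding one
    banner, and a profile zip whose System.map is named for `release`."""
    banner = b"Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3) #81-Ubuntu SMP"
    image = io.BytesIO(b"\x00" * 4096 + banner + b"\x00" * 4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "DW_TAG_structure_type\n  DW_AT_name  task_struct\n")
        zf.writestr("System.map-" + release,
                    "ffffffff81000000 T _text\nffffffff810001f0 T startup_64\n")
    return image, buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_profile.py memdump.dd LinuxUbuntu_12_04_3_X64.zip
    with open(sys.argv[2], "rb") as fh:
        profile_zip = fh.read()
    with open(sys.argv[1], "rb") as img:
        problems = check_profile_against_image(img, profile_zip)
    print("\n".join(problems) if problems else "profile and image agree")
```

Run against the real dump and the real zip, the script reports a release mismatch, a System.map that is far too short, or a module.dwarf without task_struct; an empty report does not explain an address-space failure by itself, but it rules out the profile/kernel mismatch before time goes into the capture format.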
(I definitely have the reply I sent hours ago in my 'Sent Items', but maybe
the Internet ate it. Anyway...)
Just to add to what MHL said, I notice your error concerns fileparam.py
which is odd.
It should be present:
/path/to/volatility$ find -type f -name fileparam.py
./volatility/plugins/fileparam.py
In case MHL's suggestion doesn't fix it, can you find the fileparam.py file?
Where did you get your copy of 2.4 from?
Might be worth grabbing it again from github.
Bridgey
Is zeusscan deprecated in version 2.4?
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.fileparam: The requested file doesn't exist
As mentioned earlier this week, we have extended the deadline for the 2014
Volatility Plugin Contest until October 1st because an organization wanted
to augment the prizes. We are excited to share that due to an extremely
generous donation from Facebook, the total cash prizes have been doubled
from $2250 USD to $4500 USD!
If you have already submitted to the contest, you can use this extra time
to fine tune your submission or submit another entry to improve your
chances. If you were considering submitting, you now have an extra month
to demonstrate your creativity, become a memory analysis pioneer, win the
admiration of your peers, and give back to the community!
It’s great to see some of the largest companies in the world showing their
support for and giving back to the memory forensics community! Thank you,
Facebook, and good luck to all participants in the contest - the stakes
have literally just doubled!
AAron Walters
The Volatility Foundation
Despite the fact we have already surpassed the number of submissions to
last year’s contest, we are excited to announce that we have extended the
deadline for the 2014 Volatility Plugin Contest until October 1st, 2014.
We received a number of inquiries from people who recently learned about
the competition when they purchased “The Art of Memory Forensics” and an
exciting new competition sponsor (more details next week) that wanted to
further augment our prizes.
If you have already submitted to the contest, you can use this extra time
to fine-tune your submission. If you were considering submitting, you now
have an extra month to demonstrate your creativity and implement an
innovative, interesting, and useful Volatility extension! It’s great to
see some of the largest companies in the world showing their support for
and giving back to the memory forensics community!
AW
The Volatility Foundation
This is the 2nd of 3 videos that we showed at Black Hat Arsenal this year:
http://volatility-labs.blogspot.com.au/2014/08/volatility-24-at-blackhat-ar…
This video takes you through using Volatility to automatically find,
extract, and analyze a rootkit with both kernel and userland components.
--
Thanks,
Andrew (@attrc)
We (the Volatility team) recently released Volatility 2.4 at Black Hat
Arsenal in Vegas. To drive the demonstrations, MHL made 3 videos showing
off interesting features of the framework. The first of these, Tracking
Mac OS X User Activity, is now publicly available:
http://volatility-labs.blogspot.com/2014/08/volatility-24-at-blackhat-arsen…
We will be releasing the rest over the next several weeks. Please send
us any feedback you may have on the videos, and we hope you enjoy the
new features of 2.4!
--
Thanks,
Andrew (@attrc)
The "imagecopy" plugin in Volatility 2.4 does not decompress hiberfil.sys
files from Windows 8 machines, at least in the tests that I have tried. In
most cases, I'm getting identical files out, which means that the
hiberfil.sys wasn't translated into a native physical address space, which
suggests it's not supported? I have also tried using the Moonsols Windows
Memory Toolkit which claims to support Windows 8, but that software seems
to fail as well.
Has anybody had any luck with uncompressing a Windows 8 hiberfil.sys file?
Is there any other tool I can use to accomplish this?
TIA
The 2.4 edition of our popular Volatility cheat sheet is released! It
features an updated Windows page, all new Linux and Mac OS X pages, and
an extremely handy RTFM-style insert for Windows memory forensics.
http://volatility-labs.blogspot.com/2014/08/new-volatility-24-cheet-sheet-w…
Please let us know if you have any questions with the new plugins, and
we hope that you are putting 2.4 to good use ;)
--
Thanks,
Andrew (@attrc)
vol-users,
Registration has officially opened for the 6th Annual Open Memory
Forensics Workshop (OMFW) 2014. This half-day workshop will be held prior
to the 2014 Open Source Digital Forensics Conference (OSDFC) in Herndon,
VA, USA, on November 4, 2014.
"OMFW is the only digital forensics workshop focused on providing a venue
for the most advanced digital investigators. It is intended for those
people who realize that the only real defense against a creative technical
human adversary is a creative technical human analyst. No shady vendors
trying to describe how they re-implemented open source tools or boisterous
trainers attempting to discuss topics they only superficially understand.
This is your opportunity to learn directly from an international cadre of
pioneering researchers and practitioners who have been shaping the field
of memory analysis since its inception. Through a series of invited talks
you will have the opportunity to engage this exciting community."
We are still accepting presentations from people who are performing
innovative memory analysis research or from people who have interesting
case studies where memory forensics provided a critical component of the
investigation. If you are interested in participating, please contact us.
Submissions are due no later than October 1, 2014.
This year's workshop will also present the results of The 2nd Annual
Volatility Framework Plugin Contest! If you are interested in presenting
at the conference, submitting a contest entry is another option. Selected
contestants may be asked to present their work at the workshop and have it
featured on the Volatility Labs Blog. All contest submissions are due by
September 1, 2014.
To learn more about the workshop, read testimonials of previous attendees,
and find out what makes OMFW so unique, please visit the workshop website:
http://www.volatilityfoundation.org/#!2014/cwat
Details about the location will be provided upon registration.
Pre-registration is required and space is LIMITED, so register early.
Please note that it will NOT be possible to register at the door.
Registration closes on October 24, 2014.
Reserve your seat by contacting: info [at] volatilityfoundation [dot] org.
Thanks,
AAron Walters
The Volatility Foundation