Hey Gang
I'm a total noob with eForensics so I'm on the learning curve. I can get Volatility to work on Windows memory images but not with Mac memory images. I've downloaded the Mac profiles, unzipped them and moved the files to the location indicated in the article, but when I run the info command the profiles aren't listed. Is there another step in the enable process?
TIA
Marty
Type at the prompt:
sudo make clean
and try again
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan"
And I have new errors (I use vol.py 2.3.1, the non-installable version of Volatility 2.3.1).
Do you know if anybody has had a similar problem with the ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
On 14/11/2013, at 12:45, Jamie Levy <jamie.levy(a)gmail.com> wrote:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilesystems.com>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry, I had a typo; I didn't write --profile=Win7SP1x64
>
>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error as ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> On 14/11/2013, at 09:36, David <eterno.comandante(a)gmail.com> wrote:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I have the same errors when I'm executing: :(
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error is that the new plugin "ethscan" isn't compatible with the non-installable version of Volatility 2.3.1; what do you think?
>>
>> On the other hand, I found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different... :(
>>
>> It does not use the flag --plugin=
>>
>> Thanks for all!!
>>
>> PS: My apologies for my level of English.
>>
>>
>> On 13/11/2013, at 16:43, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>
>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help with adding/using new plugins in Volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
>>>
>>> The plugin that I want to add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilesystems.com
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
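The traceback in David's message above comes from the registry's duplicate-name check: a copy of the plugin (ethscan_rc1) was already installed under dist-packages, and --plugins pointed at a directory holding a second class named EthScan. The Python below is an added example, not code from Volatility or from anyone on the list; it rebuilds that check with two constructed plugin sources so the collision and its fix can be reproduced without a memory image. The Command stand-in, the module names other than ethscan_rc1, and the plugin sources are assumptions.

```python
"""Why "Object EthScan has already been defined by ..." fires.

Added example, not Volatility's own code. The registry walks every plugin
location, collects Command subclasses by class name, and refuses a second
class with a name it has already registered. Two copies of EthScan on the
path (one installed, one under --plugins) therefore abort startup before
any plugin runs.
"""
import inspect
import types


class Command:
    """Constructed stand-in for volatility.commands.Command."""


# Constructed plugin sources; the real files are far larger.
INSTALLED_SOURCE = 'class EthScan(Command):\n    """copy installed under dist-packages"""\n'
EXTRA_SOURCE = 'class EthScan(Command):\n    """copy in the --plugins directory"""\n'


def module_from_source(qualname, source):
    """Build a module object from source text, the way a plugin file would be imported."""
    mod = types.ModuleType(qualname)
    mod.Command = Command              # plugin files subclass Command
    exec(source, mod.__dict__)         # constructed source only
    return mod


def get_plugin_classes(modules, base=Command):
    """Collect every Command subclass defined in the given modules, keyed by class name.

    Mirrors the registry check seen in the traceback: a class name may be
    registered only once across all plugin locations.
    """
    found = {}
    for mod in modules:
        for name, cls in inspect.getmembers(mod, inspect.isclass):
            if cls is base or not issubclass(cls, base):
                continue
            if cls.__module__ != mod.__name__:   # ignore classes merely imported here
                continue
            if name in found and found[name] is not cls:
                raise Exception("Object {0} has already been defined by {1}".format(name, found[name]))
            found[name] = cls
    return found


def demo_collision():
    """Load the installed copy and the --plugins copy together; return the error text."""
    installed = module_from_source("volatility.plugins.ethscan_rc1", INSTALLED_SOURCE)
    extra = module_from_source("ethscan", EXTRA_SOURCE)
    try:
        get_plugin_classes([installed, extra])
    except Exception as exc:
        return str(exc)
    return None


def demo_single_copy():
    """The fix: keep only one copy on the plugin path; return the registered names."""
    extra = module_from_source("ethscan", EXTRA_SOURCE)
    return sorted(get_plugin_classes([extra]))


if __name__ == "__main__":
    print(demo_collision())
    print(demo_single_copy())
```

The practical point for the thread: once ethscan_rc1 is importable from the installed volatility/plugins tree, every vol.py invocation that also passes --plugins with a directory containing another EthScan will fail in exactly this way, regardless of argument order. Remove one of the two copies (or give the development copy a different class name) and the registry loads cleanly.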
Try:
sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
First: --plugins takes in either a directory or a zipfile, not a plugin
Second: You didn't specify which plugin to run (ethscan)
Hello All,
I'm new to Volatility.
Say I found the string "password=hello world" somewhere in the memory; is
there any way for me to know which process that memory block is currently
allocated to?
--
matt
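The question above is a physical-to-virtual lookup: the image is addressed by physical offset, but a process only sees virtual addresses through its own page tables, so finding the owner means inverting every process's page table and looking up the page that holds the match (this is what Volatility's strings plugin does against real page tables). The Python below is an added example, not Volatility's code; its page tables, process names and image contents are all constructed, and it also shows the two edge cases a practitioner hits, a page shared by several processes and a page no live process maps at all.

```python
"""Map a string found at a physical offset back to the process that owns it.

Added example, not Volatility's code. PROCESS_MAPS is a constructed toy
model of per-process page tables and SAMPLE_IMAGE a constructed raw image,
so the whole thing runs offline.
"""
PAGE_SIZE = 0x1000

# Constructed sample page tables: pid -> name and {virtual page: physical page}.
# Page 0x2000 is shared by two processes (think of a DLL mapped into both).
PROCESS_MAPS = {
    4:    {"name": "System",       "pages": {0xFFFFF80000001000: 0x1000}},
    1234: {"name": "notepad.exe",  "pages": {0x00400000: 0x3000, 0x77E10000: 0x2000}},
    5678: {"name": "explorer.exe", "pages": {0x77E10000: 0x2000}},
}

# Constructed 5-page image with the string planted at three physical offsets;
# page 0x4000 is deliberately left unmapped by every process.
SAMPLE_IMAGE = bytearray(5 * PAGE_SIZE)
for _off in (0x2040, 0x3120, 0x4010):
    SAMPLE_IMAGE[_off:_off + 20] = b"password=hello world"


def build_reverse_map(procs):
    """Invert the page tables: physical page -> [(pid, name, virtual page), ...]."""
    rev = {}
    for pid, info in procs.items():
        for vpage, ppage in info["pages"].items():
            rev.setdefault(ppage, []).append((pid, info["name"], vpage))
    return rev


def find_all(image, needle):
    """Every physical offset at which needle occurs in the image."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def owners_of_offset(rev, phys_offset):
    """Processes mapping the page that holds phys_offset, with the virtual address each sees.

    Only the page containing the first byte is checked; a string that straddles
    a page boundary may continue in a page with different owners.
    """
    ppage = phys_offset & ~(PAGE_SIZE - 1)
    in_page = phys_offset - ppage
    return [(pid, name, vpage + in_page) for pid, name, vpage in rev.get(ppage, [])]


def locate_owners(image, needle, procs=PROCESS_MAPS):
    """physical offset -> owners for every match; an empty list means no process maps that page."""
    rev = build_reverse_map(procs)
    return {off: owners_of_offset(rev, off) for off in find_all(image, needle)}


if __name__ == "__main__":
    for off, owners in sorted(locate_owners(SAMPLE_IMAGE, b"password=hello world").items()):
        print(hex(off), owners or "no process maps this page (freed, kernel pool, or page cache)")
```

An empty owner list is a common and meaningful result: the page may belong to a terminated process, to kernel pool memory, or to the file cache, so "which process" sometimes has no answer even though the string is clearly in RAM.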
Hello list,
Please, I need some help with adding/using new plugins in Volatility 2.3.1.
Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
The plugin that I want to add/use is:
https://code.google.com/p/jamaal-re-tools/source/checkout
Thanks for your support!!
Hi,
I am using winpmem 1.3.1 for imaging for Volatility, but whenever I try to use any feature of winpmem it gives the
error: "Cannot open SCM? Are you administrator"
Whereas I don't have any administrative passwords... So how can I solve this issue?
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
As we previously sent to the list, the Volatility team will be holding
training sessions in San Diego in January and London in June:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We have now also finalized plans for a training in NYC in May:
http://volatility-labs.blogspot.com/2013/10/2014-malware-and-memory-forensi…
These will be the only public trainings through August of next year,
and we have already received substantial interest in each one. If you
plan to attend do not wait until the last minute to contact us as for
our last several trainings we have had to turn away people once the
classroom fills. If your company is interested in a private training
or hosting a public training in exchange for a few free seats then
please let us know ASAP as these opportunities for 2014 will likely be
taken by other companies over the next month or two.
Finally, the Volatility team would like to thank everyone who came out
to OMFW and to those of you who attended our OSDFC talk and showed
support for the project. Over the next couple weeks we will be sending
out slides and updates from OMFW, and please reach out to us if you
have questions for any of the speakers that you did not get to ask in
person.
Thanks,
Andrew (@attrc)
Hi,
Currently I'm preparing a Volatility workshop, and while writing the docs I
ran several plugins. My test case contains a Win7SP1x64 image.
Everything is fine, except that the contrib/malware plugins (poisonivy, zeus)
complain about:
This command does not support the profile Win7SP1x64
Now I get this error message also for timeliner!? But timeliner did work
correctly last weekend, using the _same_ Win7SP1x64 image!
Using a different image containing WinXP, timeliner does work correctly.
I'm using Revision 3532.
What happened to timeliner?
Regards,
Thomas
https://code.google.com/p/volatility/
The Volatility Foundation is thrilled to announce the official release
of Volatility 2.3! While the main goal of this release was Mac OS X (x86,
x64) and Android Arm support, we also included a number of other exciting
new capabilities! Highlights of this release include:
Mac OS X:
* New MachO address space for 32-bit and 64-bit Mac memory samples
* Over 30 plugins for Mac memory forensics
Linux/Android:
* New ARM address space to support memory dumps from Linux and Android
devices on ARM hardware
* Plugins to scan Linux process and kernel memory with yara
signatures, dump LKMs to disk, and check TTY devices for rootkit hooks
* Plugins to check the ARM system call and exception vector tables for
hooks
Windows:
* New plugins:
- Parse IE history/index.dat URLs
- Recover shellbags data
- Dump cached files (exe/pdf/doc/etc)
- Extract the MBR and MFT records
- Explore recently unloaded kernel modules
- Dump SSL private and public keys/certs
- Display details on process privileges
- Detect poison ivy infections
- Find and decrypt configurations in memory for poison ivy, zeus v1, zeus v2 and citadelscan 1.3.4.5
* Plugin Enhancements:
- Apihooks detects duqu style instruction modifications
- Crashinfo displays uptime, systemtime, and dump type
- Psxview plugin adds two new sources of process listings from the GUI APIs
- Screenshots plugin shows text for window titles
- Svcscan automatically queries the cached registry for service dlls
- Dlllist shows load count to distinguish between static and dynamic loaded dlls
New Address Spaces:
* VirtualBox ELF64 core dumps
* VMware saved state (vmss)
* VMware snapshot (vmsn) files
* FDPro's non-standard HPAK format
* New plugins: vboxinfo, vmwareinfo, hpakinfo, hpakextract
We also wanted to take this opportunity to recognize those on the
development team whose continued dedication to open source forensics and
the Volatility community has made this release possible: Mike Auty, Andrew
Case, Michael Hale Ligh, Jamie Levy, and AAron Walters. These people
volunteer their time and skills to bring you the most advanced and
innovative memory forensics framework in the world! If you appreciate the
hard work they put into Volatility, I encourage you to help defend the rights
of open source developers and support developer endorsed events! Finally,
shoutz to the Volatility Community for their continued support and
feedback! In particular, the following members of the Volatility community
made significant contributions to this release:
- Cem Gurkok for his work on the privileges plugin for Windows
- Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
- @osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
- @osxreverser of reverse.put.as for his help with OSX memory analysis
- Carl Pulley for numerous bug reports, example patches, and plugin testing
- Andreas Schuster for his work on poison ivy plugins for Windows
- Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
- Philippe Teuwen for his work on the virtual box address space
- Santiago Vicente for his work on the citadel plugins for Windows
If you want to learn more about Volatility 2.3 or just hang out with the
Volatility development team, I encourage you to register for the Open
Memory Forensics Workshop 2013. Please register quickly, we will be
ending registration by COB Friday, October 25 (Today). There have been a
couple last minute cancellations, so you may still have a chance to
reserve a seat!