Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option
-----Original Message-----
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan"
And I have new errors (I use vol.py 2.3.1, the non-installable version of Volatility 2.3.1).
Do you know if anybody has had a similar problem with the ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
On 14/11/2013, at 12:45, Jamie Levy <jamie.levy(a)gmail.com> wrote:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilesystems.com>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry, I had a typo; I didn't write --profile=Win7SP1x64
>
>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error as ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> On 14/11/2013, at 09:36, David <eterno.comandante(a)gmail.com> wrote:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I have the same errors when I'm executing: :(
>>
>> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error is that the new plugin "ethscan" isn't compatible with the non-installable version of Volatility 2.3.1. What do you think?
>>
>> On the other hand, I found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different... :(
>>
>> It does not use the --plugin= flag
>>
>> Thanks for all!!
>>
>> PS: My apologies for my level of English
>>
>>
>> On 13/11/2013, at 16:43, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin. If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:
>>>
>>> http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help to add/use new plugins in Volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
>>>
>>> The plugin that I want to add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilesystems.com
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
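The "already been defined" exception in the traceback above is the plugin registry finding the same class name in two plugin files (a copy in volatility/plugins plus the one reached via --plugins). As an added example, not code from this thread or from Volatility itself, a small script that reproduces that check over a constructed sample tree: it walks the core plugins directory and an extra --plugins directory, collects top-level class names with `ast`, and reports any name defined in more than one file.

```python
import ast
import os
import tempfile
from collections import defaultdict

# Constructed sample sources: the same class name in a copy dropped into the
# core plugins directory and in the directory passed via --plugins.
SAMPLE_PLUGINS = {
    "volatility/plugins/ethscan_rc1.py": "class EthScan(object):\n    pass\n",
    "extra/ethscan.py": "class EthScan(object):\n    pass\n",
    "extra/other.py": "class OtherScan(object):\n    pass\n",
}


def class_names(path):
    """Return the top-level class names defined in one plugin source file."""
    with open(path) as fh:
        tree = ast.parse(fh.read(), filename=path)
    return [node.name for node in tree.body if isinstance(node, ast.ClassDef)]


def find_duplicate_classes(*plugin_dirs):
    """Map each class name to the files defining it, keeping only names
    defined more than once (the situation Volatility's registry rejects)."""
    owners = defaultdict(list)
    for plugin_dir in plugin_dirs:
        for root, _, files in os.walk(plugin_dir):
            for fname in sorted(files):
                if fname.endswith(".py"):
                    path = os.path.join(root, fname)
                    for name in class_names(path):
                        owners[name].append(path)
    return {name: paths for name, paths in owners.items() if len(paths) > 1}


def demo():
    """Write the constructed sample tree to a temp dir and scan it."""
    base = tempfile.mkdtemp()
    for rel, src in SAMPLE_PLUGINS.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(src)
    dups = find_duplicate_classes(os.path.join(base, "volatility", "plugins"),
                                  os.path.join(base, "extra"))
    # Strip the temp prefix so the result is stable for the caller.
    return {n: sorted(os.path.relpath(p, base) for p in ps) for n, ps in dups.items()}


if __name__ == "__main__":
    for name, paths in demo().items():
        print("Object %s has already been defined by %s" % (name, ", ".join(paths)))
```

Point the two directory arguments at a real volatility/plugins tree and a real --plugins directory to find which file to delete before running vol.py again.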
Hey Gang
I'm a total noob with eForensics so I'm on the learning curve. I can get Volatility to work on Windows memory images but not with Mac memory images. I've downloaded the Mac profiles, unzipped them and moved the files to the location indicated in the article, but when I run the info command the profiles aren't listed. Is there another step in the enable process?
TIA
Marty
Sent from my iPad
Type at the prompt:
sudo make clean
and try again
Try:
sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
First: --plugins takes in either a directory or a zipfile, not a plugin
Second: You didn't specify which plugin to run (ethscan)
Hello All,
I'm new to Volatility.
Say I found the string "password=hello world" somewhere in the memory, is
there any way for me to know which process that memory block is currently
allocated to?
--
matt
Hello list,
Please, I need some help to add/use new plugins in Volatility 2.3.1.
Can I use the flag "--plugins=contrib/plugins"? Or is there another method?
The plugin that I want to add/use is:
https://code.google.com/p/jamaal-re-tools/source/checkout
Thanks for your support!!
Hi,
I am using winpmem 1.3.1 for imaging in Volatility, but whenever I try to use any feature of winpmem it gives the
error: "Cannot open SCM? Are you administrator"
Whereas I don't have any administrative passwords... So how can I solve this issue?
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
As we previously sent to the list, the Volatility team will be holding
training sessions in San Diego in January and London in June:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We have now also finalized plans for a training in NYC in May:
http://volatility-labs.blogspot.com/2013/10/2014-malware-and-memory-forensi…
These will be the only public trainings through August of next year,
and we have already received substantial interest in each one. If you
plan to attend do not wait until the last minute to contact us as for
our last several trainings we have had to turn away people once the
classroom fills. If your company is interested in a private training
or hosting a public training in exchange for a few free seats then
please let us know ASAP as these opportunities for 2014 will likely be
taken by other companies over the next month or two.
Finally, the Volatility team would like to thank everyone who came out
to OMFW and to those of you who attended our OSDFC talk and showed
support for the project. Over the next couple weeks we will be sending
out slides and updates from OMFW, and please reach out to us if you
have questions for any of the speakers that you did not get to ask in
person.
Thanks,
Andrew (@attrc)
Hi,
currently I'm preparing a Volatility Workshop ... and while writing the docs I
ran several plugins. My test case contains a Win7SP1x64 image.
Everything is fine, except the contrib/malware plugins (poisonivy, zeus)
complain about:
This command does not support the profile Win7SP1x64
Now I get this error message also for timeliner!? But timeliner did work
correctly last weekend, using the _same_ Win7SP1x64 image!
Using a different image containing WinXP timeliner does work correctly.
I'm using Revision 3532.
What did happen with timeliner?
Regards,
Thomas