Hi,
I am trying to use volatility under linux image. I am a newbie of volatility
so that I'm find troubles to use it.
most of plugin seems dont work... look:
In [7]: plugins.mount
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/user/src/lin64-support/<ipython-input-7-bdbca450f1fd> in <module>()
----> 1 plugins.mount
AttributeError: 'Container' object has no attribute 'mount'
.....
.....
.....
but some works, look:
In [8]: plugins.ifconfig
------> plugins.ifconfig()
lo 127.0.0.1 00:00:00:00:00:00
eth0 192.168.1.226 f0:4d:a2:ae:f2:2c
eth1 0.0.0.0 00:00:00:00:00:00
Anyone could help me to use volatility plugins under linux ?
thanks very much
--
Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP
autenticato? GRATIS solo con Email.it: http://www.email.it/f
Sponsor:
Offerte all inclusive in Romagna. Speciale Agosto da Euro 480,00 Speciale
Settembre da Euro 295. Terzo letto Gratis e Quarto scontato al 50%
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12594&d=20120817
--
Caselle da 1GB, trasmetti allegati fino a 3GB e in piu' IMAP, POP3 e SMTP autenticato? GRATIS solo con Email.it http://www.email.it/f
Sponsor:
Offerta Nordic walking Festival dal 7 al 9 settembre a Riccione e Misano con le proposte hotel di Costahotels della riviera romagnola per tutti gli appassionati di questo sport salutare
Clicca qui: http://adv.email.it/cgi-bin/foclick.cgi?mid=12585&d=17-8
I imaged a live Win7 32bit system 3gb just now with both ftkimager and winen and when I try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security & Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation interdites sans permission. Si reçu par erreur, prière d'aller au www.td.com/francais/avis_juridique pour des instructions.
Dear all,
I am Andri Heriyanto. I am just starting to use Volatility as the tools
for analyzing the memory. I am using Python-2.7.3 and already installed
Volatility ver 2.1 on both OS: Windows 7 64-bit and Linux Ubuntu 12.04 LTS
32-bit, unfortunately I could not resolve the problem on pycrypto.
Especially on the Linux Ubuntu 12.04 LTS, there is always a notification
of an error like this:
ERROR : root : code for hash sha224 was not found.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/local/lib/python2.7/hashlib.py", line 91, in
__get_builtin_constructor
raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR : root : code for hash sha256 was not found.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/local/lib/python2.7/hashlib.py", line 91, in
__get_builtin_constructor
raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR : root : code for hash sha384 was not found.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/local/lib/python2.7/hashlib.py", line 91, in
__get_builtin_constructor
raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR : root : code for hash sha512 was not found.
Traceback (most recent call last):
File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
globals()[__func_name] = __get_hash(__func_name)
File "/usr/local/lib/python2.7/hashlib.py", line 91, in
__get_builtin_constructor
raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Sorry for my simple question, but I've tried googling to sort this things
out, but I still could not solve it.
Thank you very much in advance for any support and suggestion.
Cheers
https://code.google.com/p/volatility/
We are very excited to announce the official release of Volatility 2.1!
While the main goal of this release was to get x64 support into an
official release, we also sneaked in a number of interesting new
capabilities! Highlights of this release include:
New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
Majority of Existing Plugins Updated with x64 Support
Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
Expanded Operating System Profiles:
Windows XP SP1, SP2 and SP3 x86
Windows XP SP1 and SP2 x64 (there is no SP3 x64)
Windows Server 2003 SP0, SP1, and SP2 x86
Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
Windows Vista SP0, SP1, and SP2 x86
Windows Vista SP0, SP1, and SP2 x64
Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
Windows Server 2008 R2 SP0 and SP1 x64
Windows 7 SP0 and SP1 x86
Windows 7 SP0 and SP1 x64
Plugin Additions (Now Over 70+ Analysis Plugins!):
Printing Process Environment Variables (envvars)
Inspecting the Shim Cache (shimcache)
Profiling Command History and Console Usage (cmdscan, consoles)
Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
Plugin Enhancements:
Verbose details for kdbgscan and kpcrscan
idt/gdt/timers plugins cycle automatically for each CPU
apihooks detects LSP/winsock procedure tables
New Output Formatting Support (Table Rendering)
New Mechanism for Profile Modifications
New Registry API Support
New Volshell Commands
Updated Documentation and Command Reference
In particular, I also wanted to take this opportunity to recognize those
on the development team who helped push to make this release possible:
Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy.
These are the people who make a number of sacrifices in their own personal
lives to continue to bring you the most advanced memory forensics
framework in the world! If you appreciate the hard work they put into
Volatility, I encourage you to Support Open Source Forensics Developers
(SOSFD). Finally, shoutz to the Volatility Community for their continued
support and feedback!
As an added bonus, we will also be releasing Volatility 2.2 at the Open
Memory Forensics Workshop 2012 on October 2. This will be your only
opportunity to learn about all the new features in 2.1 and 2.2 from the
actual Volatility development team. Please register early. Seats are
filling up fast!
The Volatility Project
This may just be an "aspect" of the Windows version.
Win7, Python 2.7.3, Volatility 2.1 RC3.
After receiving MLH's direction on getting "conf-file" to work on
Windows, I set the profile and location in my conf file.
Works fine:
python <pathTo>\vol.py --conf-file="<my conf file>"
--plugins="<pathToMyPlugins>" someSillyPlugin
Does NOT work:
python <pathTo>\vol.py --plugins="<pathToMyPlugins>"
--conf-file="<my conf file>" someSillyPlugin
The error:
__main__ : Please specify a location (-l) or filename (-f)
I don't know if this is also true on non-Windows systems.
Skippy
Just tried the 2.1 RC3 version and got the errors below.
Then did the 'python setup.py clean' command followed by repeating the
install command 'python setup.py install'.
Still no difference. No errors produced during install. Egg was
built and copied.
Using Win7 and Python 2.7.3.
D:\Forensics>python %PYTHON_SCRIPTS%\vol.py -h
Volatile Systems Volatility Framework 2.1_rc3
*** Failed to import
volatility.plugins.overlays.windows.win2k8_sp1_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.win7_sp0_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp1_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp1_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.win7_sp1_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp2_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.xp_sp3_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp0_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.xp_sp2_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import volatility.plugins.overlays.windows.vista_sp0_x86
(AttributeError: 'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k3_sp2_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
*** Failed to import
volatility.plugins.overlays.windows.win2k8_sp2_x86 (AttributeError:
'module' object has no attribute 'xpsp2_types')
Usage: Volatility - A memory forensics analysis platform.
Hi,
I'm trying to analyze linux memory dumps with scudettesbranch r2040, but it
doesn't seems to work.
Is there something I do wrong?
*Ubuntu 11.04 64bit (acquired with lime, padded format)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\Lime\Ubuntu-11.04-64-bit\u64.padded"
In [2]: session.profile_file = "N:\Lime\Ubuntu-11.04-64-bit\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes
has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has
a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes
has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a
concrete definition for it.
Offset Name Pid Uid
ERROR:root:Error: Type task_struct has no member tasks
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
<ipython-input-4-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls,
*args, **kwargs)
217 result = plugin_cls(*args, **kwargs)
218 try:
--> 219 result.render(ui_renderer)
220 except KeyboardInterrupt:
221 self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self,
outfd)
49 "Offset", "Name", "Pid", "Uid"))
50
---> 51 for task in self.pslist():
52 outfd.write("0x{0:08x} {1:20s} {2:15s}
{3:15s}\n".format(
53 task.obj_offset, task.comm, str(task.pid),
str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
42
43 # walk the ->tasks list, note that this will *not* display
"swapper"
---> 44 for task in init_task.tasks:
45 yield task
46
H:\Volatility\Scudette\volatility\obj.pyc in __getattr__(self, attr)
921 if attr not in self.members:
922 raise AttributeError("Type {0} has no member
{1}".format(
--> 923 self.obj_name, attr))
924
925 return self.m(attr)
AttributeError: Type task_struct has no member tasks
*Ubuntu 11.04 64bit (acquired with lime, raw format)*
*
*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Ubuntu-11.04-64-bit\\u64.raw"
In [2]: session.profile_file =
"N:\\Lime\\Ubuntu-11.04-64-bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes
has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has
a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes
has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that
vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a
concrete definition for it.
Offset Name Pid Uid
Out[4]: <volatility.plugins.linux.pslist.LinuxPsList at 0x2e50930>
*Fedora 15 32bit (acquired with lime, raw format)*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.raw"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "standard"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-6-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls,
*args, **kwargs)
217 result = plugin_cls(*args, **kwargs)
218 try:
--> 219 result.render(ui_renderer)
220 except KeyboardInterrupt:
221 self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self,
outfd)
49 "Offset", "Name", "Pid", "Uid"))
50
---> 51 for task in self.pslist():
52 outfd.write("0x{0:08x} {1:20s} {2:15s}
{3:15s}\n".format(
53 task.obj_offset, task.comm, str(task.pid),
str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
35 def pslist(self):
36 """A generator of task_struct objects for all running
tasks."""
---> 37 init_task_addr = self.profile.constants["init_task"]
38
39 init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
*Fedora 15 32bit (virtual box snapshot)*
*
*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "V:\\VM\\Fedora Core 15
32-bit\\Snapshots\\2012-07-17T14-50-40-994836400Z.sav"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.
In [5]: session.kernel_address_space = "vboxelf"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset Name Pid Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
<ipython-input-7-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)
H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls,
*args, **kwargs)
217 result = plugin_cls(*args, **kwargs)
218 try:
--> 219 result.render(ui_renderer)
220 except KeyboardInterrupt:
221 self.report_progress("Aborted!\r\n", force=True)
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self,
outfd)
49 "Offset", "Name", "Pid", "Uid"))
50
---> 51 for task in self.pslist():
52 outfd.write("0x{0:08x} {1:20s} {2:15s}
{3:15s}\n".format(
53 task.obj_offset, task.comm, str(task.pid),
str(task.uid)))
H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
35 def pslist(self):
36 """A generator of task_struct objects for all running
tasks."""
---> 37 init_task_addr = self.profile.constants["init_task"]
38
39 init_task = self.profile.Object(theType="task_struct",
KeyError: 'init_task'
*The analysis works with Windows XP SP3*
H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.
IPython 0.13 -- An enhanced Interactive Python.
? -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help -> Python's own help system.
object? -> Details about 'object', use 'object??' for extra details.
Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "W:\XP SP3\XP SP3-Snapshot7.vmem"
In [2]: session.profile = profiles.WinXPSP3x86
In [3]: vol plugins.pslist
------> vol(plugins.pslist)
Offset (V) Name PID PPID Thds Hnds Sess Wow64
Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------
-------------------- --------------------
0x867c49c8 System 4 0 54 216 ------ False
- -
0x8656b020 smss.exe 556 4 3 17 ------ False
2008-11-19 19:30:19 -
[...]
Out[3]: <volatility.plugins.windows.taskmods.WinPsList at 0x21668f0>
Thanks in advance for your help!
Sebastien
Hey everyone,
The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip
and tar archives of the source code, a windows module installer, and a
standalone windows executable (with python and all dependencies
build-in). We ask that you test vigorously over the next 2 weeks,
especially with any x64 images, and let us know via the issue tracker [2]
if you run into any bugs. At the end of July, we'll announce the official
release of 2.1.
Also, a lot of the documentation [3] has been updated, including the FAQ,
command reference, features by plugin matrix, and roadmap, so that may be a
useful resource to you when using 2.1.
Thank you very much!
[1]. http://code.google.com/p/volatility/downloads/list
[2]. http://code.google.com/p/volatility/issues/list
[3]. http://code.google.com/p/volatility/w/list
