Hello List!
I have been fighting with this issue since volatility 1.4 RC1. I am not
able to figure out why it cannot locate the correct libewf library. I have
uninstalled and reinstalled from source the libewf 20100226 stable version.
Can anyone assist me with this?
Terminal output:
qbl-mbp:volatility2.0 qubyte$ python vol.py -h
Volatile Systems Volatility Framework 2.0
*** Failed to import volatility.plugins.addrspaces.ewf (OSError:
dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find:
/usr/local/lib/libewf.dylib: mach-o, but wrong architecture)
Usage: Volatility - A memory forensics analysis platform.
OS: Mac OS X 10.6.8
Python:
qbl-mbp:~ qubyte$ python
Python 2.6.6 (r266:84374, Aug 31 2010, 11:00:51)
[GCC 4.0.1 (Apple Inc. build 5493)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
Any help would be greatly appreciated...and please don't assume that I know
my way around the terminal shell.. I am still a newbie and learning lots!
Thanks!
Shafik
__________________________________
Shafik Punja
BSc, A+, CISSP, Network+, ACE, CCE
Senior Technical Officer
*QuByte Logic Ltd*
612-500 Country Hills Blvd NE, Suite #404
Calgary, AB CANADA T3K 5K3
ph: 403.909.6120
em: shafghp(a)gmail.com or shafik(a)qubytelogic.com
wp: http://www.qubytelogic.com
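The dlopen error above means the dylib on disk has no slice for the CPU type the running Python was built for. A check for that, added here as an example (not from the original post or from the Volatility or libewf projects): parse the Mach-O header and compare its slices with the interpreter's pointer size. The two headers are constructed; against the real file you would read the first few KB of /usr/local/lib/libewf.dylib instead.

```python
import struct

# Magic numbers as they appear on disk: the fat header is big-endian, thin
# Mach-O headers on x86 hosts are little-endian. CPU types from <mach/machine.h>.
FAT_MAGIC = b"\xca\xfe\xba\xbe"
MH_MAGIC_LE = b"\xce\xfa\xed\xfe"       # 32-bit Mach-O
MH_MAGIC_64_LE = b"\xcf\xfa\xed\xfe"    # 64-bit Mach-O
CPU_NAMES = {0x7: "i386", 0x01000007: "x86_64", 0x12: "ppc", 0x0100000c: "arm64"}

def macho_archs(data):
    """Return the architecture names of every slice in a Mach-O image."""
    magic = data[:4]
    if magic == FAT_MAGIC:
        # fat_header: magic, nfat_arch; then fat_arch records of five
        # big-endian 32-bit fields (cputype, cpusubtype, offset, size, align)
        (nfat,) = struct.unpack(">I", data[4:8])
        return [CPU_NAMES.get(struct.unpack(">I", data[8 + i * 20:12 + i * 20])[0], "unknown")
                for i in range(nfat)]
    if magic in (MH_MAGIC_LE, MH_MAGIC_64_LE):
        # mach_header: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
        return [CPU_NAMES.get(struct.unpack("<I", data[4:8])[0], "unknown")]
    raise ValueError("not a Mach-O image")

def interpreter_arch():
    """Architecture of the running Python (an x86 host is assumed, as in the report)."""
    return "x86_64" if struct.calcsize("P") == 8 else "i386"

def can_dlopen(data, arch=None):
    """True if the image has a slice matching the interpreter; False is the
    situation behind the 'mach-o, but wrong architecture' message above."""
    return (arch or interpreter_arch()) in macho_archs(data)

# Constructed headers only (no load commands), enough for the checks above:
# a thin i386 dylib (filetype 6 = MH_DYLIB) and a universal i386 + x86_64 one.
THIN_I386_DYLIB = MH_MAGIC_LE + struct.pack("<IIIIII", 0x7, 3, 6, 0, 0, 0)
FAT_DYLIB = (FAT_MAGIC + struct.pack(">I", 2)
             + struct.pack(">IIIII", 0x7, 3, 0x1000, 0, 12)
             + struct.pack(">IIIII", 0x01000007, 3, 0x2000, 0, 12))
```

A thin dylib built for the other word size fails the check; a universal build that includes the interpreter's slice passes.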
All
I've had great success using recipes out of the Malware Analyst Cookbook. I particularly like the recipe involving mutantscandb and compare the mutexes in a binary under investigation with those in my sqlite3 database.
Can anyone tell me how to trace the observed suspicious mutexes in a mutantscandb scan with the process/binary that owns that mutex?
Jim
~~~~~~~~~~~~~~~~~~~~~~
ACK and you shall receive
Hi all,
I'm using "Volatility-1.3_Beta" in a college project. I have a question
regarding the 'memdmp' module.
I use a 1GB memory dump from Windows XP SP2. Dumped using the tool win32dd.
After extracting the list of running processes, I dump the addressable
memory for each process using the command:
python volatility memdmp -f my_1GB_memory_dump -p 1234
The output for each process is a very large PID.dmp. On average each PID.dmp
is about 200MB.
So, after extracting the memory for the first 5 processes (out of a total of
64 processes), I have already exceeded the size of the RAM dump (1 GB).
I know that some processes will use DLL's and that this may become part of
the addressable memory for that process.
But can anyone explain to me why the dump files are so large? Is it possible
to just extract memory for each process so that the total is approx. equal
to the RAM dump?
Looking at the code for mem_dump, I can see:

File: vmodules.py
mem_dump(...)
    ...
    entries = process_address_space.get_available_pages()
    for entry in entries:
        # entry is [virtual address, length]; read it through the process
        # address space and append the bytes to the output file
        data = process_address_space.read(entry[0], entry[1])
        ohandle.write("%s" % data)

File: forensics/x86.py
    def get_available_pages(self):
        page_list = []
        pgd_curr = self.pgd_vaddr
        for i in range(0, ptrs_per_pgd):
            # each page-directory entry covers ptrs_per_pte * 4KB = 4MB of virtual space
            start = (i * ptrs_per_pgd * ptrs_per_pte * 4)
            entry = self.read_long_phys(pgd_curr)
            pgd_curr = pgd_curr + 4
            if self.entry_present(entry) and self.page_size_flag(entry):
                # 4MB large page: a single entry with no page table beneath it
                page_list.append([start, 0x400000])
            elif self.entry_present(entry):
                # page table present: walk its ptrs_per_pte entries of 4KB pages
                pte_curr = entry & ~((1 << page_shift) - 1)
                for j in range(0, ptrs_per_pte):
                    pte_entry = self.read_long_phys(pte_curr)
                    pte_curr = pte_curr + 4
                    if self.entry_present(pte_entry):
                        page_list.append([start + j * 0x1000, 0x1000])
        return page_list
I'm not a Python programmer, but it appears that the method:
get_available_pages() is searching across the 4KB page files, looking for
physical addresses belonging to the specific process. Then the data at these
physical addresses is extracted. The lower level details of these commands
are currently beyond my reach.
Any help is greatly appreciated,
Regards,
Derek.
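An added illustration (not from the original post or from Volatility's own code) of why the per-process dumps add up to more than the RAM image: the walk below mirrors get_available_pages() for non-PAE x86, but goes one step further and records the physical frame behind each virtual page, over a constructed two-process page-table set in which the kernel half (PDE 512 and above, i.e. 0x80000000 upwards) and a DLL page table are mapped into both processes. The physical layout, frame numbers and table placement are assumptions made for the example.

```python
PAGE_SHIFT, PTRS_PER_PGD, PTRS_PER_PTE = 12, 1024, 1024
PRESENT, LARGE_PAGE = 0x1, 0x80   # PDE/PTE bit 0: present; PDE bit 7: 4MB page

def read_long_phys(mem, paddr):
    return mem.get(paddr, 0)   # constructed {paddr: 32-bit value}; unmapped reads as 0

def get_available_pages(mem, pgd_paddr):
    """Same walk as the excerpt, returning (vaddr, paddr, size) instead of [vaddr, size]."""
    pages = []
    for i in range(PTRS_PER_PGD):
        start = i * PTRS_PER_PTE * (1 << PAGE_SHIFT)   # each PDE covers 4MB
        entry = read_long_phys(mem, pgd_paddr + i * 4)
        if not entry & PRESENT:
            continue
        if entry & LARGE_PAGE:
            pages.append((start, entry & ~0x3fffff, 0x400000))
            continue
        pt = entry & ~((1 << PAGE_SHIFT) - 1)
        for j in range(PTRS_PER_PTE):
            pte = read_long_phys(mem, pt + j * 4)
            if pte & PRESENT:
                pages.append((start + j * 0x1000, pte & ~0xfff, 0x1000))
    return pages

def write_table(mem, table_paddr, frames):
    for j, frame in enumerate(frames):            # present 4KB mappings
        mem[table_paddr + j * 4] = frame | PRESENT

def write_pgd(mem, pgd_paddr, tables):
    for i, table_paddr in tables.items():         # {PDE index: page table paddr}
        mem[pgd_paddr + i * 4] = table_paddr | PRESENT

def dump_sizes(mem, pgds):
    """Bytes memdmp would write per process versus bytes of distinct physical frames."""
    per_process, frames = {}, set()
    for name, pgd in pgds.items():
        pages = get_available_pages(mem, pgd)
        per_process[name] = sum(size for _, _, size in pages)
        frames.update(paddr for _, paddr, _ in pages)
    return per_process, len(frames) * 0x1000

def build_sample():
    """Two processes: private user pages, one shared DLL table, one shared kernel table."""
    mem, frame = {}, lambda n: 0x100000 + n * 0x1000     # constructed frame addresses
    write_table(mem, 0x3000, [frame(n) for n in range(0, 3)])    # process A private
    write_table(mem, 0x4000, [frame(n) for n in range(3, 5)])    # process B private
    write_table(mem, 0x5000, [frame(n) for n in range(5, 9)])    # DLL pages, mapped in both
    write_table(mem, 0x6000, [frame(n) for n in range(9, 19)])   # kernel half: PDE 512 = 0x80000000
    write_pgd(mem, 0x1000, {0: 0x3000, 1: 0x5000, 512: 0x6000})
    write_pgd(mem, 0x2000, {0: 0x4000, 1: 0x5000, 512: 0x6000})
    return mem, {"A": 0x1000, "B": 0x2000}
```

With this layout the two dumps total 33 pages while only 19 distinct frames exist, because every process's page directory maps the kernel half and the shared DLL pages again.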
vol-users: I wanted to give you the inside track on registering for OMFW.
Tomorrow, I will be posting the announcement to the Volatility tumblr for
wider distribution. Pre-registration is required and space is limited, so
register early.
https://www.volatilityfoundation.org/default/omfw
Volatile memory forensics (i.e., RAM forensics) has proven one of the most
exciting and important topics to the future of digital investigations. It
has dramatically transformed the way we perform digital investigations and
helped provide a path for addressing many of the challenges we currently
face.
OMFW is the only digital forensics workshop focused on providing a venue
for the most advanced digital investigators. It is intended for those
people who realize that the only real defense against a creative technical
human adversary is a creative technical human analyst. No shady vendors
trying to describe how they re-implemented open source tools or boisterous
trainers attempting to discuss topics they only superficially understand.
This is your opportunity to learn directly from an international cadre of
pioneering researchers and practitioners who have been shaping the field
of memory analysis since its inception. Through a series of invited talks
and panel discussions you will have the opportunity to engage this
exciting community. At the end of the day, the attendees will have the
opportunity to work through a challenging memory analysis skills exercise
with the assistance of your expert speakers. Join with industry leaders to
discuss the latest advancements in memory forensics and the importance of
open source initiatives. This is your opportunity to help shape the future
of memory forensics!
AW
Curt,
You always ask the good questions...We are currently in the process of
finalizing the specifics of the logistics. My goal was to get this email
out and see if there was anyone else interested in speaking. I will send
an update by the end of the week discussing the "where and when..".
Hope all is well!
AW
On Wed, 13 Apr 2011, Curt Wilson wrote:
>
> AAron,
>
> Is there a date and location?
>
> Thanks
> Curt Wilson
>
>
> On 4/12/2011 10:21 PM, AAron Walters wrote:
>>
>> After the amazing success of OMFW 2008 and a <cough>little</cough>
>> hiatus, we are currently in the process of planning OMFW 2011. OMFW is
>> the single most important event for those who are interested in the
>> deep technical aspects of digital investigations and forensics. It is
>> intended for those people who realize the only real defense against a
>> creative technical human adversary is a creative technical human
>> analyst. No shady vendors trying to describe how they re-implemented
>> open source tools or boisterous trainers attempting to discuss topics
>> they only superficially understand. This is your opportunity to learn
>> directly from an international cadre of pioneering researchers and
>> practitioners who have been shaping the field of memory analysis since
>> its inception.
>>
>> If you are interested in getting involved or have an exciting topic
>> you would like to present, please let the team know. For those who
>> want to attend, please be sure to check back frequently for
>> registration details. Due to the overwhelming response in 2008, we
>> were not able to fulfill all the registration requests, so please be
>> sure to register early! There will be a number of surprises and I
>> guarantee it will be an event you won't want to miss! Check out what
>> previous attendees of OMFW have said:
>>
>> "AAron was able to bring together an outstanding group of folks
>> interested in "memory forensics" and there was some spirited
>> discussion among the participants along with some really outstanding
>> talks/demos. It was also great to be able to put faces to folks who
>> until then had only been handles in IRC or names on e-mail/blog posts
>> in the past."
>> -Jim Clausing: SANS Internet Storm Center Handler
>>
>> "My first impression of the event was that the underground could have
>> set digital forensics back 3-5 years if they had attacked our small
>> conference room. Where else do you have Eoghan Casey, Brian Carrier,
>> Harlan Carvey, Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr.,
>> Jesse Kornblum, Andreas Schuster, Aaron Walters, et al, in the same
>> room? I thought Brian Dykstra framed the situation properly when
>> asking the following: "I know this is an easy question for all you
>> 'beautiful minds,' but...""
>> -Richard Bejtlich: TaoSecurity
>>
>>
>> Current invited speakers include:
>>
>> Andrew Case (attc)
>> Michael Cohen (scudette)
>> Brendan Dolan-Gavitt (moyix)
>> Jamie Levy (gleeda)
>> Michael Hale Ligh (MHL)
>> AAron Walters
>>
>> More to be announced....
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> --
> ---
> Curt Wilson - Perpetual Horizon Security Research
> SIUC IT Security Officer + Security Engineer
>
After the amazing success of OMFW 2008 and a <cough>little</cough> hiatus,
we are currently in the process of planning OMFW 2011. OMFW is the single
most important event for those who are interested in the deep technical
aspects of digital investigations and forensics. It is intended for those
people who realize the only real defense against a creative technical
human adversary is a creative technical human analyst. No shady vendors
trying to describe how they re-implemented open source tools or boisterous
trainers attempting to discuss topics they only superficially understand.
This is your opportunity to learn directly from an international cadre of
pioneering researchers and practitioners who have been shaping the field
of memory analysis since its inception.
If you are interested in getting involved or have an exciting topic you
would like to present, please let the team know. For those who want to
attend, please be sure to check back frequently for registration details.
Due to the overwhelming response in 2008, we were not able to fulfill all
the registration requests, so please be sure to register early! There will
be a number of surprises and I guarantee it will be an event you won't
want to miss! Check out what previous attendees of OMFW have said:
"AAron was able to bring together an outstanding group of folks interested
in "memory forensics" and there was some spirited discussion among the
participants along with some really outstanding talks/demos. It was also
great to be able to put faces to folks who until then had only been
handles in IRC or names on e-mail/blog posts in the past."
-Jim Clausing: SANS Internet Storm Center Handler
"My first impression of the event was that the underground could have set
digital forensics back 3-5 years if they had attacked our small conference
room. Where else do you have Eoghan Casey, Brian Carrier, Harlan Carvey,
Michael Cohen, Brendan Dolan-Gavitt, George Garner Jr., Jesse Kornblum,
Andreas Schuster, Aaron Walters, et al, in the same room? I thought Brian
Dykstra framed the situation properly when asking the following: "I know
this is an easy question for all you 'beautiful minds,' but...""
-Richard Bejtlich: TaoSecurity
Current invited speakers include:
Andrew Case (attc)
Michael Cohen (scudette)
Brendan Dolan-Gavitt (moyix)
Jamie Levy (gleeda)
Michael Hale Ligh (MHL)
AAron Walters
More to be announced....
Hi All,
I've been using Volatility for a few days, and I'm still new to it.
Until now I have only used it for the regular commands, like
1. pslist
2. files
3. connections
4. etc.
And I know that the information Volatility obtains by extracting digital artifacts from volatile memory (RAM) is very useful in an investigation, but I do not know how to utilize, maximize, and use the information that Volatility produces.
And I know this is the place of great people who can teach me how to better optimize the extraction of information from Volatility's results.
Is there anyone who can help me to better optimize Volatility? Please help me.
I will be very grateful for all help.
Regards.
Kalmaun.