As a quick check, can you verify that mac_get_profile matches the one
you are using? Don't specify --profile when running it.
Thanks,
Andrew (@attrc)
On 06/03/2016 03:09 AM, Rob Hunter wrote:
Hello list,
I’m trying to use Volatility on an OSX memory dump. I was unable to
download Mac Memory Reader as the site is offline. I’ve used osxpmem
from Rekall.
The commands I used to perform the dump were:
sudo kextutil MacPmem.kext
sudo ./osxpmem --format elf -o ./ram.dump
I then moved ram.dump into my volatility directory
To check my downloaded profile is included I’ve run the command
./volatility_2.5_mac --plugins=./mac --imageinfo
and then I ran
./volatility_2.5_mac --plugins=./mac --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
and got
Volatility Foundation Volatility Framework 2.5
Offset             Name                 Pid      Uid      Gid      PGID     Bits         DTB                Start Time
------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x4034b50
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
Apparently my OSXPmemElf signature is invalid. What can I do to dump
memory with a valid signature? Or does my problem lie elsewhere?
Regards,
Rob
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
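Added example (not part of the thread or of Volatility itself): the address-space messages above each report what Volatility read at the start of the image, and the "Invalid VMware signature: 0x4034b50" line is the first four bytes of the file printed as a little-endian 32-bit integer. The script below decodes that value back into bytes and compares the leading bytes of an image against the magic numbers of the container formats named in the error list, so you can tell which format a dump is actually in before choosing a profile. The MAGICS table, the helper names and the constructed sample file are my own; only the signature value comes from the thread.

```python
import re
import struct
import tempfile

# Leading bytes of memory-image containers that Volatility 2.x probes for.
# Table constructed for this example; descriptions name the address space
# that accepts each format.
MAGICS = {
    b"\x7fELF": "ELF (OSXPmemELF / QemuCoreDumpElf / VirtualBoxCoreDumpElf64)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (MachOAddressSpace)",
    b"EMiL": "LiME (LimeAddressSpace)",
    b"PK\x03\x04": "ZIP local file header (AFF4 containers are ZIP-based)",
}


def signature_to_bytes(hex_value):
    """Turn the uint32 Volatility prints (e.g. '0x4034b50') back into file bytes."""
    return struct.pack("<I", int(hex_value, 16))


def identify_magic(head):
    """Classify the first bytes of an image; 'unknown' covers raw/physical dumps."""
    for magic, description in MAGICS.items():
        if head.startswith(magic):
            return description
    return "unknown"


def identify_image(path):
    """Read the first four bytes of a dump on disk and classify them."""
    with open(path, "rb") as f:
        return identify_magic(f.read(4))


def decode_volatility_error(line):
    """Parse a '... signature: 0x...' line and return (bytes, format description)."""
    match = re.search(r"signature:\s*(0x[0-9a-fA-F]+)", line)
    if not match:
        return None
    head = signature_to_bytes(match.group(1))
    return head, identify_magic(head)


if __name__ == "__main__":
    # Constructed sample: a file that begins with a ZIP local file header.
    with tempfile.NamedTemporaryFile(suffix=".dump", delete=False) as tmp:
        tmp.write(b"PK\x03\x04" + b"\x00" * 60)
    print(identify_image(tmp.name))
    print(decode_volatility_error(
        "VMWareAddressSpace: Invalid VMware signature: 0x4034b50"))
```

A raw physical dump has no header at all and is reported as "unknown"; that case is handled by the paged-memory address spaces rather than by a container signature.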