Have you tried any of the scanning plugins, like
psscan, modscan or similar?
On Thu, Oct 4, 2012 at 4:16 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
Two different samples, both fail for different reasons. These are supposedly raw memory
samples collected from servers using FTK Imager. The one sample that generates a profile
loads into Redline and produces all the normal info I'd expect. The other sample, the
one that produces no results with imageinfo, may be bad. I've not loaded it into
Redline yet.
-David
On Oct 4, 2012, at 3:14 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
> hrmmm strange... Am I missing something or are you asking about two
> different samples? I see two different file names, but you're writing
> this as if they are one. Are these raw memory samples? Do you have
> any idea what the system might be? Have you tried any of the scanning
> plugins? Which of these two samples did you run redline on and what
> did you get back... any valid info?
>
>
>
> On Thu, Oct 4, 2012 at 2:58 PM, David Kovar <dkovar(a)gmail.com> wrote:
>> Greetings,
>>
>> I am unable to get a viable profile for two different images. I built V2.2 on a
>> MacBook Pro running 10.8.2.
>>
>> This one may be a bad image:
>>
>> <kdbgscan returns silently>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan
>> Volatile Systems Volatility Framework 2.2
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo
>> Volatile Systems Volatility Framework 2.2
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : No suggestion (Instantiated with no profile)
>> AS Layer1 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted-27-09-2012-10-47-50.dmp)
>> PAE type : No PAE
>>
>> ----------------
>>
>>
>> But this one loads in Mandiant Redline but Volatility will not produce any valid
>> results. I've tried all three profiles with no success.
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo
>> Volatile Systems Volatility Framework 2.2
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
>> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>> AS Layer2 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted_memdump.mem)
>> PAE type : PAE
>> DTB : 0x1595000L
>> KDBG : 0x808943e0
>> Number of Processors : 2
>> Image Type (Service Pack) : 2
>> KPCR for CPU 0 : 0xffdff000
>> KPCR for CPU 1 : 0xf772f000
>> KUSER_SHARED_DATA : 0xffdf0000
>> Image date and time : 2012-10-01 19:31:06 UTC+0000
>> Image local date and time : 2012-10-01 13:31:06 -0600
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan
>> Volatile Systems Volatility Framework 2.2
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP1x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP2x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>> **************************************************
>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>> Offset (P) : 0x8943e0
>> KDBG owner tag check : True
>> Profile suggestion (KDBGHeader): Win2003SP0x86
>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>> PsActiveProcessHead : 0x808ad0c8
>> PsLoadedModuleList : 0x808a6ea8
>> KernelBase : 0x80800000
>>
>>
>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 pslist
>> Volatile Systems Volatility Framework 2.2
>> No suitable address space mapping found
>> Tried to open image as:
>> LimeAddressSpace: lime: need base
>> WindowsHiberFileSpace32: No base Address Space
>> WindowsCrashDumpSpace64: No base Address Space
>> WindowsCrashDumpSpace32: No base Address Space
>> AMD64PagedMemory: No base Address Space
>> JKIA32PagedMemory: No base Address Space
>> IA32PagedMemoryPae: Module disabled
>> JKIA32PagedMemoryPae: No base Address Space
>> IA32PagedMemory: Module disabled
>> LimeAddressSpace: Invalid Lime header signature
>> WindowsHiberFileSpace32: No xpress signature found
>> WindowsCrashDumpSpace64: Header signature invalid
>> WindowsCrashDumpSpace32: Header signature invalid
>> AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
>> JKIA32PagedMemory: No valid DTB found
>> IA32PagedMemoryPae: Module disabled
>> JKIA32PagedMemoryPae: No valid DTB found
>> IA32PagedMemory: Module disabled
>> FileAddressSpace: Must be first Address Space
>>
>>
>> -----
>>
>> Thanks for any help you might be able to offer.
>>
>> -David
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
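An added example, not part of the thread and not Volatility's own code, of the two checks the thread turns on: the owner-tag scan behind kdbgscan's "KDBG owner tag check", and the container sniffing behind the "Header signature invalid" / "Invalid Lime header signature" lines that pslist printed. It lets you separate the two failure modes by hand: a raw file that simply holds no KDBG structure (the silent kdbgscan on the .dmp) versus a file that does hold one but is not the flat raw image the FileAddressSpace expects. Structure offsets follow _KDDEBUGGER_DATA64 from wdbgexts.h; the table of Header.Size values per Windows generation is recalled from Volatility 2.x's per-profile KDBGHeader magics and is an assumption to verify against your build. The sample "image" is constructed inline, reusing the field values kdbgscan printed in the thread; the script name and command line in the comments are hypothetical.

```python
import mmap
import struct
import sys

KDBG_TAG = b"KDBG"

# _KDDEBUGGER_DATA64 (wdbgexts.h): a 0x18-byte _DBGKD_DEBUG_DATA_HEADER64
# (LIST_ENTRY64 List @0x00, ULONG OwnerTag @0x10, ULONG Size @0x14) followed
# by ULONG64 fields: KernBase @0x18, PsLoadedModuleList @0x48,
# PsActiveProcessHead @0x50. Same layout on x86 and x64.
OFF_OWNERTAG = 0x10
OFF_SIZE = 0x14
OFF_KERNBASE = 0x18
OFF_PSLOADEDMODULELIST = 0x48
OFF_PSACTIVEPROCESSHEAD = 0x50
STRUCT_NEEDED = OFF_PSACTIVEPROCESSHEAD + 8

# Header.Size per Windows generation. ASSUMPTION: recalled from Volatility 2.x
# profile KDBGHeader magics, not stated in the thread; verify against your build.
# All profiles of one generation share a size, which is why kdbgscan printed
# three suggestions (2003 SP0/SP1/SP2) for a single offset.
KDBG_SIZES = {
    0x290: "Windows XP",
    0x318: "Windows Server 2003",
    0x328: "Windows Vista / Server 2008",
    0x340: "Windows 7 / Server 2008 R2",
}


def sniff_container(data):
    """Classify the leading bytes: a non-raw container explains a silent kdbgscan."""
    head = bytes(data[:8])
    if head.startswith(b"PAGEDUMP"):
        return "crashdump32"       # what WindowsCrashDumpSpace32 looks for
    if head.startswith(b"PAGEDU64"):
        return "crashdump64"       # what WindowsCrashDumpSpace64 looks for
    if head[:4].lower() in (b"hibr", b"wake"):
        return "hiberfil"          # hibernation file header
    if head[:4] == b"EMiL":
        return "lime"              # LiME magic 0x4C694D45, little-endian
    if head[:4] == b"\x7fELF":
        return "elf"               # VirtualBox/QEMU style ELF core
    return "raw"


def plausible(cand):
    """A four-byte tag match is weak evidence; reject hits whose fields cannot be
    a kernel's (known size, page-aligned kernel-space base, list heads inside the
    kernel image), roughly what kdbgscan's follow-up checks do."""
    kb = cand["kernbase"]
    in_kernel = lambda va: kb < va < kb + (16 << 20)   # within ntoskrnl's image
    return (cand["size"] in KDBG_SIZES
            and kb % 0x1000 == 0 and kb >= 0x80000000
            and in_kernel(cand["psloadedmodulelist"])
            and in_kernel(cand["psactiveprocesshead"]))


def scan_kdbg(data):
    """Return every 'KDBG' owner-tag hit with the fields kdbgscan reports.
    Offsets are physical (file) offsets into the raw image."""
    results = []
    pos = data.find(KDBG_TAG)
    while pos != -1:
        start = pos - OFF_OWNERTAG
        if start >= 0 and start + STRUCT_NEEDED <= len(data):
            size, = struct.unpack_from("<I", data, start + OFF_SIZE)
            kernbase, = struct.unpack_from("<Q", data, start + OFF_KERNBASE)
            modlist, = struct.unpack_from("<Q", data, start + OFF_PSLOADEDMODULELIST)
            prochead, = struct.unpack_from("<Q", data, start + OFF_PSACTIVEPROCESSHEAD)
            cand = {"offset": start, "size": size, "kernbase": kernbase,
                    "psloadedmodulelist": modlist, "psactiveprocesshead": prochead,
                    "os": KDBG_SIZES.get(size, "unknown")}
            cand["plausible"] = plausible(cand)
            results.append(cand)
        pos = data.find(KDBG_TAG, pos + 1)
    return results


def build_sample():
    """Constructed 64 KiB 'image' (not a real dump): one KDBG carrying the values
    from the thread's kdbgscan output, plus a decoy 'KDBG' inside a string."""
    img = bytearray(0x10000)
    start = 0x43e0
    img[start + OFF_OWNERTAG:start + OFF_OWNERTAG + 4] = KDBG_TAG
    struct.pack_into("<I", img, start + OFF_SIZE, 0x318)
    struct.pack_into("<Q", img, start + OFF_KERNBASE, 0x80800000)
    struct.pack_into("<Q", img, start + OFF_PSLOADEDMODULELIST, 0x808a6ea8)
    struct.pack_into("<Q", img, start + OFF_PSACTIVEPROCESSHEAD, 0x808ad0c8)
    img[0x8000:0x8010] = b"xKDBGx decoy tag"
    return bytes(img)


def report(data):
    print("container:", sniff_container(data))
    for c in scan_kdbg(data):
        print("KDBG @ 0x%x size=0x%x (%s) KernBase=0x%x PsLoadedModuleList=0x%x "
              "PsActiveProcessHead=0x%x %s" % (c["offset"], c["size"], c["os"],
              c["kernbase"], c["psloadedmodulelist"], c["psactiveprocesshead"],
              "OK" if c["plausible"] else "rejected"))


if __name__ == "__main__":
    if len(sys.argv) > 1:          # hypothetical usage: python kdbgcheck.py image.mem
        with open(sys.argv[1], "rb") as f:
            report(mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ))
    else:
        report(build_sample())
```

With a real image passed on the command line, a container other than "raw" means the file is not the flat memory image a raw export should produce, and a flat-file address space will never find a KDBG in it regardless of profile. When the scan does find a plausible KDBG but a plugin still reports "No valid DTB found", Volatility 2's --dtb and --kdbg options accept the DTB that imageinfo printed and the KDBG's virtual address, so the automatic search that is failing can be bypassed.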