# cat /etc/redhat-release
CentOS release 5.10 (Final)
# uname -rm
2.6.18-371.4.1.el5 x86_64
# dwarfdump -V
Fri Jan 31 07:36:46 PST 2014
# rpm -qa | grep kernel-devel
kernel-devel-2.6.18-371.el5
kernel-devel-2.6.18-371.4.1.el5
# pwd
/opt/volatility-2.3.1/tools/linux
# make
make -C //lib/modules/2.6.18-371.4.1.el5/build CONFIG_DEBUG_INFO=y M=/opt/volatility-2.3.1/tools/linux modules
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
  CC [M]  /opt/volatility-2.3.1/tools/linux/module.o
/opt/volatility-2.3.1/tools/linux/module.c:303:5: warning: "STATS" is not defined
/opt/volatility-2.3.1/tools/linux/module.c:319:5: warning: "DEBUG" is not defined
  Building modules, stage 2.
  MODPOST
  CC      /opt/volatility-2.3.1/tools/linux/module.mod.o
  LD [M]  /opt/volatility-2.3.1/tools/linux/module.ko
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
dwarfdump -di module.ko > module.dwarf
make -C //lib/modules/2.6.18-371.4.1.el5/build M=/opt/volatility-2.3.1/tools/linux clean
make[1]: Entering directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
  CLEAN   /opt/volatility-2.3.1/tools/linux/.tmp_versions
make[1]: Leaving directory `/usr/src/kernels/2.6.18-371.4.1.el5-x86_64'
# ls -l module.dwarf
-rw-r--r-- 1 root root 1198672 Feb  5 14:42 module.dwarf
# ls -l /boot/System.map-2.6.18-371.4.1.el5
-rw-r--r-- 1 root root 1284091 Jan 30 03:44 /boot/System.map-2.6.18-371.4.1.el5
# zip CentOS5.10-test.zip /opt/volatility-2.3.1/tools/linux/module.dwarf /boot/System.map-2.6.18-371.4.1.el5
  adding: opt/volatility-2.3.1/tools/linux/module.dwarf (deflated 90%)
  adding: boot/System.map-2.6.18-371.4.1.el5 (deflated 78%)
# insmod lime-2.6.18-371.4.1.el5.ko path=~/memory.raw format=raw

## Copied memory.raw and CentOS5.10-test.zip to a different system for analysis

# ls -l
-rw-r--r-- 1 geoff citsirt     405279 Feb  5 14:46 CentOS5.10-test.zip
-r--r--r-- 1 geoff citsirt 1073147904 Feb  5 08:59 memory.raw
# strings -n 6 memory.raw | grep 'Linux version' | head -n1 | awk '{print $1,$2,$3,$4}'
Linux version 2.6.18-371.4.1.el5 (mockbuild@builder10.centos.org)
# python $VOLDIR/vol.py --plugins=. --info | grep CentOS
Volatility Foundation Volatility Framework 2.3.1
LinuxCentOS5_10-testx64 - A Profile for Linux CentOS5.10-test x64
# python /data/download/apps/forensic_tools/volatility/vol.py --plugins=. -f memory.raw --profile=LinuxCentOS5_10-testx64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.3.1
DEBUG : volatility.plugins.overlays.linux.linux: CentOS5.10-test: Found dwarf file boot/System.map-2.6.18-371.4.1.el5 with 378 symbols
DEBUG : volatility.plugins.overlays.linux.linux: CentOS5.10-test: Found system file boot/System.map-2.6.18-371.4.1.el5 with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.obj : Applying modification from Linux64ObjectClasses
DEBUG : volatility.plugins.overlays.linux.linux: CentOS5.10-test: Found dwarf file boot/System.map-2.6.18-371.4.1.el5 with 378 symbols
DEBUG : volatility.plugins.overlays.linux.linux: CentOS5.10-test: Found system file boot/System.map-2.6.18-371.4.1.el5 with 1 symbols
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.obj : Applying modification from Linux64ObjectClasses
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying
DEBUG : volatility.utils : Succeeded instantiating
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x11063
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxCentOS5_10-testx64 selected
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Incompatible profile LinuxCentOS5_10-testx64 selected
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff00cL
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff000L
DEBUG1 : volatility.obj : None object instantiated: No suggestions available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x11063
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxCentOS5_10-testx64 selected
 IA32PagedMemory: Incompatible profile LinuxCentOS5_10-testx64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check
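The session above builds a Volatility 2.3.1 Linux profile (module.dwarf plus System.map zipped together), confirms the profile is listed by --info, checks the kernel banner in the LiME image with strings | grep, and then fails at "AMD64PagedMemory: Failed valid Address Space check" without a stated cause. The script below is an added example (not Volatility's code and not the original poster's) that automates the mismatch checks a practitioner rules out before debugging the address space: that the zip holds exactly one .dwarf and one System.map, that the dwarf looks like dwarfdump -di output, that the System.map resolves the symbols the profile is assumed to need (init_level4_pgt as the x86_64 DTB root, init_task for the process list, linux_banner to tie the map to a build; that list is an assumption, not something the transcript states), and that the kernel release in the image banner matches the release in the System.map file name. The sample System.map, dwarf text and image bytes are constructed for a self-contained run; only the release string and builder host come from the page.

```python
import io
import re
import zipfile

# Kernel banner written by init/version.c: "Linux version <release> (<user@host>) ..."
BANNER_RE = re.compile(rb"Linux version (\S+) \(([^)]*)\)")
# System.map line: "<hex address> <type letter> <symbol name>"
SYSMAP_RE = re.compile(r"^([0-9a-fA-F]+) ([A-Za-z]) (\S+)$")

# Assumed minimum symbol set for an x64 Linux profile (see lead-in); adjust per kernel.
REQUIRED_SYMBOLS = ("init_level4_pgt", "init_task", "linux_banner")


def parse_system_map(text):
    """Return {symbol_name: address} from System.map text, ignoring malformed lines."""
    symbols = {}
    for line in text.splitlines():
        match = SYSMAP_RE.match(line.strip())
        if match:
            symbols[match.group(3)] = int(match.group(1), 16)
    return symbols


def release_from_sysmap_name(entry_name):
    """'boot/System.map-2.6.18-371.4.1.el5' -> '2.6.18-371.4.1.el5' (None if not named that way)."""
    base = entry_name.rsplit("/", 1)[-1]
    prefix = "System.map-"
    return base[len(prefix):] if base.startswith(prefix) else None


def image_kernel_release(image_bytes):
    """Release from the first 'Linux version ...' banner in a raw image (the strings | grep step)."""
    match = BANNER_RE.search(image_bytes)
    return match.group(1).decode("ascii", "replace") if match else None


def check_profile(zip_bytes, image_bytes, required=REQUIRED_SYMBOLS):
    """Cross-check a profile zip against a raw image; returns a list of findings (empty means OK)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        dwarfs = [n for n in names if n.lower().endswith(".dwarf")]
        sysmaps = [n for n in names if "system.map" in n.lower()]
        if len(dwarfs) != 1:
            findings.append("expected exactly one .dwarf entry, found %d" % len(dwarfs))
        if len(sysmaps) != 1:
            findings.append("expected exactly one System.map entry, found %d" % len(sysmaps))
        dwarf_text = zf.read(dwarfs[0]).decode("utf-8", "replace") if dwarfs else ""
        sysmap_text = zf.read(sysmaps[0]).decode("utf-8", "replace") if sysmaps else ""

    # dwarfdump -di output carries one DW_TAG_structure_type DIE per struct; none means no debug info.
    if dwarf_text.count("DW_TAG_structure_type") == 0:
        findings.append("dwarf entry has no DW_TAG_structure_type DIEs; module.ko built without debug info?")

    symbols = parse_system_map(sysmap_text)
    for name in required:
        if name not in symbols:
            findings.append("System.map lacks required symbol %s" % name)

    image_release = image_kernel_release(image_bytes)
    map_release = release_from_sysmap_name(sysmaps[0]) if sysmaps else None
    if image_release is None:
        findings.append("no 'Linux version' banner found in image")
    elif map_release and image_release != map_release:
        findings.append("image kernel %s != System.map kernel %s" % (image_release, map_release))
    return findings


def build_sample_profile(sysmap_name, dwarf_name="module.dwarf"):
    """Constructed profile zip (addresses and DIEs are made up, not from a real kernel)."""
    sysmap = (
        "ffffffff80200000 D init_level4_pgt\n"
        "ffffffff80300000 D init_task\n"
        "ffffffff80400000 R linux_banner\n"
    )
    dwarf = (
        "< 1><0x0000002d>    DW_TAG_structure_type\n"
        "                     DW_AT_name                  task_struct\n"
        "< 1><0x00000100>    DW_TAG_structure_type\n"
        "                     DW_AT_name                  mm_struct\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(dwarf_name, dwarf)
        zf.writestr(sysmap_name, sysmap)
    return buf.getvalue()


# Constructed raw image: zero padding around the banner the transcript found with strings | grep.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Linux version 2.6.18-371.4.1.el5 (mockbuild@builder10.centos.org) #1 SMP\x00"
    + b"\x00" * 64
)

if __name__ == "__main__":
    good = build_sample_profile("boot/System.map-2.6.18-371.4.1.el5")
    print("matching profile:", check_profile(good, SAMPLE_IMAGE) or "OK")
    wrong = build_sample_profile("boot/System.map-2.6.18-371.el5")  # the other kernel-devel on the box
    print("wrong System.map:", check_profile(wrong, SAMPLE_IMAGE))
```

Run it against a real profile with check_profile(open("CentOS5.10-test.zip", "rb").read(), open("memory.raw", "rb").read()); the banner search reads the whole image, so on a 1 GiB dump expect a few seconds. The second case in the main block mirrors the easiest mistake on the page's box, where two kernel-devel versions are installed: a System.map from 2.6.18-371.el5 paired with a 2.6.18-371.4.1.el5 image passes every structural check and is caught only by the release comparison. A clean result from this script does not explain the AMD64PagedMemory failure in the transcript; it only removes the profile-packaging causes from the list.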