"The dump was split into several files which I combined using cat."

That's your problem. You took all the System RAM ranges and concatenated them in such a way that volatility has no idea what the ranges were, so it's not going to work well for you. Try using LiME instead. https://code.google.com/p/lime-forensics/

On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100@gmail.com> wrote:
Dear Vol-users:

First and foremost thanks to the creators of volatility for this amazing tool. 

I've been struggling to create a proper linux profile to analyze a memory dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump was split into several files which I combined using cat. 

I don't have access to the physical machine just some snapshot info, and have been trying to gather all the information I need in order to create the proper profile as follows:

I grepped through /var/log/kern.log to find the kernel version that was running and got this: 

Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)

I also grepped through kern.log for the CPU and got:

CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know to utilize 64-bit architecture. 


So to create the profile, I've installed a virtual machine running Ubuntu 12.04.3 x64 and the identical kernel version: 3.2.0-53-generic.  I have a different processor on the virtual machine I'm using to build the profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?)

I followed the instructions to a T on generating modules.dwarf using the included volatility toolset, copying the System.map file, zipping them together, etc.

Run the required

python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64    - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86

and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel 3.2.0-53-generic)

Now when I run the following with the -dd flag for debug, I get the following (sorry for the length of the debug message):

python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fe1d90>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xffffffff
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.obj      : None object instantiated: Unable to read_long_long_phys at 0xfffff8104eff0L
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Could not read_long_phys at offset 0x3ffffffff070L
DEBUG1  : volatility.obj      : None object instantiated: Could not read_long_phys at offset 0x3ffffffff040L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xffffffff
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
 IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check


The error must have something to do with the way that I'm generating the profile (at least I think something is off), but I can't for the life of me figure out what the problem is.  I truly appreciate any light that a vol expert out there may be able to shed on what I need to do differently.  Thanks very much.
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
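The reply above makes the point that a plain cat of per-range chunks throws away each chunk's physical start address, so the bytes that lived at, say, 0x2000 end up at file offset 0x800 and Volatility's paged address space cannot find the page tables. If the split files really are one file per "System RAM" range and you still know the range boundaries (from the target's /proc/iomem), the layout can be put back by wrapping each chunk in a LiME range header, which is exactly the container Volatility's LimeAddressSpace (visible in the debug output above) knows how to walk. The script below is an added example written for this thread; it is not code from either post nor from the Volatility or LiME projects. It assumes the LiME version-1 header layout (u32 magic 0x4C694D45, u32 version, u64 start, u64 inclusive end, 8 reserved bytes) and one chunk per range; the /proc/iomem text, the chunk contents and the placement of the kernel banner inside them are constructed for illustration. It also scans the rebuilt image for the kernel's "Linux version ..." banner so the profile can be matched to the kernel actually in the dump rather than to a log file from the same host.

```python
"""Rebuild a LiME-format image from per-range memory chunks and sanity-check it.

Added example for this thread (not from the original posts, Volatility or LiME).
Assumes one raw chunk per 'System RAM' range of the target's /proc/iomem and
that each range's start/end physical address is known. All sample data below
is constructed.
"""
import re
import struct

LIME_MAGIC = 0x4C694D45    # stored little-endian, so the file begins with "EMiL"
LIME_VERSION = 1
# lime_mem_range_header: u32 magic, u32 version, u64 s_addr, u64 e_addr, 8 reserved bytes
LIME_HEADER = struct.Struct("<IIQQ8s")

IOMEM_RAM_RE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+)\s*:\s*System RAM\s*$", re.I)


def parse_iomem_ranges(iomem_text):
    """Return [(start, end_inclusive), ...] for each 'System RAM' line of /proc/iomem."""
    ranges = []
    for line in iomem_text.splitlines():
        m = IOMEM_RAM_RE.match(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def build_lime_image(ranges, chunks):
    """Prefix every chunk with a LiME range header so its physical address survives.

    Plain 'cat' drops the start address of each chunk: a chunk captured from
    0x2000 lands at file offset 0x800 and Volatility reads the wrong bytes.
    """
    if len(ranges) != len(chunks):
        raise ValueError("need exactly one chunk per range")
    out = bytearray()
    prev_end = -1
    for (start, end), data in zip(ranges, chunks):
        if start <= prev_end:
            raise ValueError("ranges must be ascending and non-overlapping")
        if len(data) != end - start + 1:
            raise ValueError("chunk for %#x-%#x is %d bytes, expected %d"
                             % (start, end, len(data), end - start + 1))
        out += LIME_HEADER.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
        prev_end = end
    return bytes(out)


def read_lime_ranges(image):
    """Walk the headers; return [(start, end_inclusive, file_offset_of_data), ...]."""
    ranges, pos = [], 0
    while pos < len(image):
        magic, version, start, end, _ = LIME_HEADER.unpack_from(image, pos)
        if magic != LIME_MAGIC or version != LIME_VERSION:
            raise ValueError("bad LiME header at file offset %#x" % pos)
        pos += LIME_HEADER.size
        ranges.append((start, end, pos))
        pos += end - start + 1
    return ranges


def read_phys(image, paddr, length):
    """Read physical memory through the range table; None if paddr was not captured."""
    for start, end, data_off in read_lime_ranges(image):
        if start <= paddr and paddr + length - 1 <= end:
            off = data_off + (paddr - start)
            return image[off:off + length]
    return None


def find_linux_banner(image):
    """Find the kernel's 'Linux version ...' string; returns (paddr, text) or None.

    Confirms which kernel build the dump came from before a profile is built.
    """
    for start, end, data_off in read_lime_ranges(image):
        data = image[data_off:data_off + (end - start + 1)]
        i = data.find(b"Linux version ")
        if i >= 0:
            j = data.find(b"\0", i)
            text = data[i:j if j >= 0 else None].split(b"\n")[0]
            return start + i, text.decode("ascii", "replace")
    return None


# Constructed sample: two small 'System RAM' ranges with a non-RAM hole between them.
SAMPLE_IOMEM = """\
00000000-00000fff : reserved
00001000-000017ff : System RAM
00001800-00001fff : ACPI Tables
00002000-000027ff : System RAM
"""
SAMPLE_BANNER = (b"Linux version 3.2.0-53-generic (buildd@allspice) "
                 b"(gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) "
                 b"#81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013\n\0")
SAMPLE_RANGES = parse_iomem_ranges(SAMPLE_IOMEM)
_second = b"B" * 0x100 + SAMPLE_BANNER          # banner placed at physical 0x2100
SAMPLE_CHUNKS = [b"A" * 0x800, _second + b"B" * (0x800 - len(_second))]
SAMPLE_IMAGE = build_lime_image(SAMPLE_RANGES, SAMPLE_CHUNKS)

if __name__ == "__main__":
    for start, end, off in read_lime_ranges(SAMPLE_IMAGE):
        print("range %#x-%#x stored at file offset %#x" % (start, end, off))
    print(find_linux_banner(SAMPLE_IMAGE))
```

Write the bytes returned by build_lime_image to a file such as memdump.lime and point Volatility at it with the same command as in the post (python vol.py -f memdump.lime --profile=... linux_pslist); LimeAddressSpace is tried early in the voting round shown above, so no extra option is needed. Compare the banner that find_linux_banner returns with uname -a on the VM used to build the profile: the build tag and date (#81-Ubuntu ... Aug 22 2013) must match, not just the 3.2.0-53-generic version string. If the split files were not one per range (for example fixed-size pieces of a single read), this reconstruction does not apply and the honest fix is to re-acquire with LiME as the reply recommends.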