Hey Thomas,
Did you verify that the kernel version was exactly the same? It is not
so much the OS version (e.g., version of Debian), but it is that the
kernel versions must match *exactly*. If you still have access to each
machine you can compare the "uname -r" output to see - if these differ
then the profile won't work.
If you can't get a VM with the exact kernel version, then you can just
download the correct kernel headers from the debian repo and then:
1) cd tools/linux (inside volatility source checkout)
2) edit Makefile.enterprise to point KDIR to where you extracted the headers
3) run: make -f Makefile.enterprise
Please let me know if you have any questions.
Thanks,
Andrew (@attrc)
On 05/04/2016 09:35 AM, Thomas Hungenberg wrote:
> On 04.05.2016 16:25, Adam Pridgen wrote:
>> Which profile are you using? You should create a profile for the Linux VM
>> you are trying to analyze. I have had to do this for several clean
>> installs of Ubuntu because of Linux kernel versions.
>
> I set up a fresh VM with Debian Linux in the same version the virtual
> server was running. Next, I installed the kernel image and related files
> extracted from the virtual harddisk on this new VM to get a Linux system
> running exactly the same kernel version. Then I created a Volatility
> profile on this VM.
>
> - Thomas
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
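
Added example, not part of the original messages and not Volatility's own code: a shell check that the headers tree KDIR points to matches the target's kernel release exactly, to run before `make -f Makefile.enterprise`. It assumes the headers tree carries `include/generated/utsrelease.h`; the function names and the sample release string are constructed for illustration.

```shell
#!/bin/sh
# Compare the target's kernel release with the release the headers were built for.

# Extract the release (what "uname -r" prints) from a kernel banner line.
# The banner can be taken from the target's /proc/version, or from the
# "Linux version ..." string found in the memory image.
banner_release() {
    printf '%s\n' "$1" | sed -n 's/.*Linux version \([^ ]*\) .*/\1/p' | head -n 1
}

# Print UTS_RELEASE from a headers tree (the directory KDIR points to).
headers_release() {
    f="$1/include/generated/utsrelease.h"
    [ -r "$f" ] || return 1
    sed -n 's/^#define UTS_RELEASE "\(.*\)"$/\1/p' "$f"
}

# usage: check_kdir <target-release> <KDIR>
# Returns 0 on an exact match, 1 on a mismatch, 2 if KDIR has no utsrelease.h.
check_kdir() {
    want="$1"
    have=$(headers_release "$2") || { echo "no utsrelease.h under $2" >&2; return 2; }
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "match: $have"
    else
        echo "MISMATCH: target=$want headers=$have" >&2
        return 1
    fi
}

# Demo on constructed data: a fake headers tree and a constructed banner.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/include/generated"
    printf '#define UTS_RELEASE "3.16.0-4-amd64"\n' > "$d/include/generated/utsrelease.h"
    banner='Linux version 3.16.0-4-amd64 (builder@example) (gcc version 4.8.4) #1 SMP'
    check_kdir "$(banner_release "$banner")" "$d"
    # A release that differs only in flavour must still be rejected.
    check_kdir "3.16.0-4-686-pae" "$d" || echo "mismatch detected as expected"
    rm -rf "$d"
}
demo
```
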