Re: [Vol-users] Analyzing memory from a QEMU snapshot

Hey Thomas, Did you verify that the kernel version was exactly the same? It is not so much the OS version (e.g, version of Debian), but it is that the kernel versions must match *exactly*. If you still have access to each machine you can compare the "uname -r" output to see - if these differ then the profile won't work. If you can't get a VM with the exact kernel version, then you can just download the correct kernel headers from the debian repo and then: 1) cd tools/linux (inside volatility source checkout) 2) edit Makefile.enterprise to point KDIR to where you extracted the headers 3) run: make -f Makefile.enterprise Please let me know if you have any questions. Thanks, Andrew (@attrc) On 05/04/2016 09:35 AM, Thomas Hungenberg wrote: > On 04.05.2016 16:25, Adam Pridgen wrote: >> Which profile are you using? You should create a profile for the Linux VM >> you are trying to analyze. I have had to do this for several clean >> installs of Ubuntu because of Linux kernel versions. > > I set up a fresh VM with Debian Linux in the same version the virtual > server was running. Next, I installed the kernel image and related files > extracted from the virtual harddisk on this new VM to get a Linux system > running exactly the same kernel version. Then I created a Volatility > profile on this VM. > > > - Thomas > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > . >