What I do have is /dev/mem, kmem, ram, everything in /dev.


Can I potentially get the required info from there or dump the contents of /dev/mem? 

My understanding is that since this is a later kernel version, /dev/mem provides only limited access.  

On Sun, Sep 7, 2014 at 11:14 PM, Josh Horowitz <joshh100@gmail.com> wrote:
Unfortunately not, I just have a snapshot of the machine and /proc is empty.  I have access to the logs from /var/log, is there any information I can use from there to construct the proper profile?  

Or any other suggestions perhaps?  I'm thinking of finding the exact system build and model number, perhaps somewhere in the user manual or specs I can find the required info? 

And then once I do, I'm still not entirely sure what needs to be done with it...

On Sun, Sep 7, 2014 at 11:03 PM, Joe Sylve <joe.sylve@gmail.com> wrote:
Do you know the original physical memory ranges?  Can you cat /proc/iomem on the source system (they shouldn't have changed)?  If so you can create a padded memory image by concatenating the memory images you have and filling in the gaps in the physical memory ranges with 0s.
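The padding step Joe describes, as an added example that is not from the thread or from the Volatility project: a Python script that reads the "System RAM" ranges from a saved copy of /proc/iomem and places each dumpNN.dd chunk at its original physical offset, zero-filling the reserved and PCI holes so the result is a flat raw image that Volatility can read with the same layout the kernel saw. It assumes the dump files were captured one per System RAM range, in /proc/iomem order; the miniature iomem listing, the chunk contents and the file names are constructed for illustration.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Matches a top-level /proc/iomem line such as "00100000-bfedffff : System RAM".
IOMEM_RE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.*)$")

def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return (start, end_inclusive) for each top-level 'System RAM' range."""
    ranges = []
    for line in iomem_text.splitlines():
        if not line or line[0].isspace():   # indented children (Kernel code/data) are skipped
            continue
        m = IOMEM_RE.match(line)
        if m and m.group(3).strip() == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges

def build_padded_image(ranges: List[Tuple[int, int]], chunks: List[bytes]) -> bytes:
    """Place chunk i at the physical offset of range i and zero-fill the holes."""
    # Assumption: dump00.dd, dump01.dd, ... hold one System RAM range each, in iomem order.
    if len(ranges) != len(chunks):
        raise ValueError(f"{len(ranges)} System RAM ranges but {len(chunks)} dump files")
    out = bytearray()
    for (start, end), chunk in zip(ranges, chunks):
        size = end - start + 1
        if len(chunk) != size:
            raise ValueError(f"range {start:#x}-{end:#x} is {size} bytes, dump is {len(chunk)}")
        if start < len(out):
            raise ValueError(f"range {start:#x} overlaps data already placed; ranges out of order?")
        out.extend(b"\x00" * (start - len(out)))   # reserved/PCI hole becomes zeros
        out.extend(chunk)
    return bytes(out)

def pad_dump_files(iomem_path: str, dump_paths: List[str], out_path: str) -> int:
    """File-based wrapper; returns the size of the padded image written to out_path."""
    ranges = parse_system_ram(Path(iomem_path).read_text())
    chunks = [Path(p).read_bytes() for p in dump_paths]
    image = build_padded_image(ranges, chunks)
    return Path(out_path).write_bytes(image)   # write_bytes returns the byte count

# Constructed miniature /proc/iomem (real ranges run from megabytes to gigabytes).
SAMPLE_IOMEM = """\
00000000-0000000f : System RAM
00000010-0000001f : reserved
00000020-0000003f : System RAM
  00000020-0000002f : Kernel code
00000040-0000004f : PCI Bus 0000:00
"""
SAMPLE_CHUNKS = [b"A" * 16, b"B" * 32]   # constructed stand-ins for dump00.dd and dump01.dd

if __name__ == "__main__":
    img = build_padded_image(parse_system_ram(SAMPLE_IOMEM), SAMPLE_CHUNKS)
    print(f"{len(img)} bytes; hole at 0x10-0x1f zeroed: {img[16:32] == bytes(16)}")
```

A raw file is read by Volatility as physical memory starting at offset 0, so the holes have to be present as zeros rather than removed, which is exactly what a plain cat of the chunks loses.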

On Sun, Sep 7, 2014 at 10:00 PM, Josh Horowitz <joshh100@gmail.com> wrote:
Hi Joe: 

Thanks very much for your response.  Unfortunately I don't have the option to use LIME to go back and capture the memory again.  What I have are several .dd files that were created using fmem, e.g., dump00.dd, dump01.dd, and so on.  

I used cat to combine all the .dd files into one, which now makes sense as having been foolish.  Although I did also try the profile against the individual .dd files with the same result.  

I'll go back and do it again to see what happens...  In the meantime any other suggestions would be truly appreciated.

On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve@gmail.com> wrote:
"The dump was split into several files which I combined using cat."

That's your problem.  You took all the System RAM ranges and concatenated them in such a way that volatility has no idea what the ranges were so it's not going to work well for you. Try using LiME instead. https://code.google.com/p/lime-forensics/

On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100@gmail.com> wrote:
Dear Vol-users:

First and foremost thanks to the creators of volatility for this amazing tool. 

I've been struggling to create a proper linux profile to analyze a memory dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump was split into several files which I combined using cat. 

I don't have access to the physical machine just some snapshot info, and have been trying to gather all the information I need in order to create the proper profile as follows:

I grepped through /var/log/kern.log to find the kernel version that was running and got this: 

Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)

I also grepped through kern.log for CPU and got:

CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know to utilize 64-bit architecture. 


So to create the profile, I've installed a virtual machine running Ubuntu 12.04.3 x64 and the identical kernel version: 3.2.0-53-generic.  I have a different processor core on the virtual machine I'm using to build the profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?)

I followed the instructions to a T on generating modules.dwarf using the included volatility toolset, copying the System.map file, zipping them together, etc.

I ran the required

python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64    - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86

and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel 3.2.0-53-generic)

Now when I run the following with the -dd flag for debug I get the following (sorry for the length of the debug message):

 python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fe1d90>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xffffffff
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.obj      : None object instantiated: Unable to read_long_long_phys at 0xfffff8104eff0L
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Could not read_long_phys at offset 0x3ffffffff070L
DEBUG1  : volatility.obj      : None object instantiated: Could not read_long_phys at offset 0x3ffffffff040L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xffffffff
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
 IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check


The error must have something to do with the way that I'm generating the profile (at least I think something is off) but I can't for the life of me figure out what the problem is.  I truly appreciate any light that a vol expert out there may be able to shed on what I need to do differently.  Thanks very much.


  


 

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users