Dear Vol-users:
First and foremost thanks to the creators of volatility for this amazing tool.
I've been struggling to create a proper linux profile to analyze a memory dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was split into several files which I combined using cat.
I don't have access to the physical machine, just some snapshot info, and have been trying to gather all the information I need in order to create the proper profile as follows:
I grepped through /var/log/kern.log to find the kernel version that was running and got this:
Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
I also grepped through kern.log for the CPU and got:
CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know uses a 64-bit architecture.
So to create the profile, I've installed a virtual machine running Ubuntu 12.04.3 x64 and the identical kernel version: 3.2.0-53-generic. I have a different processor core on the virtual machine I'm using to build the profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?)
I followed the instructions to a T on generating module.dwarf using the included volatility toolset, copying the System.map file, zipping them together, etc.
I ran the required:
python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64 - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86
and all seems well. (The LinuxUbuntu_12_04_3_X64x64 is for kernel 3.2.0-53-generic)
Now when I run the following with the -dd flag for debugging I get this output (sorry for the length of the debug message):
python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fe1d90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xffffffff
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xfffff8104eff0L
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff070L
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff040L
DEBUG1 : volatility.obj : None object instantiated: No suggestions available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xffffffff
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
The error must have something to do with the way that I'm generating the profile (at least I think something is off) but I can't for the life of me figure out what the problem is. I truly appreciate any light that a vol expert out there may be able to shed on what I need to do differently. Thanks very much.
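As an added example (not part of the original post, and not code from the Volatility project), the script below does the two cross-checks a practitioner would want before suspecting the address-space layer: it reads the "Linux version ..." banner straight out of the raw image, the same string the post grepped from kern.log, so the kernel release comes from the evidence rather than a log file; and it inspects the profile zip for one .dwarf member and one System.map member, counts the System.map symbol lines independently of what the debug output reports, and compares the release encoded in the System.map file name against the banner(s) found in the dump. It assumes the Volatility 2.x profile convention (a zip holding a module.dwarf and a System.map-<release>); the sample image bytes and sample zip are constructed here for illustration, and the 1000-symbol threshold is a heuristic, not a project rule.

```python
"""Cross-check a raw Linux memory image against a Volatility 2.x Linux profile zip.
Added example; assumes the profile-zip convention (one *.dwarf + one System.map-<release>).
"""
import io
import re
import zipfile

# linux_banner as the kernel embeds it; the release is the token after "Linux version ".
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+[^\s()]*) \(")
# One System.map line: "<hex address> <type letter> <symbol name>".
SYSMAP_LINE_RE = re.compile(r"^[0-9a-fA-F]+ [A-Za-z] \S+$")
SYSMAP_NAME_RE = re.compile(r"System\.map-(\S+)$")

# Constructed sample image: filler around the banner the post recovered from
# kern.log (3.2.0-53-generic) plus a decoy banner for an older release, to show
# that every embedded banner is reported, not just the first.
KERN_BANNER = (b"Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 "
               b"(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013")
DECOY_BANNER = b"Linux version 3.2.0-52-generic (buildd@x) (gcc) #80-Ubuntu"
SAMPLE_DUMP = b"\x00" * 4096 + KERN_BANNER + b"\x00" * 4096 + DECOY_BANNER + b"\xff" * 1024


def banner_releases(blob):
    """Return the sorted set of kernel releases whose banner occurs in blob."""
    return sorted({m.group(1).decode("ascii") for m in BANNER_RE.finditer(blob)})


def scan_dump(path, chunk_size=64 * 1024 * 1024, overlap=4096):
    """Stream a large image through banner_releases; the carried-over tail keeps a
    banner that straddles two chunks from being missed."""
    found = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            found.update(banner_releases(tail + data))
            tail = data[-overlap:]
    return sorted(found)


def inspect_profile(zip_bytes):
    """Describe a profile zip: .dwarf members, System.map members, the number of
    symbol lines in the map and the release encoded in the map's file name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        dwarf = [n for n in names if n.endswith(".dwarf")]
        sysmap = [n for n in names if "System.map" in n.rsplit("/", 1)[-1]]
        symbols, release = 0, None
        if len(sysmap) == 1:
            text = zf.read(sysmap[0]).decode("ascii", "replace")
            symbols = sum(1 for line in text.splitlines() if SYSMAP_LINE_RE.match(line))
            m = SYSMAP_NAME_RE.search(sysmap[0].rsplit("/", 1)[-1])
            release = m.group(1) if m else None
    return {"dwarf": dwarf, "sysmap": sysmap, "symbols": symbols, "release": release}


def check_profile_against_dump(zip_bytes, dump_blob):
    """List the problems worth fixing before blaming the address-space layer:
    malformed zip contents, an implausibly small map, or a release mismatch."""
    info = inspect_profile(zip_bytes)
    releases = banner_releases(dump_blob)
    problems = []
    if len(info["dwarf"]) != 1:
        problems.append("expected exactly one .dwarf member, found %d" % len(info["dwarf"]))
    if len(info["sysmap"]) != 1:
        problems.append("expected exactly one System.map member, found %d" % len(info["sysmap"]))
    elif info["symbols"] < 1000:  # heuristic: a full kernel map has tens of thousands of lines
        problems.append("System.map has only %d symbol lines" % info["symbols"])
    if not releases:
        problems.append("no 'Linux version' banner found in the image")
    elif info["release"] and info["release"] not in releases:
        problems.append("profile release %s not among banners in image: %s"
                        % (info["release"], ", ".join(releases)))
    return {"profile": info, "dump_releases": releases, "problems": problems}


def build_sample_profile_zip(release="3.2.0-53-generic", symbol_lines=3):
    """Constructed stand-in for a profile zip: a placeholder module.dwarf and a
    System.map-<release> holding a handful of synthetic symbol lines."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", "/* placeholder DWARF text, not a real module.dwarf */\n")
        lines = ["ffffffff81%06x T sym_%d" % (i * 16, i) for i in range(symbol_lines)]
        zf.writestr("System.map-" + release, "\n".join(lines) + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: check_profile_against_dump(open("profile.zip", "rb").read(), ...)
    # with scan_dump("memdump.dd") for images too large to hold in memory.
    report = check_profile_against_dump(build_sample_profile_zip(), SAMPLE_DUMP)
    print("banners in image:", report["dump_releases"])
    for problem in report["problems"]:
        print("problem:", problem)
```

For a multi-gigabyte image, use scan_dump(path) instead of reading the whole file; it keeps an overlap between chunks so a banner split across a chunk boundary is still matched. A release mismatch or an empty System.map is worth resolving before re-reading the address-space voting output, because those failures will be reported the same way regardless of what is actually wrong with the profile.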