11 p.m.
Hi Joe:
Thanks very much for your response. Unfortunately I don't have the option
to use LIME to go back and capture the memory again. What I have are
several .dd files that were created using fmem, e.g., dump00.dd, dump01.dd,
and so on.
I used cat to combine all the .dd files into one, which now makes sense as
having been foolish. Although I did also try the profile against the
individual .dd files with the same result.
I'll go back and do it again to see what happens.. In the mean time any
other suggestions would be truly appreciated.
On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve(a)gmail.com> wrote:
"The dump was split into several files which I
combined using cat."
That's your problem. You took all the System RAM ranges
and concatenated them in such a way that volatility has no idea what the
ranges were so it's not going to work well for you. Try using LiME instead.
https://code.google.com/p/lime-forensics/
On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100(a)gmail.com> wrote:
Dear Vol-users:
First and foremost thanks to the creators of volatility for this amazing
tool.
I've been struggling to create a proper linux profile to analyze a memory
dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was
split into several files which I combined using cat.
I don't have access to the physical machine just some snapshot info, and
have been trying to gather all the information I need in order to create
the proper profile as follows:
I grepped through /var/log/kern.log to find the kernel version that was
running and got this:
Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
Also grep through kern.log for CPU and get:
CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
know to utilize 64-bit architecture.
So to create the profile, I've installed a virtual machine running Ubuntu
12.04.3X64 and the identical kernel version: 3.2.0-53-generic. I have a
different processor core on the virtual machine Im using to build the
profile (Intel i5-4288U @ 2.60 GHZ, perhaps this is part of the problem?)
I followed the instructions to a T on generating modules.dwarf using the
included volatility toolset, copying the Systems.map file, zipping them
together, etc.
Run the required
python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64 - A Profile for Linux
3.2.0-52-genericX_64 x64
Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64
x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
kernel-3.2.0-52-generic x86
and all seems well. (The LinuxUbuntu_12_04_3_X64x64 is for kernel
3.2.0-53-generic)
Now when I run the following with -dd flag for debug I get the following
(Sorry for length of debug msg)
python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
ELF32Modification
DEBUG : volatility.obj : Applying modification from
ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from
MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from
LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
ELF32Modification
DEBUG : volatility.obj : Applying modification from
ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from
MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from
LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from
LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid
Gid DTB Start Time
------------------ -------------------- --------------- ---------------
------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7fe1d90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace:
Invalid VMware signature: 0xffffffff
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.obj : None object instantiated: Unable to
read_long_long_phys at 0xfffff8104eff0L
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace:
Must be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff070L
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff040L
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xffffffff
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
selected
IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
The error must have something to do with the way that I'm generating the
profile (at least I think something is off) but I can't for the life of me
figure out what the problem is. I truly appreciate any light that a vol
expert out there may able to shed on what I need to do differently. Thanks
very much.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users