I have a .vmem file from a Mac OS virtual machine. I'm using profile "MacMountainLion_10_8_2_AMDx64". Using Volatility 2.4, I'm able to run a few mac commands against this image, however I get traceback errors in the 'netstat' and 'arp' commands. I paste below:

+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_ifconfig
Volatility Foundation Volatility Framework 2.4
Interface Address
---------- -------
lo0 fe80:1::1
lo0 127.0.0.1
lo0 ::1
gif0
stf0
en0 00:0c:29:ea:9a:27
en0 fe80:4::20c:29ff:feea:9a27
en0 172.16.253.140
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_version
Volatility Foundation Volatility Framework 2.4
Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012; root:xnu-2050.18.24~1/RELEASE_X86_64
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_netstat
Volatility Foundation Volatility Framework 2.4
Proto Local IP Local Port Remote IP Remote Port State Process
------ -------------------- ---------- -------------------- ----------- -------------------- ------------------------
UNIX -
UNIX /var/tmp/launchd/sock
UNIX -
UNIX /var/run/com.apple.ActivityMonitor.socket
UNIX /var/run/mDNSResponder
UNIX /var/rpc/ncacn_np/lsarpc
UNIX /var/rpc/ncalrpc/lsarpc
UNIX /var/rpc/ncacn_np/mdssvc
UNIX /var/rpc/ncalrpc/NETLOGON
UNIX /var/rpc/ncacn_np/srvsvc
UNIX /var/rpc/ncalrpc/srvsvc
UNIX /var/rpc/ncacn_np/wkssvc
UNIX /var/rpc/ncalrpc/wkssvc
Traceback (most recent call last):
  File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module>
    main()
  File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
    command.execute()
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/netstat.py", line 58, in render_text
    self.table_row(outfd, proto, lip, lport, rip, rport, state, "{}/{}".format(proc.p_comm, proc.p_pid))
ValueError: zero length field name in format
+++++++++++++++++++++++++++++++++++++++++
forensics@saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem --profile=MacMountainLion_10_8_2_AMDx64 mac_arp
Volatility Foundation Volatility Framework 2.4
Source IP Dest. IP Name Sent Recv Time Exp. Delta
------------------------ ------------------------ ---------- ------------------ ------------------ ------------------------------ ---------- -----
Traceback (most recent call last):
  File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in <module>
    main()
  File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
    command.execute()
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/forensics/programs/volatility-2.4/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/route.py", line 104, in render_text
  File "/home/forensics/programs/volatility-2.4/volatility/obj.py", line 537, in __getattr__
    return getattr(result, attr)
  File "/home/forensics/programs/volatility-2.4/volatility/plugins/overlays/mac/mac.py", line 562, in name
    return "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit)
ValueError: zero length field name in format
++++++++++++++++++++++++++++++

Any thoughts or ideas are very appreciated!

--
Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
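
Added example, not part of the original message and not Volatility project code: "ValueError: zero length field name in format" is the error Python 2.6 raises for str.format() strings that use bare "{}" fields, which only work from Python 2.7 onward, while explicit indices such as "{0}" work on both. The sketch below finds such calls in source text and shows the index-explicit form; the function names and SAMPLE are constructed here, and it assumes the audited source parses under the Python 3.8+ interpreter running the check.

```python
import ast
from string import Formatter

# Constructed sample: the two format calls quoted in the tracebacks above,
# plus one call that already uses explicit indices.
SAMPLE = '''
row = "{}/{}".format(proc.p_comm, proc.p_pid)
name = "{}{}".format(self.rt_ifp.if_name.dereference(), self.rt_ifp.if_unit)
safe = "{0}/{1}".format(a, b)
'''

def _is_auto(name):
    # '' is a bare {}; '.x' or '[0]' is a bare field with an attribute/index
    return name == "" or name[0] in ".["

def auto_numbered_format_calls(source):
    """Return sorted (lineno, literal) for "...".format() calls using bare fields."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"
                and isinstance(node.func.value, ast.Constant)
                and isinstance(node.func.value.value, str)):
            continue
        literal = node.func.value.value
        try:
            names = [n for _, n, _, _ in Formatter().parse(literal) if n is not None]
        except ValueError:  # malformed format string: not this check's concern
            continue
        if any(_is_auto(n) for n in names):
            hits.append((node.lineno, literal))
    return sorted(hits)

def with_explicit_indices(literal):
    """Rewrite bare fields as {0}, {1}, ... (fields nested inside a spec are left as-is)."""
    out, index = [], 0
    for text, name, spec, conv in Formatter().parse(literal):
        out.append(text.replace("{", "{{").replace("}", "}}"))
        if name is None:
            continue
        if _is_auto(name):
            name, index = str(index) + name, index + 1
        out.append("{" + name + ("!" + conv if conv else "") + (":" + spec if spec else "") + "}")
    return "".join(out)

if __name__ == "__main__":
    for lineno, literal in auto_numbered_format_calls(SAMPLE):
        print(lineno, repr(literal), "->", repr(with_explicit_indices(literal)))
```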