Hi,

According to Volatility issue #383, ‘tmpfs’ extraction doesn’t work because Volatility doesn’t support NUMA systems.

Question 1 – Is it on the roadmap for future versions?

I deal primarily with Multi-CPU cloud systems so this is definitely a desired feature.

Question 2 – Is it reasonably feasible to manually extract tmpfs from a system RAM dump?

Following the ‘linux_tmpfs’ module through the debugger showed that it was able to locate the /dev/shm tmpfs file system (replicating 2 levels in my output directory); it just croaked when it came time to retrieve the actual file data.

I figure that if I can manually determine whatever offset it needs, then I can set the proper variable in a debug session.

Any thoughts?

Thanks,

Geoff

==============================
Geoff Torres   HP Global Cyber Security
8000 Foothills Blvd.
Roseville, CA. 95747
916-785-3323
==============================