Can you xxd and paste the output of the first 16 bytes of your *.img? The "MachOAddressSpace: MachO Header signature invalid" message indicates it's not in the expected MachO file format. 
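As an added illustration of the header check suggested above (this is example code, not code from the thread or from Volatility itself): a small Python script that prints the first 16 bytes of an image xxd-style and compares them against the magic values of the container formats Volatility tried in the listing. The signature byte values are assumed from the public Mach-O, ELF, LiME and Windows crash-dump format descriptions; the sample header is constructed.

```python
import binascii
import sys

# Container signatures at file offset 0. Byte values are taken from the
# public Mach-O, ELF, LiME and Windows crash-dump format descriptions; the
# list is an assumption of this example, not Volatility's own address-space code.
SIGNATURES = [
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (0xfeedfacf, little-endian)"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit (0xfeedfacf, big-endian)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (0xfeedface, little-endian)"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit (0xfeedface, big-endian)"),
    (b"EMiL",             "LiME (0x4c694d45, little-endian)"),
    (b"\x7fELF",          "ELF (e.g. VirtualBox ELF64 core dump)"),
    (b"PAGEDUMP",         "Windows 32-bit crash dump"),
    (b"PAGEDU64",         "Windows 64-bit crash dump"),
]

# Constructed sample: the first 16 bytes of a well-formed little-endian
# 64-bit Mach-O header (magic, cputype x86_64, cpusubtype, filetype MH_CORE).
SAMPLE_MACHO_HEADER = (b"\xcf\xfa\xed\xfe" b"\x07\x00\x00\x01"
                       b"\x03\x00\x00\x00" b"\x04\x00\x00\x00")


def identify_header(header):
    """Name the container format whose magic starts `header`, or None."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None   # no known container magic: raw dump or unsupported format


def xxd_line(data, offset=0):
    """Format up to 16 bytes the way a single `xxd` output line looks."""
    pairs = [binascii.hexlify(data[i:i + 2]).decode()
             for i in range(0, len(data), 2)]
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in bytearray(data))
    return "%08x: %-39s  %s" % (offset, " ".join(pairs), text)


def check_image(path):
    """Read the first 16 bytes of a memory image and report what they look like."""
    with open(path, "rb") as f:
        header = f.read(16)
    return xxd_line(header), identify_header(header)


if __name__ == "__main__":
    dump, fmt = check_image(sys.argv[1])
    print(dump)
    print("Detected container: %s" % (fmt or "none (raw or unsupported)"))
```

A result of none means the file carries no container header at all, which is what a raw physical dump looks like and also what a truncated or mislabelled acquisition looks like, so the acquisition tool still has to be confirmed.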


On Sun, Feb 24, 2013 at 10:22 PM, David Kovar <dkovar@gmail.com> wrote:
Greetings,

So close but so far. No clue how they collected the image but that might be the problem.

Praha:Memory Image kovar$ python /usr/local/src/volatility/vol.py --profile=Mac10_7_5_64bitx64 -f *.img mac_psaux 
Volatile Systems Volatility Framework 2.3_alpha
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 AMD64PagedMemory: No base Address Space
 JKIA32PagedMemory: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x7ea6766
 WindowsCrashDumpSpace32: Header signature invalid
 JKIA32PagedMemoryPae: Incompatible profile Mac10_7_5_64bitx64 selected
 AMD64PagedMemory: Failed valid Address Space check
 JKIA32PagedMemory: Incompatible profile Mac10_7_5_64bitx64 selected
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Incompatible profile Mac10_7_5_64bitx64 selected

And without a profile, which I didn't expect to work:

Praha:Memory Image kovar$ python /usr/local/src/volatility/vol.py -f *.img imageinfo 
Volatile Systems Volatility Framework 2.3_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : No suggestion (Instantiated with Mac10_6_8-32bitx86)
                     AS Layer1 : ArmAddressSpace (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Volumes/<path stuff>/foo.img)
                      PAE type : No PAE
                           DTB : 0x101000
Traceback (most recent call last):
  File "/usr/local/src/volatility/vol.py", line 186, in <module>
    main()
  File "/usr/local/src/volatility/vol.py", line 177, in main
    command.execute()
  File "/usr/local/src/volatility/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/src/volatility/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/src/volatility/volatility/plugins/imageinfo.py", line 91, in calculate
    kdbgoffset = volmagic.KDBG.v()
  File "/usr/local/src/volatility/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/usr/local/src/volatility/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct VOLATILITY_MAGIC has no member KDBG


-David

On Feb 24, 2013, at 9:06 PM, David Kovar <dkovar@gmail.com> wrote:

Greetings,

I rebuilt the 10.7.5 profiles. The 32 bit one causes that odd error. The 64 bit one works.

I'm doing this all on a 10.8.x (64 bit) system. Perhaps that is the problem?

-David

bash-3.2# !py
python vol.py --info | grep -i mac
Volatile Systems Volatility Framework 2.3_alpha
MachOAddressSpace       - Address space for mach-o files to support atc-ny memory reader
Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86
Mac10_7_5_64bitx64 - A Profile for Mac 10.7.5.64bit x64
linux_slabinfo          - Mimics /proc/slabinfo on a running machine
mac_arp                 - Prints the arp table
mac_check_syscalls      - Checks to see if system call table ent


On Feb 24, 2013, at 8:45 PM, David Kovar <dkovar@gmail.com> wrote:

Greetings,

That worked:

bash-3.2# python vol.py --info | grep -i  Mac
Volatile Systems Volatility Framework 2.3_alpha
MachOAddressSpace       - Address space for mach-o files to support atc-ny memory reader
Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86
linux_slabinfo          - Mimics /proc/slabinfo on a running machine

And when I left the old zip files in place, the odd error was present.

My first zip file did work with whatever version of volatility I had before I did the update. Recreating it probably doesn't make sense. I'll go build a new set.

Thanks very much for the help!

-David

On Feb 24, 2013, at 6:40 PM, Michael Hale Ligh <michael.hale@gmail.com> wrote:

I've never seen that error before either. 

Try removing all 3 of your zip files from the volatility/plugins/overlays/mac directory and replace them with the one that is attached. 

Then run "vol.py --info | grep Mac" again (I intentionally left off the -i because profiles will start with Mac and plugins will start with mac, and our first objective is to make sure the profile is detected). 

If you see a Mac 10.6.8 profile after doing this, then there's an issue with how you created your 3 profiles. If you still see an error, and no Mac 10.6.8 profile, then the problem is probably related to an environmental / host OS factor, which we can try to determine if it comes to that. 

MHL



On Sun, Feb 24, 2013 at 4:38 PM, David Kovar <dkovar@gmail.com> wrote:
Greetings,

Darned '-i'.

Alas, the profiles still aren't showing up. Interesting, and new to me: a "Failed" message there.

-David


bash-3.2# !push
pushd volatility/plugins/overlays/mac
/usr/local/src/volatility/volatility/plugins/overlays/mac /usr/local/src/volatility
bash-3.2# pwd
/usr/local/src/volatility/volatility/plugins/overlays/mac
bash-3.2# ls -l
total 2520
drwxr-xr-x  8 root  wheel     272 Feb 24 15:19 .svn
-rw-r--r--  1 root  wheel  217337 Feb 24 15:20 10.7.5.32bit.zip
-rw-r--r--  1 root  wheel  494428 Feb 24 15:20 10.7.5.64bit.zip
-rw-r--r--  1 root  wheel  494428 Feb 24 15:20 10.8.2.64bit.zip
-rw-r--r--  1 root  wheel       0 Feb 24 15:19 __init__.py
-rw-r--r--  1 root  wheel     156 Feb 24 15:20 __init__.pyc
-rw-r--r--  1 root  wheel   34737 Feb 24 15:19 mac.py
-rw-r--r--  1 root  wheel   34533 Feb 24 15:20 mac.pyc
bash-3.2# popd
/usr/local/src/volatility
bash-3.2# !py
python vol.py --info | grep -i  Mac
Volatile Systems Volatility Framework 2.3_alpha
*** Failed to import volatility.plugins.overlays.mac.mac (TypeError: 'NoneType' object is not iterable)
MachOAddressSpace       - Address space for mach-o files to support atc-ny memory reader
linux_slabinfo          - Mimics /proc/slabinfo on a running machine
mac_arp                 - Prints the arp table
mac_check_syscalls      - Checks to see if system call table entries are hooked
mac_check_sysctl        - Checks for unknown sysctl handlers
mac_check_trap_table    - Checks to see if system call table entries are hooked
mac_dmesg               - Prints the kernel debug buffer
mac_dump_maps           - Dumps memory ranges of processes
mac_find_aslr_shift     - Find the ASLR shift value for 10.8+ images
mac_get_processors      - No docs
mac_ifconfig            - Lists network interface information for all devices
mac_ip_filters          - Reports any hooked IP filters
mac_list_sessions       - Enumerates sessions
mac_list_zones          - Prints active zones
mac_ls_logins           - Lists login contexts
mac_lsmod               - Lists loaded kernel modules
mac_lsof                - Lists per-process opened files
mac_machine_info        - Prints machine information about the sample
mac_mount               - Prints mounted device information
mac_netstat             - Lists active per-process network connections
mac_notifiers           - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_pgrp_hash_table     - Walks the process group hash table
mac_pid_hash_table      - Walks the pid hash table
mac_print_boot_cmdline  - Prints kernel boot arguments
mac_proc_maps           - Gets memory maps of processes
mac_psaux               - Prints processes with arguments in userland (**argv)
mac_pslist              - List Running Processes
mac_pstree              - Show parent/child relationship of processes
mac_psxview             - Find hidden processes with various process listings
mac_route               - Prints the routing table
mac_runq                - No docs
mac_task_zone           - Prints active zones
mac_tasks               - List Active Tasks
mac_trustedbsd          - Lists malicious trustedbsd policies
mac_version             - Prints the Mac version
mac_vfs_events          - Lists Mac VFS Events
mac_volshell            - Shell in the memory image

-David

On Feb 24, 2013, at 3:29 PM, Jamie Levy <jamie.levy@gmail.com> wrote:

> The plugins are lower cased:
>
>
>
> On Sun, Feb 24, 2013 at 4:26 PM, David Kovar <dkovar@gmail.com> wrote:
>> Greetings,
>>
>> Thank you for your help, particularly on a Sunday!
>>
>> I'm still running into issues with this for some reason. I checked out a new
>> copy, copied my profiles in,  and then:
>>
>> Sun Feb 24 15:21:49 CST 2013
>> bash-3.2# python vol.py --info | grep Mac
>> Volatile Systems Volatility Framework 2.3_alpha
>> MachOAddressSpace       - Address space for mach-o files to support atc-ny
>> memory reader
>> mac_version             - Prints the Mac version
>> mac_vfs_events          - Lists Mac VFS Events
>> bash-3.2# ls -l volatility/plugins/overlays/mac
>> total 2520
>> drwxr-xr-x  8 root  wheel     272 Feb 24 15:19 .svn
>> -rw-r--r--  1 root  wheel  217337 Feb 24 15:20 10.7.5.32bit.zip
>> -rw-r--r--  1 root  wheel  494428 Feb 24 15:20 10.7.5.64bit.zip
>> -rw-r--r--  1 root  wheel  494428 Feb 24 15:20 10.8.2.64bit.zip
>> -rw-r--r--  1 root  wheel       0 Feb 24 15:19 __init__.py
>> -rw-r--r--  1 root  wheel     156 Feb 24 15:20 __init__.pyc
>> -rw-r--r--  1 root  wheel   34737 Feb 24 15:19 mac.py
>> -rw-r--r--  1 root  wheel   34533 Feb 24 15:20 mac.pyc
>>
>> -David
>>
>> On Feb 24, 2013, at 3:10 PM, Michael Hale Ligh <michael.hale@gmail.com>
>> wrote:
>>
>> David,
>>
>> It is not intentional for volatility.plugins.overlays.mac to be missing from
>> setup.py (it was probably missed when merging the old mac branch into
>> trunk). However, unless you plan on using volatility as a library (i.e.
>> importing it from other Python scripts), you don't need setup.py at all.
>>
>> $ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility
>> $ cd volatility
>> $ cp <PATH TO YOUR PROFILE>/Mac10.6.zip volatility/plugins/overlays/mac
>> $ python vol.py --info | grep Mac
>>
>> Before the 2.3 release, setup.py will be fixed in case you do plan on
>> installing volatility as a library. Also, pre-built Mac profiles for all
>> common OS X kernels will be available at that time, so you won't need to
>> build your own.
>>
>> MHL
>>
>>
>>
>> On Sun, Feb 24, 2013 at 2:42 PM, David Kovar <dkovar@gmail.com> wrote:
>>>
>>> Greetings,
>>>
>>> I was adding OS X support to my copy of Volatility per the instructions on
>>> https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well
>>> but I thought I'd pull the most recent version while I was at it.
>>>
>>> Mac support went away when I did so. setup.py is now missing:
>>>
>>>                    "volatility.plugins.overlays.mac",
>>>
>>> Even when I add that back, vol.py --info doesn't show the OS X profiles.
>>>
>>> Is this intentional? Is there a different version that I should be using?
>>>
>>> Thanks!
>>>
>>> -David
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users@volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
>>
>>
>>
>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92


<10.6.8-32bit.zip>