Hi Joe:

Thanks very much for your response. Unfortunately I don't have the option to use LIME to go back and capture the memory again. What I have are several .dd files that were created using fmem, e.g., dump00.dd, dump01.dd, and so on. I used cat to combine all the .dd files into one, which now makes sense as having been foolish. Although I did also try the profile against the individual .dd files with the same result. I'll go back and do it again to see what happens. In the meantime any other suggestions would be truly appreciated.

On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve@gmail.com> wrote:

"The dump was split into several files which I combined using cat."

That's your problem. You took all the System RAM ranges and concatenated them in such a way that volatility has no idea what the ranges were, so it's not going to work well for you. Try using LiME instead. https://code.google.com/p/lime-forensics/

On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100@gmail.com> wrote:

Dear Vol-users:

First and foremost, thanks to the creators of volatility for this amazing tool.

I've been struggling to create a proper linux profile to analyze a memory dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was split into several files which I combined using cat.

I don't have access to the physical machine, just some snapshot info, and have been trying to gather all the information I need in order to create the proper profile as follows:

I grepped through /var/log/kern.log to find the kernel version that was running and got this:

Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)

I also grepped through kern.log for CPU and got:

CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know to utilize 64-bit architecture.

I have a different processor core on the virtual machine I'm using to build the profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?)

So to create the profile, I've installed a virtual machine running Ubuntu 12.04.3 x64 and the identical kernel version: 3.2.0-53-generic.

I followed the instructions to a T on generating modules.dwarf using the included volatility toolset, copying the System.map file, zipping them together, etc.

Run the required:

python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64 - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86

and all seems well. (The LinuxUbuntu_12_04_3_X64x64 is for kernel 3.2.0-53-generic.)

Now when I run the following with the -dd flag for debug I get the output below (sorry for the length of the debug msg). The error must have something to do with the way that I'm generating the profile (at least I think something is off), but I can't for the life of me figure out what the problem is. I truly appreciate any light that a vol expert out there may be able to shed on what I need to do differently. Thanks very much.

python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64: Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: mac: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: lime: need base
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x7fe1d90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: Invalid VMware signature: 0xffffffff
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.obj : None object instantiated: Unable to read_long_long_phys at 0xfffff8104eff0L
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: Failed valid Address Space check
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must be first Address Space
DEBUG : volatility.utils : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff070L
DEBUG1 : volatility.obj : None object instantiated: Could not read_long_phys at offset 0x3ffffffff040L
DEBUG1 : volatility.obj : None object instantiated: No suggestions available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace: Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xffffffff
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
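An added example illustrating Joe's point about the concatenated dump (this is editor-written code, not from the thread, Volatility or LiME): a raw file such as memdump.dd is mapped 1:1 by Volatility's FileAddressSpace, so file offset equals physical address, and `cat` over per-range .dd chunks silently drops the holes between System RAM ranges that /proc/iomem reports. The LiME format avoids this by prefixing every range with a 32-byte header (magic 0x4C694D45, version 1, first and last physical address). The two RAM ranges, their contents, and the chunk names are constructed sample values, not the ranges from the machine in the thread, which were never posted; rebuilding a LiME image from existing chunks this way is only possible if the original range list was saved at acquisition time.

```python
import struct

# LiME segment header (32 bytes, little-endian), as written by the LiME
# kernel module and read by Volatility's LimeAddressSpace:
#   magic u32 = 0x4C694D45 (the bytes "EMiL" on disk), version u32 = 1,
#   s_addr u64 / e_addr u64 = first and last physical address of the
#   segment (inclusive), then 8 reserved bytes.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")


def lime_pack(segments):
    """Build a LiME-format image from [(start_phys, bytes), ...]."""
    out = bytearray()
    for start, data in segments:
        end = start + len(data) - 1
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def lime_ranges(image):
    """Walk the segment headers; return [(start, end, data_offset), ...].

    A wrong magic raises ValueError, which is the situation behind the
    'Invalid Lime header signature' line in the debug output above when a
    raw dump is offered to the LiME address space.
    """
    ranges, off = [], 0
    while off < len(image):
        magic, version, start, end, _ = LIME_HEADER.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("invalid LiME header at file offset 0x%x" % off)
        data_off = off + LIME_HEADER.size
        ranges.append((start, end, data_off))
        off = data_off + (end - start + 1)
    return ranges


def lime_phys_to_offset(ranges, paddr):
    """File offset holding physical address paddr, or None if unmapped."""
    for start, end, data_off in ranges:
        if start <= paddr <= end:
            return data_off + (paddr - start)
    return None


def raw_phys_to_offset(image, paddr):
    """A raw, headerless file is mapped 1:1 (file offset == physical address).

    This is how Volatility's FileAddressSpace treats memdump.dd; nothing in the
    file records where the holes between System RAM ranges were.
    """
    return paddr if paddr < len(image) else None


def build_sample():
    """Constructed sample: two System RAM ranges separated by a reserved hole,
    a simplified version of the layout /proc/iomem reports. Addresses and
    contents are made up for the demonstration (hypothetical chunk names)."""
    ram = [
        (0x0000, b"A" * 0x1000),    # "dump00.dd": 0x0 - 0xfff
        (0x100000, b"B" * 0x1000),  # "dump01.dd": 0x100000 - 0x100fff
    ]
    chunks = [data for _, data in ram]
    return {
        "ranges": ram,
        "cat": b"".join(chunks),  # what `cat dump00.dd dump01.dd > memdump.dd` yields
        "lime": lime_pack(ram),   # the same bytes with the ranges recorded
    }


if __name__ == "__main__":
    s = build_sample()
    r = lime_ranges(s["lime"])
    for start, end, off in r:
        print("LiME segment 0x%x-0x%x at file offset 0x%x" % (start, end, off))
    # Physical 0x100000 is the first byte of the second range. The LiME image
    # resolves it; in the concatenated file the lookup runs past EOF, and the
    # bytes of the second chunk now sit at 0x1000, inside what was the hole.
    print(hex(lime_phys_to_offset(r, 0x100000)), raw_phys_to_offset(s["cat"], 0x100000))
```

The check a practitioner wants before spending time on profiles is the first one: run lime_ranges over the image and confirm it walks cleanly and that the ranges match the acquisition notes; a raw concatenation fails at the very first header, exactly as the LimeAddressSpace line in the debug log does.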