Hi,

I am trying to recover tmpfs from a RAM LiME dump using Volatility
2.4 on Linux/Windows, but I hit the error "AttributeError: 'linux_mount'
object has no attribute 'parse_mnt'". Is this a known issue?

Thanks,
Srini

[srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/home/srini/vola/setup/volatility-2.4/vol.py", line 192, in <module>
    main()
  File "/home/srini/vola/setup/volatility-2.4/vol.py", line 183, in main
    command.execute()
  File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/srini/vola/setup/volatility-2.4/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 157, in render_text
    for (i, path) in data:
  File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 148, in calculate
    tmpfs_sbs = self.get_tmpfs_sbs()
  File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 120, in get_tmpfs_sbs
    for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
AttributeError: 'linux_mount' object has no attribute 'parse_mnt'

C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>
C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7x64 -f D:\volat\ramtmpfs.lime linux_tmpfs -L
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "<string>", line 192, in <module>
  File "<string>", line 183, in main
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.common", line 62, in execute
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 127, in execute
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 157, in render_text
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 148, in calculate
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 120, in get_tmpfs_sbs
AttributeError: 'linux_mount' object has no attribute 'parse_mnt'

C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7x64 -f D:\volat\ramtmpfs.lime linux_cpuinfo
Volatility Foundation Volatility Framework 2.4
Processor    Vendor           Model
------------ ---------------- -----
0            GenuineIntel     Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz
C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>

[srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 --info | more
Volatility Foundation Volatility Framework 2.4
Profiles
--------
Linuxcentos7x64 - A Profile for Linux centos7 x64
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86

[srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_cpuinfo
Volatility Foundation Volatility Framework 2.4
Processor    Vendor           Model
------------ ---------------- -----
0            GenuineIntel     Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz

[srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_mount
Volatility Foundation Volatility Framework 2.4
hugetlbfs /dev/hugepages hugetlbfs rw,relatime
devtmpfs /dev devtmpfs rw,nosuid
tmpfs /dev/shm tmpfs rw,nosuid,nodev
devpts /dev/pts devpts rw,relatime,nosuid,noexec
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,nosuid,nodev,noexec
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec
proc /proc proc rw,relatime,nosuid,nodev,noexec
/dev/mapper/centos-root / xfs rw,relatime
tmpfs /run tmpfs rw,nosuid,nodev
sysfs /sys sysfs rw,relatime,nosuid,nodev,noexec
sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime
mqueue /dev/mqueue mqueue rw,relatime
debugfs /sys/kernel/debug debugfs rw,relatime
selinuxfs /sys/fs/selinux selinuxfs rw,relatime
securityfs /sys/kernel/security securityfs rw,relatime,nosuid,nodev,noexec
cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,nosuid,nodev,noexec
pstore /sys/fs/pstore pstore rw,relatime,nosuid,nodev,noexec
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,nosuid,nodev,noexec
sunrpc /proc/fs/nfsd nfsd rw,relatime
tmpfs /mnt/ramdisk tmpfs rw,relatime
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,relatime,nosuid,nodev,noexec
configfs /sys/kernel/config configfs rw,relatime
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,nosuid,nodev,noexec
systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,nosuid,nodev,noexec
cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,nosuid,nodev,noexec
cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,nosuid,nodev,noexec
/dev/sda1 /boot xfs rw,relatime
cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,nosuid,nodev,noexec
cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,nosuid,nodev,noexec

[srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_bash
Volatility Foundation Volatility Framework 2.4
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
15151 bash 2014-10-12 01:35:58 UTC+0000 ./configure
15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides tcpsic
15151 bash 2014-10-12 01:35:58 UTC+0000 ls -ltrh
15151 bash 2014-10-12 01:35:58 UTC+0000 mv lmbench3 lmbench3-3.10
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
15151 bash 2014-10-12 01:35:58 UTC+0000 yum intall isic
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides dwarfdump
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 cd 3.10.0-123.el7.x86_64/
15151 bash 2014-10-12 01:35:58 UTC+0000 uname -a
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 yum install isic
15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 ls
15151 bash 2014-10-12 01:35:58 UTC+0000 make
15151 bash 2014-10-12 01:35:58 UTC+0000 ifconfig
15151 bash 2014-10-12 01:35:58 UTC+0000 cd lmbench3-3.10