Greetings, Thank you for your help, particularly on a Sunday! I'm still running into issues with this for some reason. I checked out a new copy, copied my profiles in, and then: Sun Feb 24 15:21:49 CST 2013 bash-3.2# python vol.py --info | grep Mac Volatile Systems Volatility Framework 2.3_alpha MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader mac_version - Prints the Mac version mac_vfs_events - Lists Mac VFS Events bash-3.2# ls -l volatility/plugins/overlays/mac total 2520 drwxr-xr-x 8 root wheel 272 Feb 24 15:19 .svn -rw-r--r-- 1 root wheel 217337 Feb 24 15:20 10.7.5.32bit.zip -rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.7.5.64bit.zip -rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.8.2.64bit.zip -rw-r--r-- 1 root wheel 0 Feb 24 15:19 __init__.py -rw-r--r-- 1 root wheel 156 Feb 24 15:20 __init__.pyc -rw-r--r-- 1 root wheel 34737 Feb 24 15:19 mac.py -rw-r--r-- 1 root wheel 34533 Feb 24 15:20 mac.pyc -David On Feb 24, 2013, at 3:10 PM, Michael Hale Ligh &lt;michael.hale(a)gmail.com&gt; wrote: David, It is not intentional for volatility.plugins.overlays.mac to be missing from setup.py (it was probably missed when merging the old mac branch into trunk). However, unless you plan on using volatility as a library (i.e. importing it from other Python scripts), you don't need setup.py at all. $ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility $ cd volatility $ cp <PATH TO YOUR PROFILE>/Mac10.6.zip volatility/plugins/overlays/mac $ python vol.py --info | grep Mac Before the 2.3 release, setup.py will be fixed in case you do plan on installing volatility as a library. Also, pre-built Mac profiles for all common OS X kernels will be available at that time, so you won't need to build your own. MHL On Sun, Feb 24, 2013 at 2:42 PM, David Kovar &lt;dkovar(a)gmail.com&gt; wrote: _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Greetings, Darned '-i'. Alas, the profiles still aren't showing up.... Interesting, and new to me, Failed message there. -David bash-3.2# !push pushd volatility/plugins/overlays/mac /usr/local/src/volatility/volatility/plugins/overlays/mac /usr/local/src/volatility bash-3.2# pwd /usr/local/src/volatility/volatility/plugins/overlays/mac bash-3.2# ls -l total 2520 drwxr-xr-x 8 root wheel 272 Feb 24 15:19 .svn -rw-r--r-- 1 root wheel 217337 Feb 24 15:20 10.7.5.32bit.zip -rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.7.5.64bit.zip -rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.8.2.64bit.zip -rw-r--r-- 1 root wheel 0 Feb 24 15:19 __init__.py -rw-r--r-- 1 root wheel 156 Feb 24 15:20 __init__.pyc -rw-r--r-- 1 root wheel 34737 Feb 24 15:19 mac.py -rw-r--r-- 1 root wheel 34533 Feb 24 15:20 mac.pyc bash-3.2# popd /usr/local/src/volatility bash-3.2# !py python vol.py --info | grep -i Mac Volatile Systems Volatility Framework 2.3_alpha *** Failed to import volatility.plugins.overlays.mac.mac (TypeError: 'NoneType' object is not iterable) MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader linux_slabinfo - Mimics /proc/slabinfo on a running machine mac_arp - Prints the arp table mac_check_syscalls - Checks to see if system call table entries are hooked mac_check_sysctl - Checks for unknown sysctl handlers mac_check_trap_table - Checks to see if system call table entries are hooked mac_dmesg - Prints the kernel debug buffer mac_dump_maps - Dumps memory ranges of processes mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images mac_get_processors - No docs mac_ifconfig - Lists network interface information for all devices mac_ip_filters - Reports any hooked IP filters mac_list_sessions - Enumerates sessions mac_list_zones - Prints active zones mac_ls_logins - Lists login contexts mac_lsmod - Lists loaded kernel modules mac_lsof - Lists per-process opened files mac_machine_info - Prints machine information about the sample mac_mount - Prints mounted device information mac_netstat - Lists active per-process network connections mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext) mac_pgrp_hash_table - Walks the process group hash table mac_pid_hash_table - Walks the pid hash table mac_print_boot_cmdline - Prints kernel boot arguments mac_proc_maps - Gets memory maps of processes mac_psaux - Prints processes with arguments in userland (**argv) mac_pslist - List Running Processes mac_pstree - Show parent/child relationship of processes mac_psxview - Find hidden processes with various process listings mac_route - Prints the routing table mac_runq - No docs mac_task_zone - Prints active zones mac_tasks - List Active Tasks mac_trustedbsd - Lists malicious trustedbsd policies mac_version - Prints the Mac version mac_vfs_events - Lists Mac VFS Events mac_volshell - Shell in the memory image -David On Feb 24, 2013, at 3:29 PM, Jamie Levy &lt;jamie.levy(a)gmail.com&gt; wrote: a new atc-ny from instructions on well profiles. using?

Greetings, That worked: bash-3.2# python vol.py --info | grep -i Mac Volatile Systems Volatility Framework 2.3_alpha MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86 linux_slabinfo - Mimics /proc/slabinfo on a running machine And when I left the old zip files in place, the odd error was present. My first zip file did work with whatever version of volatility I had before I did the update. Recreating it probably doesn't make sense. I'll go build a new set. Thanks very much for the help! -David On Feb 24, 2013, at 6:40 PM, Michael Hale Ligh &lt;michael.hale(a)gmail.com&gt; wrote:

Greetings, So close but so far. No clue how they collected the image but that might be the problem. Praha:Memory Image kovar$ python /usr/local/src/volatility/vol.py --profile=Mac10_7_5_64bitx64 -f *.img mac_psaux Volatile Systems Volatility Framework 2.3_alpha No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareSnapshotFile: No base Address Space WindowsCrashDumpSpace32: No base Address Space JKIA32PagedMemoryPae: No base Address Space AMD64PagedMemory: No base Address Space JKIA32PagedMemory: No base Address Space IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF64 Header signature invalid VMWareSnapshotFile: Invalid VMware signature: 0x7ea6766 WindowsCrashDumpSpace32: Header signature invalid JKIA32PagedMemoryPae: Incompatible profile Mac10_7_5_64bitx64 selected AMD64PagedMemory: Failed valid Address Space check JKIA32PagedMemory: Incompatible profile Mac10_7_5_64bitx64 selected IA32PagedMemoryPae: Module disabled IA32PagedMemory: Module disabled FileAddressSpace: Must be first Address Space ArmAddressSpace: Incompatible profile Mac10_7_5_64bitx64 selected And without a profile, which I didn't expect to work: Praha:Memory Image kovar$ python /usr/local/src/volatility/vol.py -f *.img imageinfo Volatile Systems Volatility Framework 2.3_alpha Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with Mac10_6_8-32bitx86) AS Layer1 : ArmAddressSpace (Kernel AS) AS Layer2 : FileAddressSpace (/Volumes/<path stuff>/foo.img) PAE type : No PAE DTB : 0x101000 Traceback (most recent call last): File "/usr/local/src/volatility/vol.py", line 186, in <module> main() File "/usr/local/src/volatility/vol.py", line 177, in main command.execute() File "/usr/local/src/volatility/volatility/commands.py", line 111, in execute func(outfd, data) File "/usr/local/src/volatility/volatility/plugins/imageinfo.py", line 34, in render_text for k, v in data: File "/usr/local/src/volatility/volatility/plugins/imageinfo.py", line 91, in calculate kdbgoffset = volmagic.KDBG.v() File "/usr/local/src/volatility/volatility/obj.py", line 735, in __getattr__ return self.m(attr) File "/usr/local/src/volatility/volatility/obj.py", line 717, in m raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr)) AttributeError: Struct VOLATILITY_MAGIC has no member KDBG -David On Feb 24, 2013, at 9:06 PM, David Kovar &lt;dkovar(a)gmail.com&gt; wrote: Greetings, I rebuilt the 10.7.5 profiles. The 32 bit one causes that odd error. The 64 bit one works. I'm doing this all on a 10.8.x (64 bit) system. Perhaps that is the problem? -David bash-3.2# !py python vol.py --info | grep -i mac Volatile Systems Volatility Framework 2.3_alpha MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86 Mac10_7_5_64bitx64 - A Profile for Mac 10.7.5.64bit x64 linux_slabinfo - Mimics /proc/slabinfo on a running machine mac_arp - Prints the arp table mac_check_syscalls - Checks to see if system call table ent On Feb 24, 2013, at 8:45 PM, David Kovar &lt;dkovar(a)gmail.com&gt; wrote: Greetings, That worked: bash-3.2# python vol.py --info | grep -i Mac Volatile Systems Volatility Framework 2.3_alpha MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86 linux_slabinfo - Mimics /proc/slabinfo on a running machine And when I left the old zip files in place, the odd error was present. My first zip file did work with whatever version of volatility I had before I did the update. Recreating it probably doesn't make sense. I'll go build a new set. Thanks very much for the help! -David On Feb 24, 2013, at 6:40 PM, Michael Hale Ligh &lt;michael.hale(a)gmail.com&gt; wrote: I've never seen that error before either. Try removing all 3 of your zip files from the volatility/plugins/overlays/mac directory and replace them with the one that is attached. Then run "vol.py --info | grep Mac" again (I intentionally left off the -i because profiles will start with Mac and plugins will start with mac, and our first objective is to make sure the profile is detected). If you see a Mac 10.6.8 profile after doing this, then there's an issue with how you created your 3 profiles. If you still see an error, and no Mac 10.6.8 profile, then the problem is probably related to an environmental / host OS factor, which we can try to determine if it comes to that. MHL On Sun, Feb 24, 2013 at 4:38 PM, David Kovar &lt;dkovar(a)gmail.com&gt; wrote: <10.6.8-32bit.zip>