It was the patch that fixed it. I had already tried using the Lime format prior to the
patch.
I needed the 'raw' format because that's what I understood the cloud instances
to be. But Andrew Tappert explained to me that cloud memory 'raw' format is
actually more like the 'lime' format. Based on that I went ahead and tried the
patched code against a CentOS cloud instance 'raw' image and it was successful.
However, I also ran it against a previously successfully analyzed Ubuntu image and it now
fails. I guess my earlier question about needing 2 different code bases has been
answered. :-( I can work around that, but please consider this my official request to
have this resolved in a future version of Volatility. :-)
Thank you all for your quick and very helpful responses.
Geoff
-----Original Message-----
From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Thursday, February 06, 2014 8:52 AM
To: Torres, Geoff (Global Cyber Security)
Cc: 'vol-users(a)volatilityfoundation.org'
Subject: Re: [Vol-users] Difficulty creating CentOS profiles
So was the fix just to switch to lime format or did you also need the patch? This will
help us keep better documentation for future bug reports.
Also, is there a reason you need the raw sample? If you are looking for a sample without
any metadata, the best version would be 'padded' since it zero fills the offsets
between RAM sections, but note that you can get a HUGE file, especially on 64 bit
systems.
The raw version of LiME simply concatenates regions together (does not pad), which makes
offsets found from virtual address translation off.
This is why Volatility (and other tools) cannot process most raw LiME dumps.
On 2/6/2014 10:45 AM, Torres, Geoff (Global Cyber Security) wrote:
OK, we're making progress...
Michael Ligh also suggested that article. I had dismissed it as not applicable because
it was regarding CentOS 5.3 and the earliest I've been attempting is 5.8. My
apologies for not trying it sooner.
It did work for the Lime format, but not the Raw format which is ultimately what I need.
Would different offsets work for the raw format? Is it possible to convert a raw format
image into Lime format?
Also, does this mean that I need different volatility code for different kernels?
My role is to perform forensic analysis on compromised systems. I can conceivably get
any type of system, and I get them in large enough volume that I've been developing
scripts to automate these sorts of tasks.
Thanks for all your help so far,
Geoff
-----Original Message-----
From: Andrew Case [mailto:atcuno@gmail.com]
Sent: Thursday, February 06, 2014 7:32 AM
To: Torres, Geoff (Global Cyber Security); 'vol-users(a)volatilityfoundation.org'
Subject: Re: [Vol-users] Difficulty creating CentOS profiles
Hello,
I believe you are having the same issues that we diagnosed here:
http://lists.volatilityfoundation.org/pipermail/vol-users/2013-February/000742.html
Could you please edit your code as MHL explains to account for the shift? It only
requires two small changes to the existing code. Note that the line numbers may be
different since the code has been updated since then, but if you search for the
0xffffffff80000000 number in each file you will be able to find it.
Also we would recommend acquiring in the lime format "format=lime"
instead of acquiring in the raw one.
Let me know how it goes.
Thanks,
Andrew (@attrc)
On 2/5/2014 5:26 PM, Torres, Geoff (Global Cyber Security) wrote:
Hi,
I've been unable to create a working Linux profile for any version of
CentOS. It compiles fine but gives a 'No suitable address space
mapping found' error when run against the memory image.
I've been successful creating various Debian and Ubuntu profiles, but
CentOS has yet to work. I'm sure it's something simple but I can't
figure it out. I'm certain that I'm matching kernel versions
correctly and that the build process is the same as I use for the Ubuntu versions.
I've attached the details of my most recent attempt. It's a vanilla
CentOS 5.10 install on VMware. The memory image is available (250 MB
zip) if necessary.
Any ideas? None of the solutions I found in Google seem to address
my issue.
Thanks,
Geoff
BTW - I'm not a kernel programmer so please be detailed if there's
something you'd like me to try.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
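The thread above turns on the difference between LiME's three output formats: 'lime' (a 32-byte header before each captured RAM range), 'padded' (gaps between ranges zero-filled so that file offset equals physical address) and 'raw' (ranges concatenated with the gaps dropped, so offsets derived from page-table translation no longer line up). The following Python script is an added example written for this page; it is not LiME's or Volatility's code. It parses a LiME-format dump, converts it to the padded and raw layouts, and computes where a given physical address lands in each, which makes the "offsets are off" problem concrete. It assumes the LiME header layout (little-endian: magic 0x4C694D45, version 1, 64-bit start and inclusive end address, 8 reserved bytes), and the two-segment sample dump is constructed in-memory for illustration.

```python
"""Parse a LiME-format memory dump and compare the lime/padded/raw layouts.

Added example for this thread (not LiME's or Volatility's code).
Assumed LiME header, 32 bytes little-endian:
    u32 magic = 0x4C694D45, u32 version = 1, u64 s_addr, u64 e_addr (inclusive),
    u8 reserved[8]; the segment's bytes follow the header.
"""
import struct

LIME_MAGIC = 0x4C694D45
LIME_VERSION = 1
HDR = struct.Struct("<IIQQ8s")  # 4 + 4 + 8 + 8 + 8 = 32 bytes

# Constructed sample: two RAM ranges with a hole between them, as a VM with a
# small low-memory region and a second region above a reserved gap would have.
SAMPLE_SEGMENTS = [
    (0x1000, bytes(range(256)) * 16),    # 4 KiB starting at physical 0x1000
    (0x100000, b"\xAB" * 2048),          # 2 KiB starting at physical 0x100000
]


def build_lime(segments):
    """Build a LiME-format blob from (start_paddr, data) pairs (test data only)."""
    out = bytearray()
    for start, data in segments:
        end = start + len(data) - 1  # e_addr is inclusive
        out += HDR.pack(LIME_MAGIC, LIME_VERSION, start, end, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime(blob):
    """Return [(start, end, data), ...] from a LiME-format dump, validating each header."""
    segs, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated header at offset 0x%x" % off)
        magic, ver, s, e, _ = HDR.unpack_from(blob, off)
        if magic != LIME_MAGIC:
            raise ValueError("bad magic 0x%08x at offset 0x%x" % (magic, off))
        if ver != LIME_VERSION:
            raise ValueError("unsupported LiME version %d" % ver)
        if e < s:
            raise ValueError("segment end 0x%x precedes start 0x%x" % (e, s))
        if segs and s <= segs[-1][1]:
            raise ValueError("segments overlap or are out of order at 0x%x" % s)
        size = e - s + 1
        off += HDR.size
        data = blob[off:off + size]
        if len(data) != size:
            raise ValueError("truncated segment data at offset 0x%x" % off)
        segs.append((s, e, data))
        off += size
    return segs


def to_raw(segs):
    """'raw' layout: segments concatenated, holes dropped."""
    return b"".join(d for _, _, d in segs)


def to_padded(segs):
    """'padded' layout: zero-fill from physical 0 so file offset == physical address.
    Padding from 0 is this example's choice; the point is that offsets match."""
    out = bytearray()
    for s, _, d in segs:
        out += b"\0" * (s - len(out))
        out += d
    return bytes(out)


def file_offset(segs, paddr, layout):
    """File offset holding physical address paddr in the given layout, or None if
    paddr was not captured. A tool that assumes a flat image reads at paddr itself,
    which is only right for 'padded'."""
    pos = 0
    for s, e, d in segs:
        if layout == "lime":
            pos += HDR.size  # skip this segment's header
        if s <= paddr <= e:
            return paddr if layout == "padded" else pos + (paddr - s)
        pos += len(d)
    return None


if __name__ == "__main__":
    segs = parse_lime(build_lime(SAMPLE_SEGMENTS))
    for s, e, d in segs:
        print("segment 0x%012x-0x%012x (%d bytes)" % (s, e, len(d)))
    for layout in ("lime", "padded", "raw"):
        print("%-6s: paddr 0x100010 is at file offset 0x%x" %
              (layout, file_offset(segs, 0x100010, layout)))
```

Running the script prints the segment table and shows that physical address 0x100010 sits at file offset 0x100010 only in the padded image; in the lime image it is displaced by the two headers and the hole, and in the raw image it lands just past the first segment, so any physical offset computed from a page table would point at the wrong bytes. This is why the thread recommends 'lime' (self-describing) or 'padded' (flat but possibly huge) over 'raw'.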