8:46 p.m.
Hi guys,
who can help me to solve Volatility issues for linux(the vm is
windows,it's works).as follow is the operation and running results.
volatility version:2.4
libvmi version:v0.12.0-rc2
*1. kvm vm:*
*--download lime resource code*
root@ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
root@ubuntu-gxc:/opt# cd LiME
root@ubuntu-gxc:/opt/LiME# git tag
v1.4
root@ubuntu-gxc:/opt/LiME# git checkout -b v1.4
Switched to a new branch 'v1.4'
root@ubuntu-gxc:/opt/LiME# cd src/
root@ubuntu-gxc:/opt/LiME/src# make
make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
CC [M] /opt/LiME/src/tcp.o
CC [M] /opt/LiME/src/disk.o
CC [M] /opt/LiME/src/main.o
LD [M] /opt/LiME/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /opt/LiME/src/lime.mod.o
LD [M] /opt/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.32-21-generic.ko
root@ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko
"path=/opt/ubuntu.lime format=lime"
root@ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime
-r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime
*--copy ubuntu.lime to kvm host*
root@ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime root(a)172.19.106.245:
/mnt/sdb1/forensics/images/
*2. kvm Host:*
*--Making the profile*
root@ubuntu:/mnt/sdb1/git/volatility/volatility# zip
volatility/plugins/overlays/linux/ubuntu1004.zip tools/linux/module.dwarf
../../../sysmaps/System.map-2.6.32-21-generic
adding: tools/linux/module.dwarf (deflated 90%)
adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
*--using the profile*
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info
|grep Linux
Volatility Foundation Volatility Framework 2.4
Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
Linuxubuntu1004x86 - A Profile for Linux ubuntu1004 x86
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
--using the plugin
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug -f
/mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86
linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf
file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system
file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found dwarf
file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found system
file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid DTB
Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7505790>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value
e82c4c4c
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
PyVmiAddressSpace: Location doesn't start with vmi://
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid QemuCoreDumpElf: ELF
Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
PyVmiAddressSpace: Must be first Address Space
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
11:35 a.m.
Just to make sure: Your module.dwarf came from the kernel headers
package of the same system you ran lime on right? I don't see where you
compiled module.dwarf
If so, and it still doesn't work, would it be possible to upload the
sample and profile you created?
Thanks,
Andrew (@attrc)
On 06/11/2015 07:46 PM, Xianchun Guan wrote:
Hi guys,
who can help me to solve Volatility issues for linux(the vm is
windows,it's works).as follow is the operation and running results.
volatility version:2.4
libvmi version:v0.12.0-rc2
*1. kvm vm:*
*--download lime resource code*
root@ubuntu-gxc:/opt# git clone https://github.com/504ensicsLabs/LiME.git
root@ubuntu-gxc:/opt# cd LiME
root@ubuntu-gxc:/opt/LiME# git tag
v1.4
root@ubuntu-gxc:/opt/LiME# git checkout -b v1.4
Switched to a new branch 'v1.4'
root@ubuntu-gxc:/opt/LiME# cd src/
root@ubuntu-gxc:/opt/LiME/src# make
make -C /lib/modules/2.6.32-21-generic/build M=/opt/LiME/src modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-21-generic'
CC [M] /opt/LiME/src/tcp.o
CC [M] /opt/LiME/src/disk.o
CC [M] /opt/LiME/src/main.o
LD [M] /opt/LiME/src/lime.o
Building modules, stage 2.
MODPOST 1 modules
CC /opt/LiME/src/lime.mod.o
LD [M] /opt/LiME/src/lime.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-21-generic'
strip --strip-unneeded lime.ko
mv lime.ko lime-2.6.32-21-generic.ko
root@ubuntu-gxc:/opt/LiME/src# insmod lime-2.6.32-21-generic.ko
"path=/opt/ubuntu.lime format=lime"
root@ubuntu-gxc:/opt/LiME/src# ls -alh /opt/ubuntu.lime
-r--r--r-- 1 root root 1.0G 2015-06-05 14:24 /opt/ubuntu.lime
*--copy ubuntu.lime to kvm host*
root@ubuntu-gxc:/opt/LiME/src# scp /opt/ubuntu.lime
root@172.19.106.245:/mnt/sdb1/forensics/images/
*2. kvm Host:*
*--Making the profile*
root@ubuntu:/mnt/sdb1/git/volatility/volatility# zip
volatility/plugins/overlays/linux/ubuntu1004.zip
tools/linux/module.dwarf ../../../sysmaps/System.map-2.6.32-21-generic
adding: tools/linux/module.dwarf (deflated 90%)
adding: ../../../sysmaps/System.map-2.6.32-21-generic (deflated 74%)
*--using the profile*
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --info
|grep Linux
Volatility Foundation Volatility Framework 2.4
Linuxubuntu1004i386x86 - A Profile for Linux ubuntu1004i386 x86
Linuxubuntu1004x86 - A Profile for Linux ubuntu1004 x86
linux_banner - Prints the Linux banner information
linux_yarascan - A shell in the Linux memory image
--using the plugin
root@ubuntu:/mnt/sdb1/git/volatility/volatility# python vol.py --debug
-f /mnt/sdb1/forensics/images/ubuntu.lime --profile=Linuxubuntu1004x86linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
dwarf file ../../../sysmaps/System.map-2.6.32-21-generic with 658 symbols
DEBUG : volatility.plugins.overlays.linux.linux: ubuntu1004: Found
system file ../../../sysmaps/System.map-2.6.32-21-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid Gid
DTB Start Time
---------- -------------------- --------------- --------------- ------
---------- ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7505790>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x7505750>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.pyvmiaddressspace.PyVmiAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value
e82c4c4c
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
PyVmiAddressSpace: Location doesn't start with vmi://
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid QemuCoreDumpElf:
ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Linuxubuntu1004x86 selected
IA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemory: Failed valid Address Space check
PyVmiAddressSpace: Must be first Address Space
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3425
days inactive
3443
days old
vol-users@lists.volatilityfoundation.org
1 comments
2 participants
participants (2)
-
Andrew Case -
Xianchun Guan