A review of the Linux-capable version of Volatility doesn't seem to indicate any option of performing a keyword search of captured memory. Is this correct?

Also, I don't recall seeing an option in pmem.ko for capturing virtual/shared memory versus physical memory. Am I missing
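As an added example that is not part of the original thread: a chunked keyword search over a raw memory capture, the kind of check the question above asks about. It assumes the capture is a flat raw image (the output file of lime or pmem) and that the search term is a known byte string; the sample image below is constructed inline.

```python
import io
import sys
from typing import BinaryIO, List


def search_stream(stream: BinaryIO, keyword: bytes, chunk_size: int = 4 << 20) -> List[int]:
    """Return every absolute byte offset at which keyword occurs in stream.

    The capture is read in chunks so a multi-gigabyte dump is never held in memory
    at once. The last len(keyword) - 1 bytes of each chunk are carried into the next
    read, so a hit straddling a chunk boundary is found and none is reported twice.
    """
    if not keyword:
        raise ValueError("keyword must be non-empty")
    overlap = len(keyword) - 1
    hits: List[int] = []
    carry = b""  # tail of the previous chunk (too short to hold a full match)
    base = 0     # absolute offset in the image of buf[0] below
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = carry + data
        pos = buf.find(keyword)
        while pos != -1:
            hits.append(base + pos)
            pos = buf.find(keyword, pos + 1)
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return hits


def search_bytes(image: bytes, keyword: bytes, chunk_size: int = 4 << 20) -> List[int]:
    """Same search over an in-memory image (used for the constructed sample)."""
    return search_stream(io.BytesIO(image), keyword, chunk_size)


def search_image(path: str, keyword: bytes, chunk_size: int = 4 << 20) -> List[int]:
    """Search a raw capture on disk, e.g. the output file written by lime or pmem."""
    with open(path, "rb") as fh:
        return search_stream(fh, keyword, chunk_size)


# Constructed stand-in for a capture: 64 zero bytes with the keyword planted at
# offsets 5 and 28; with a 16-byte chunk size the second hit straddles a boundary.
KEYWORD = b"volatility"
_img = bytearray(64)
_img[5:15] = KEYWORD
_img[28:38] = KEYWORD
SAMPLE_IMAGE = bytes(_img)

if __name__ == "__main__":  # usage: python search.py <raw_image> <keyword>; no args runs the sample
    found = search_image(sys.argv[1], sys.argv[2].encode()) if len(sys.argv) == 3 else search_bytes(SAMPLE_IMAGE, KEYWORD, 16)
    print(", ".join(f"0x{off:x}" for off in found))
```

Offsets come back in ascending order, so they can be fed straight into a hex viewer or a volatility address lookup.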
My final assignment for a digital forensics class has me exploring the capabilities of Volatility for memory review of a Linux system. I have since learned about lime (Linux Memory Extractor) and about Volatility's own kernel module, pmem.ko, which appears to provide faster memory capture than lime.

The assignment initially had us visiting the volatilityfoundation.org web page, which only had through version 2.1. Additional searching revealed active work on code.google.com, which also says Linux support is part

So, I obtained version 2.2, and am getting very mixed results.

I am using an out-of-box version of Ubuntu 10.04 32-bit with some updates to bring Python up-to-date in a VMware Player 4.0.4 VM.

In my trials thus far, I can get some results from: python ./vol.py connscan -f /path/to/memory.img

I've pretty much gone through many of the options provided by python ./vol.py -h and usually end up with the error:

"No suitable address space mapping found
Tried to open image as:"

Various Google searches, and reading the Volatility page, really seem to indicate the code is still very Windows-oriented.

Am I missing something? I'd like to get some decent results, if possible.

I also tried an svn update, but that most recent version yielded an immediate Python error on vol.py.

Thanks for any insights.
Hi, I am currently using Volatility to retrieve TrueCrypt keys stored in memory, by accessing a RAM dump. Can you please help me out on how to map the exact location of keys using Volatility? I am able to list the processes running while the image was taken, and henceforth I am not able to narrow down my search criteria; please help me out.
We are writing to announce the public offering of our Windows Memory Forensics for Analysts training course. This course is taught directly by Volatility developers, and will provide intense training in memory forensics for incident response, malware analysis, and digital forensic investigation. Full details can be found here:

Please write or comment on the post if you have any questions or comments.