I built LiME from the tarball on the project site (not latest svn) and was able to dump memory successfully (type=lime). After many trials and tribulations I was able to get the Volatility profile built for CentOS 5.3x64 (had to remove pmem from the Makefile). I put the profile in the correct directory, and vol.py --info lists it as expected, however when I try to use the profile with the memory image I get an error.
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ vol.py --profile=…
[View More]LinuxCentOS_5_3x64 -f /fun/ir/geriatrix.lime linux_lsmod
Volatile Systems Volatility Framework 2.3_alpha
WARNING : volatility.obj : Overlay structure cpuinfo_x86 not present in vtypes
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
VMWareSnapshotFile: Invalid VMware signature: 0xf000ff53
WindowsCrashDumpSpace32: Header signature invalid
JKIA32PagedMemoryPae: Incompatible profile LinuxCentOS_5_3x64 selected
AMD64PagedMemory: Failed valid Address Space check
JKIA32PagedMemory: Incompatible profile LinuxCentOS_5_3x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Incompatible profile LinuxCentOS_5_3x64 selected
On a hunch I checked the directory I built the profile in (copied headers & source from the target system):
chort@hydra:~/code/profiles-volatility/CentOS_5.3_x64$ grep cpuinfo *
System.map-2.6.18-128.el5:ffffffff8006f328 t show_cpuinfo
System.map-2.6.18-128.el5:ffffffff80103251 t cpuinfo_open
System.map-2.6.18-128.el5:ffffffff8020eadb t show_cpuinfo_max_freq
System.map-2.6.18-128.el5:ffffffff8020eafa t show_cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff8020f759 t show_cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff802f0bc0 D cpuinfo_op
System.map-2.6.18-128.el5:ffffffff80308420 d proc_cpuinfo_operations
System.map-2.6.18-128.el5:ffffffff803319a0 d cpuinfo_cur_freq
System.map-2.6.18-128.el5:ffffffff80331b20 d cpuinfo_min_freq
System.map-2.6.18-128.el5:ffffffff80331b60 d cpuinfo_max_freq
Platform running Volatility (2.3_alpha, latest from svn):
Linux hydra 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Source of memory image:
Linux geriatrix.smtps.net 2.6.18-128.el5 #1 SMP Wed Jan 21 10:41:14 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
What am I missing?
--
chort
[View Less]
I just build a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated though how far it gets differs with each run.
The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware.
user@host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt
Volatility Foundation Volatility Framework 2.4
…
[View More]Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 192, in <module>
main()
File "/usr/local/bin/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute
func(outfd, data)
File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text
str(task.ExitTime or ''),
File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row
outfd.write(self.tablesep.join(reslist) + "\n")
IOError: [Errno 22] Invalid argument
Thanks for any help.
Sean McLinden
[View Less]
Hi, everybody,
I'm a new comer to volatility framework. At the same time, I am getting to work with libvirt library. I created a dump file named 'vm1_snapshot' by using libvirt command like 'virsh save domain'. In the domain ran the WinXPSP3x86. However, when I used 'python vol.py -f ~/vm1_snapshot --profile=WinXPSP3x86 pslist', the result showed as 'No suitable address space mapping found'. How could this happen? Is there anything wrong with the way the snapshot file was created? I hope …
[View More]some guy can do me a favor.
[View Less]
Testing zeusscan against a known zeus vmem sample, I am getting a
segmentation fault. Other vol commands run and return results properly, and
zeuscan appears to have compiled OK. No errors output except for the
segmentation fault.
Host OS is CentOS Linux 2.6, Volatility is 2.4. Zeus.vmem is WinXPSP2x86
Any ideas on troubleshooting?
Bill
vol-users,
We are excited to announce that over half the seats for the Open Memory
Forensics Workshop (OMFW) 2014 have already been reserved. It’s also
great to see a large number of first time attendees from across
government, academic, and commercial institutions. This is your one
chance a year to hear about the latest research in memory forensics from
the people who are pioneering the field. If you are still planning to
attend, we suggest you register as soon as possible to make …
[View More]sure you have
a seat.
We are also excited to announce that Dr. Brendan Dolan Gavitt (moyix) will
be speaking at the workshop. As many of you know, Brendan has been a
member of the Volatility family since the very beginning and recently
earned his PhD from the Georgia Institute of Technology. If you have
followed Brendan’s work throughout the years and his new research with
PANDA, I’m sure you will not be disappointed.
In the upcoming weeks, we will continue finalizing and announcing the
exciting roster of speakers.
http://volatility.tumblr.com/post/97219909222/omfw-2014-update-dr-brendan-d…
AW
[View Less]
Dear Vol-users:
First and foremost thanks to the creators of volatility for this amazing
tool.
I've been struggling to create a proper linux profile to analyze a memory
dump from an Ubuntu 12.04.3 LTS machine created with fmem. The dump was
split into several files which I combined using cat.
I don't have access to the physical machine just some snapshot info, and
have been trying to gather all the information I need in order to create
the proper profile as follows:
I grepped through /var/…
[View More]log/kern.log to find the kernel version that was
running and got this:
Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
Also grep through kern.log for CPU and get:
CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know
to utilize 64-bit architecture.
So to create the profile, I've installed a virtual machine running Ubuntu
12.04.3X64 and the identical kernel version: 3.2.0-53-generic. I have a
different processor core on the virtual machine Im using to build the
profile (Intel i5-4288U @ 2.60 GHZ, perhaps this is part of the problem?)
I followed the instructions to a T on generating modules.dwarf using the
included volatility toolset, copying the Systems.map file, zipping them
together, etc.
Run the required
python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64 - A Profile for Linux 3.2.0-52-genericX_64
x64
Linux4cpuprofilex64 - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86 - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64 - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
kernel-3.2.0-52-generic x86
and all seems well. (The LinuxUbuntu_12_04_3_X64x64 is for kernel
3.2.0-53-generic)
Now when I run the following with -dd flag for debug I get the following
(Sorry for length of debug msg)
python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG : volatility.obj : Applying modification from BashHashTypes
DEBUG : volatility.obj : Applying modification from BashTypes
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from ELF32Modification
DEBUG : volatility.obj : Applying modification from ELF64Modification
DEBUG : volatility.obj : Applying modification from ELFModification
DEBUG : volatility.obj : Applying modification from HPAKVTypes
DEBUG : volatility.obj : Applying modification from LimeTypes
DEBUG : volatility.obj : Applying modification from
LinuxTruecryptModification
DEBUG : volatility.obj : Applying modification from MachoModification
DEBUG : volatility.obj : Applying modification from MachoTypes
DEBUG : volatility.obj : Applying modification from MbrObjectTypes
DEBUG : volatility.obj : Applying modification from
VMwareVTypesModification
DEBUG : volatility.obj : Applying modification from
VirtualBoxModification
DEBUG : volatility.obj : Applying modification from LinuxIntelOverlay
DEBUG : volatility.obj : Applying modification from
LinuxKmemCacheOverlay
DEBUG : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel
DEBUG : volatility.obj : Applying modification from LinuxMountOverlay
DEBUG : volatility.obj : Applying modification from
LinuxObjectClasses
DEBUG : volatility.obj : Applying modification from LinuxOverlay
Offset Name Pid Uid
Gid DTB Start Time
------------------ -------------------- --------------- ---------------
------ ------------------ ----------
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: No base
Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7fe1d90>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating
VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1 : volatility.utils : Failed instantiating
VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating VMWareAddressSpace:
Invalid VMware signature: 0xffffffff
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1 : volatility.utils : Failed instantiating QemuCoreDumpElf: ELF
Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1 : volatility.utils : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1 : volatility.obj : None object instantiated: Unable to
read_long_long_phys at 0xfffff8104eff0L
DEBUG1 : volatility.utils : Failed instantiating AMD64PagedMemory:
Failed valid Address Space check
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemoryPae:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1 : volatility.utils : Failed instantiating IA32PagedMemory:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1 : volatility.utils : Failed instantiating OSXPmemELF: ELF Header
signature invalid
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1 : volatility.utils : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff070L
DEBUG1 : volatility.obj : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff040L
DEBUG1 : volatility.obj : None object instantiated: No suggestions
available
DEBUG1 : volatility.utils : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0xffffffff
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Failed valid Address Space check
IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
selected
IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: Failed valid Address Space check
The error must have something to do with the way that I'm generating the
profile (at least I think something is off) but I can't for the life of me
figure out what the problem is. I truly appreciate any light that a vol
expert out there may able to shed on what I need to do differently. Thanks
very much.
[View Less]
(I definitely have the reply I sent hours ago in my 'Sent Items', but maybe
the Internet ate it. Anyway...)
Just to add to what MHL said, I notice your error concerns fileparam.py
which is odd.
It should be present:
/path/to/volatility$ find -type f -name fileparam.py
./volatility/plugins/fileparam.py
In case MHL's suggestion doesn't fix it, can you find the fileparam.py file?
Where did you get your copy of 2.4 from?
Might be worth grabbing it again from github.
Bridgey
Is zeusscan depreciated in version 2.4?
Volatility Foundation Volatility Framework 2.4
ERROR : volatility.plugins.fileparam: The requested file doesn't exist
As mentioned earlier this week, we have extended the deadline for the 2014
Volatility Plugin Contest until October 1st because an organization wanted
to augment the prizes. We are excited to share that due to an extremely
generous donation from Facebook, the total cash prizes have been doubled
from $2250 USD to $4500 USD!
If you have already submitted to the contest, you can use this extra time
to fine tune your submission or submit another entry to improve your
chances. If you were …
[View More]considering submitting, you now have an extra month
to demonstrate your creativity, become a memory analysis pioneer, win the
admiration of your peers, and give back to the community!
It’s great to see some of the largest companies in the world showing their
support for and giving back to the memory forensics community! Thank you,
Facebook, and good luck to all participants in the contest - the stakes
have literally just doubled!
AAron Walters
The Volatility Foundation
[View Less]