Hi,
I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64).
I checked the github repository already and did a google search to no avail.
Does anyone have one already created?
Or can anyone help me figure out how to get around these compilation errors?
include/linux/thread_info.h:24:4: error unknown type name 'u32'
u32 __user *uaddr;
^
There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set.
I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past.
Thanks,
Geoff
BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.
It’s time to start getting ready for the 7th Annual OSDFCon by submitting your presentation idea, writing an Autopsy module, and saving the date on your calendar. OSDFCon is the 1-day event to attend each year to learn about the latest open source digital forensics and incident response tools with over 400 of your colleagues.
THE ESSENTIALS
Conference Date: October 26, 2016
Location: Herndon, VA
CALL FOR PAPERS
Each year, OSDFCon gives developers and users a platform to talk about the open source software they love. We want to hear your presentation and hands-on workshop ideas. Submissions are due by June 1.
Past presentations have covered new software, new features in mature software, modules for plug-in frameworks, and use cases that integrate several pieces of software. A detailed list of topics and submission details can be found here:
http://www.osdfcon.org/osdfcon-2016/2016-call-for-presentations/
AUTOPSY MODULE COMPETITION
For the third year, Basis Technology is organizing an Autopsy module writing competition. The modules can be written in Python or Java and we have tutorials to help you get started. Learning to write Autopsy modules will make you more effecient because Autopsy takes care of providing access to files, user interface, and reporting. All you have to do is focus on some cool analytics.
The winners will be chosen by the OSDFCon attendees and the top three will get cash prizes. If we get 12 or more submissions (the number that the Volatility project got last year), Basis Technology will double the prize amounts. Submissions are due by October 17 (6 months away!). Links to tutorials and submission details can be found here:
http://www.osdfcon.org/osdfcon-2016/2016-module-development-contest/
ABOUT OSDFCON
OSDFCon is the premier event focused exclusively on open source digital forensics tools, OSDFCon offers short talks over the course of a single day. These talks are packed with information and present a unique opportunity to learn about new (often free) tools and provide feedback directly to developers. Basis Technology is the organizing sponsor of the event and it is free for government employees to attend.
To answer my own question...
My profile build system is Debian based. Even though I've successfully created Fedora and CentOS profiles on it, I needed to move to a Fedora system which had the proper definition files in its compiler environment. That got rid of all the 'u32' errors. But because the compiler was gcc 5.1, I needed to create a compiler-gcc5.h file in the include/Linux folder of the kernel files. I just linked to the gcc4 file and everything compiled fine.
All the Linux Volatility commands appear to be working as expected.
Geoff
From: Torres, Geoff (Cyber Security)
Sent: Thursday, April 07, 2016 11:37 AM
To: 'vol-users(a)volatilityfoundation.org' <vol-users(a)volatilityfoundation.org>
Subject: Need a Redhat 7.1 profile
Hi,
I usually roll my own profiles but I'm having a big problem getting one created for RedHat 7.1 (Linux version 3.10.0-229.el17.x86_64).
I checked the github repository already and did a google search to no avail.
Does anyone have one already created?
Or can anyone help me figure out how to get around these compilation errors?
include/linux/thread_info.h:24:4: error unknown type name 'u32'
u32 __user *uaddr;
^
There are hundreds of them. As near as I've been able to determine, all the flags that would set it are 64 bit-centric so it never gets set.
I have the full make output and the kernel RPMs if needed. Oh, and this is the first time I'm creating a profile using Volatility 2.5, but I'm getting the same errors on 2.4 where I've been successful in the past.
Thanks,
Geoff
BTW - I'm a programmer by necessity, not profession. Feel free to point out the obvious.
We are very excited to announce that $999 in cash prizes was just added
to the 2016 plugin contest thanks to Airbnb!
The updated prize pools and full contest information can be found at the
following link:
http://volatility-labs.blogspot.com/2016/04/airbnb-donates-999-to-2016-vola…
--
Thanks,
Andrew (@attrc)
Gang,
I've googled it and saw some other discussion of the dreaded
ERROR : volatility.debug : Invalid profile <blah> selected
error. I'm trying to figure out what changed recently so that profiles
that used to work for me, no longer work. I just did a fresh Ubuntu
14.04.4 install and then installed volatility (and distorm3 via pip) from
github and I'm getting the error above. Note, this is the current release
version, though I also have the problem with the version from whatever
repo SIFT uses. The profile actually came from SecondLook and worked just
fine on a different Ubuntu system about 4 weeks ago, but today it fails
(on the system where it used to run), so I decided to try on this virgin
system and get the same error. I'm at a loss, since there are no other
debugging messages to help me out with what might be the problem. I can
provide the profile to anyone who needs it (and probably a memory image,
too, but that needs to be a little more tightly controlled) if that would
help.
--
Jim Clausing
GIAC GSE #26, CISSP
GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
Ok, can you run:
vol.py --info | grep Linux
and see if the profile name shows up like you have it as --profile?
Thanks,
Andrew (@attrc)
On 04/07/2016 02:26 PM, Jim Clausing wrote:
> -dd doesn't give me anything more than that error.
>
> jac@ubuntu:~$ vol.py -dd --plugins=profiles
> --profile=Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> -m XUbuntu\ 64-bit-Snapshot3.vmem linux_pslist
> Volatility Foundation Volatility Framework 2.5
> ERROR : volatility.debug : Invalid profile
> Linux3_13_0_79_generic__123_Ubuntu_SMP_Fri_Feb_19_14_27_58_UTC_2016_x86_64
> selected
>
> --
> Jim Clausing
> GIAC GSE #26, CISSP
> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>
> On or about Thu, 7 Apr 2016, Andrew Case pontificated thusly:
>
>> Hey,
>>
>> Can you run volatility with -dd set and send the output? If I can't
>> figure out it from there I will take the memory sample and profile. Feel
>> free to send debug output offline.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 04/07/2016 12:27 PM, Jim Clausing wrote:
>>> Gang,
>>> I've googled it and saw some other discussion of the dreaded
>>>
>>> ERROR : volatility.debug : Invalid profile <blah> selected
>>>
>>> error. I'm trying to figure out what changed recently so that profiles
>>> that used to work for me, no longer work. I just did a fresh Ubuntu
>>> 14.04.4 install and then installed volatility (and distorm3 via pip)
>>> from github and I'm getting the error above. Note, this is the current
>>> release version, though I also have the problem with the version from
>>> whatever repo SIFT uses. The profile actually came from SecondLook and
>>> worked just fine on a different Ubuntu system about 4 weeks ago, but
>>> today it fails (on the system where it used to run), so I decided to try
>>> on this virgin system and get the same error. I'm at a loss, since
>>> there are no other debugging messages to help me out with what might be
>>> the problem. I can provide the profile to anyone who needs it (and
>>> probably a memory image, too, but that needs to be a little more tightly
>>> controlled) if that would help.
>>>
>>> --
>>> Jim Clausing
>>> GIAC GSE #26, CISSP
>>> GPG Fingerprint = A507 774A 39D6 A702 9F7C 8808 3D13 77B8 AACD 848D
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
>>
>
We are happy to announce that the 2016 Volatility Plugin Contest is now
live:
http://volatility-labs.blogspot.com/2016/04/the-2016-volatility-plugin-cont…
This contest is modeled after the annual IDA Pro one, and its purpose is
to encourage new research in the memory forensics field. Volatility is
one of the most popular tools in digital forensics, incident response,
and malware analysis, and by submitting to our contest your work will
immediately gain visibility through all of these communities.
Besides this recognition, we also award the top entries over $2,000 in
cash prizes, swag (stickers, t-shirts, etc.), and blog entries on our
Volatility Labs blog.
This contest is a great opportunity to explore the open source
Volatility Framework, add visibility to your career, and potentially
develop a master's thesis or PhD project.
--
Thanks,
Andrew (@attrc)
Sir,
I am doing my M.E in Cyber forensics and Information Security,
currently doing my project work on MAC RAM dump analysis. I am using
volafox-master for listing data from my dump collected from my lap. Can you
please help me how we can find the list of running process. Currently i've
found a symbol that volatility uses("_allproc") also ive found it from
symutils file.
But i don't know what to do with it.
Thanks
in advance, Razeem
Hello,
I am working on a homework assignment that involves IR on a Linux system.
We were only given some of the log files and a memory dump. None of the
profiles on Github work so I need to build a profile. Unfortunately, the
memory dump comes from a very old version of RedHat. It's RedHat 7.2
(Enigma) not RHEL7.
I found the Enigma ISOs, created a VM and downloaded the source, headers,
libdwarf, dwarfdump, etc, installed but when I run make from the
tools/linux folder, it doesn't create the module.ko file that dwarfdump
uses. I ran the make manually and it finishes without any errors but no
module.ko.
Any ideas what I might be doing wrong?
Thanks!
Carlos
Hi,
I'm trying to detect LKM rootkit (https://github.com/ivyl/rootkit) which
hides module and hooks fop.
I use CentOS 6.5 (2.6.32-431.el6.x86_64), LiME 1.7.2 and latest Volatility
git repo (52c9c40a273595ef0b088b75b396c3487cb1b27c) for both memory dump
and analyse.
Many plugin works fine, but it can't be detected by below plugin (same on
Volatility 2.4).
* linux_hidden_modules - nothing is detected
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_hidden_modules
Volatility Foundation Volatility Framework 2.5
Offset (V) Name
------------------ ----
* linux_check_fops - outputs error (no verbose output on --debug option)
$ python vol.py -f mem.img --profile=LinuxCentOS65x64 linux_check_fops
Volatility Foundation Volatility Framework 2.5
ERROR : volatility.debug : You must specify something to do (try -h)
I would really appreciate any advice.
Regards,
