Hi List,
Running volatility-2.2.standalone.exe on Win7 Pro 64bit AMD with 32GB of
RAM.
I'm new to volatility and I'm attempting to use it to troubleshoot apps
that don't play nice with the Windows clipboard. I'm using the steps
here:
http://www.infosecisland.com/blogview/22429-Detecting-Window-Stations-and-C…
I changed my registry to force a complete memory dump by setting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled
to be 1. (http://support.microsoft.com/kb/969028)
I used System Internal's NotMyFault tool with the /crash switch to
create the dump.
(https://code.google.com/p/volatility/wiki/CrashAddressSpace)
The resulting c:\windows\memory.dmp file is about 34GB in size.
When I launch volatility, this is as far as it gets:
C:\Users\taa\Downloads>volatility-2.2.standalone.exe -f
c:\windows\memory.dmp --profile=Win7SP1x64 wndscan
Volatile Systems Volatility Framework 2.2
It has been showing this for close to 3.75 hours. Task Manager shows two
instances of volatility-2.2.standalone.exe running, one at a constant
1,144K RAM usage, and the other instance with RAM usage constantly
changing in the range of 58MB to 73MB, averaging 13% CPU utilization. To
mean this indicates it is doing /something/ even if it is caught in an
infinite loop.
If it's reasonable for volatility to run this long and longer, I'll just
be patient, though it would be helpful if someone could give me an idea
of how long it might take.
If this is taking too long, what can I do to troubleshoot what it's doing?
Kind regards,
Todd
Hi Guanglin,
thank you for your reply! I'm absolutely newbie, so my questions are probably a bit tedious.
> > Libvmi seems a bit complicated to install, at least compared to the
> > vboxmanage debugvm command. Is libvmi required for KVM or is it possible
> to
> > use virsh dump?
> >
> You should use LibVMI just for "online live" forensics over a virtual
> machine.
>
> If you merely need an offline memory dump of a KVM virtual machine, feel
> free to use virsh dump without LibVMI.
I'm not sure, if I understand the difference. When I run the victim in a VM, I can hit virsh dump in another host terminal window and get a snapshot of the VM at this point in time? When I tried this a little while ago with an Windows 7 x64 SP0 image, it didn't work. So I thought this method is not suitable... The image format respective profile was recognized with imageinfo correctly. The host is CentOS 6.4.
With libvmi I would get continuous updates?
Chris
Hi guys, i'm working on a project to analyze memory dumps of Android devices with Volatility. But it seems that it isn't possible to do so if the source code does not provide me with the System.map file. I can't compile my own System.map file using commands like "make ARCH=arm CROSS_COMPILE=$CCOMPILER" (this would give me inaccurate addresses) nor can i use the /proc/kallsyms (this does not have symbols required for volatility to prepare) file from the Android device itself. I just wanna verify, is it actually still possible for me to use volatility to analyze this memory dump if the System.map file wasn't distributed with the headers/source? Thanks.
Dear all,
sorry, I'm using webmail only and couldn't set an in reply-to header to my last message.
Libvmi seems a bit complicated to install, at least compared to the vboxmanage debugvm command. Is libvmi required for KVM or is it possible to use virsh dump?
Thank you in advance.
- Chris
Hi,I am trying to build a volatility 2.3p profile using a mac os host 10.8.5 and a 4.3 android goldfish guest custom kernel.edited my make file under tools/linux/ to: "obj-m += module.oKDIR := ~/goldfish-ksemulator/ CCPATH := ~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin/DWARFDUMP := /Users/Hanaysha/dwarf/dwarfdump/dwarfdump-include version.mkall: dwarfdwarf: module.c $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) CONFIG_DEBUG_INFO=y M=$(PWD) modules$(DWARFDUMP) -di module.ko > module.dwarf "I am awarded with the follwing errors :"Hanayshas-MacBook-Pro:linux Hanaysha$ makemake -C ~/goldfish-ksemulator//lib/modules/12.5.0/build CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesmake: *** /Users/Hanaysha/goldfish-ksemulator//lib/modules/12.5.0/build: No such file or directory. Stop.make: *** [dwarf] Error 2Hanayshas-MacBook-Pro:linux Hanaysha$ makemake ARCH=arm CROSS_COMPILE=~/android-ndk/toolchains/arm-linux-androideabi-4.7/prebuilt/darwin-x86_64/bin//arm-linux-androideabi- -C ~/goldfish-ksemulator/ CONFIG_DEBUG_INFO=y M=/Users/Hanaysha/android-volatility/tools/linux modulesBuilding modules, stage 2.MODPOST 1 modulesCC /Users/Hanaysha/android-volatility/tools/linux/module.mod.o/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:8:1: error: variable '__this_module' has initializer but incomplete type/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: error: unknown field 'name' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:9:2: warning: (near initialization for '__this_module') [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: error: unknown field 'arch' specified in initializer/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:10: error: 'MODULE_ARCH_INIT' undeclared here (not in a function)/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: excess elements in struct initializer [enabled by default]/Users/Hanaysha/android-volatility/tools/linux/module.mod.c:10:2: warning: (near initialization for '__this_module') [enabled by default]make[2]: *** [/Users/Hanaysha/android-volatility/tools/linux/module.mod.o] Error 1make[1]: *** [modules] Error 2make: *** [dwarf] Error 2"Any ideas !? your help is appreciated
Hi guys,
I'm trying to find out the addresses of the memory pages of a target
process that are used as stack and heap on Linux.
(Precisely, I would like to have the output which can be seen in
/proc/<pid>/maps for a target process)
Unfortunately, the command linux_proc_maps is not working, I always get
a segmentation fault,
although I tried different kernels as well as Linux setups (Ubuntu) -
it's just not working.
Can anyone tell me a setup (Linux & Kernel) in which the linux_proc_maps
command works?
Or give me a hint how I could figure out these addresses on another way?
Thank you!
Hi everyone,
I ran apihook command in Volatility with the very fast pyvmi address space.
However, I didn't see significant performance improvement in terms of the
total runtime as it still ran for 5 mins - 6 mins.
Although I have got profiling report of apihooks by cProfile and have been
aware that __read_bytes(), the acquisittion of memory content, just
consumed a very small part, which is 7 secs, of the total 5~6 mins, and
that the overhead may be categorized in apihook algorithm, memory
acquisition as well as Python runtime, I can hardly go further in figuring
out which part of the apihook cost the most.
I attach the profiling report here, and hope anyone help analysis.
Thank you so much.
Guanglin
We are working volatility. Firstly we installed python, then its
dependencies i.e. pycrpto, yara, distorm Min gw. After installing all this
to our system, out volatility 2.1 software is not working, or we are not
able to use it. Need help in this regard.
We wrote a blog post today that announced our first two trainings of 2014:
http://volatility-labs.blogspot.com/2013/09/2014-malware-and-memory-forensi…
We will be in San Diego, CA in January as well as London in June. Once
we confirm our other trainings that are currently in the works we will
post them as well. At least one of these trainings will be on the east
coast.
Also, as a reminder, we still have a few spots left in our November
training in Reston, so please contact us ASAP if you would like to
attend.
Thanks,
Andrew (@attrc)
Hi,
what's the preferred virtualization method to create memory dumps? Is it possible to acquire the guest memory without guest modifications? Linux and Windows guests are used.
Regards,
Chris
