[Vol-users] Volatility issue #383: Linux 'tmpfs' extraction on multiple CPU systems
Torres, Geoff (Global Cyber Security)
geoff.torres at hp.com
Fri May 2 13:38:15 CDT 2014
According to Volatility issue #383, 'tmpfs' extraction doesn't work because Volatility doesn't support NUMA systems.
Question 1 - Is it on the roadmap for future versions?
I deal primarily with Multi-CPU cloud systems so this is definitely a desired feature.
Question 2 - Is it reasonably feasible to manually extract tmpfs from a system RAM dump?
Following the 'linux_tmpfs' module through the debugger showed that it was able to locate the /dev/shm tmpfs file system (replicating 2 levels in my output directory); it just croaked when it came time to retrieve the actual file data.
I figure that if I can manually determine whatever offset it needs then I can set the proper variable in a debug session.
Geoff Torres HP Global Cyber Security
8000 Foothills Blvd.
Roseville, CA. 95747