[Vol-users] Volatility issue #383: Linux 'tmpfs' extraction on multiple CPU systems

Torres, Geoff (Global Cyber Security) geoff.torres at hp.com
Fri May 2 13:38:15 CDT 2014


Hi,

According to Volatility issue #383, 'tmpfs' extraction doesn't work because Volatility doesn't support NUMA systems.

Question 1 - Is it on the roadmap for future versions?

I deal primarily with Multi-CPU cloud systems so this is definitely a desired feature.

Question 2 - Is it reasonably feasible to manually extract tmpfs from a system RAM dump?

Following the 'linux_tmpfs' module through the debugger showed that it was able to locate the /dev/shm tmpfs file system (replicating 2 levels in my output directory), it just croaked when it came time to retrieve the actual file data.

I figure that if I can manually determine whatever offset it needs then I can set the proper variable in a debug session.

Any thoughts?

Thanks,

Geoff

==============================
Geoff Torres   HP Global Cyber Security

8000 Foothills Blvd.
Roseville, CA. 95747
916-785-3323
==============================
