[Vol-users] Re: Error in mac_netstat & mac_arp

Andre DiMino adimino at sempersecurus.org
Mon Oct 6 23:06:40 CDT 2014


Anyone using Volatility 2.4 on a Mac memory image seeing anything like this?
*bump*

On Fri, Oct 3, 2014 at 3:57 PM, Andre DiMino <adimino at sempersecurus.org>
wrote:

> I have a .vmem file from a Mac OS virtual machine.  I'm using profile
> "MacMountainLion_10_8_2_AMDx64"
>
> Using Volatility 2.4, I'm able to run a few mac commands against this
> image, however I get traceback errors in the 'netstat' and 'arp' commands.
> I paste below:
> +++++++++++++++++++++++++++++++++++++++++
>
> forensics at saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
> --profile=MacMountainLion_10_8_2_AMDx64 mac_ifconfig
>
> Volatility Foundation Volatility Framework 2.4
> Interface  Address
> ---------- -------
> lo0        fe80:1::1
> lo0        127.0.0.1
> lo0        ::1
> gif0
> stf0
> en0        00:0c:29:ea:9a:27
> en0        fe80:4::20c:29ff:feea:9a27
> en0        172.16.253.140
> +++++++++++++++++++++++++++++++++++++++++
> forensics at saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
> --profile=MacMountainLion_10_8_2_AMDx64 mac_version
>
> Volatility Foundation Volatility Framework 2.4
> Darwin Kernel Version 12.2.0: Sat Aug 25 00:48:52 PDT 2012;
> root:xnu-2050.18.24~1/RELEASE_X86_64
> +++++++++++++++++++++++++++++++++++++++++
>
> forensics at saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
> --profile=MacMountainLion_10_8_2_AMDx64 mac_netstat
>
> Volatility Foundation Volatility Framework 2.4
> Proto  Local IP             Local Port Remote IP            Remote Port
> State                Process
> ------ -------------------- ---------- -------------------- -----------
> -------------------- ------------------------
> UNIX -
> UNIX /var/tmp/launchd/sock
> UNIX -
> UNIX /var/run/com.apple.ActivityMonitor.socket
> UNIX /var/run/mDNSResponder
> UNIX /var/rpc/ncacn_np/lsarpc
> UNIX /var/rpc/ncalrpc/lsarpc
> UNIX /var/rpc/ncacn_np/mdssvc
> UNIX /var/rpc/ncalrpc/NETLOGON
> UNIX /var/rpc/ncacn_np/srvsvc
> UNIX /var/rpc/ncalrpc/srvsvc
> UNIX /var/rpc/ncacn_np/wkssvc
> UNIX /var/rpc/ncalrpc/wkssvc
> Traceback (most recent call last):
>   File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in
> <module>
>     main()
>   File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
>     command.execute()
>   File
> "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py",
> line 46, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/home/forensics/programs/volatility-2.4/volatility/commands.py",
> line 127, in execute
>     func(outfd, data)
>   File
> "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/netstat.py",
> line 58, in render_text
>     self.table_row(outfd, proto, lip, lport, rip, rport, state,
> "{}/{}".format(proc.p_comm, proc.p_pid))
> ValueError: zero length field name in format
>
> +++++++++++++++++++++++++++++++++++++++++
> forensics at saturn:~/workspace/iworm/memory$ vol -f iworm_run1.vmem
> --profile=MacMountainLion_10_8_2_AMDx64 mac_arp
>
> Volatility Foundation Volatility Framework 2.4
> Source IP                Dest. IP                    Name           Sent
>             Recv                     Time                 Exp.    Delta
> ------------------------ ------------------------ ----------
> ------------------ ------------------ ------------------------------
> ---------- -----
> Traceback (most recent call last):
>   File "/home/forensics/programs/volatility-2.4/vol.py", line 192, in
> <module>
>     main()
>   File "/home/forensics/programs/volatility-2.4/vol.py", line 183, in main
>     command.execute()
>   File
> "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/common.py",
> line 46, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/home/forensics/programs/volatility-2.4/volatility/commands.py",
> line 127, in execute
>     func(outfd, data)
>   File
> "/home/forensics/programs/volatility-2.4/volatility/plugins/mac/route.py",
> line 104, in render_text
>     rt.name,
>   File "/home/forensics/programs/volatility-2.4/volatility/obj.py", line
> 537, in __getattr__
>     return getattr(result, attr)
>   File
> "/home/forensics/programs/volatility-2.4/volatility/plugins/overlays/mac/mac.py",
> line 562, in name
>     return "{}{}".format(self.rt_ifp.if_name.dereference(),
> self.rt_ifp.if_unit)
> ValueError: zero length field name in format
>
> ++++++++++++++++++++++++++++++
>
> Any thoughts or ideas are very appreciated!
>
> --
>
> Andre' M. DiMino
> DeepEnd Research
> http://deependresearch.org
> http://sempersecurus.org
>
> "Make sure that nobody pays back wrong for wrong, but always try to be
> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
>



-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
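For anyone hitting the same `ValueError: zero length field name in format` in mac_netstat and mac_arp: that message is what Python 2.6's `str.format` raises for auto-numbered `{}` fields, which only became legal in Python 2.7 (and 3.1). Both tracebacks end in exactly such a template (`"{}/{}"` in netstat.py, `"{}{}"` in mac.py), so the first thing to check is which interpreter `vol.py` is running under. The snippet below is an added example, not code from Volatility or from this thread; it reports whether the running interpreter supports auto-numbering and rewrites a template such as `"{}/{}"` into the explicitly numbered form `"{0}/{1}"` that works on 2.6 and 2.7+ alike. The `format_process_column` helper and its `launchd`/`1` sample values are constructed for illustration.

```python
import itertools
import string
import sys


def supports_auto_numbering(version_info=None):
    """Return True if this interpreter accepts "{}" fields in str.format.

    Auto-numbered fields arrived in Python 2.7 / 3.1. Python 2.6 raises
    'ValueError: zero length field name in format' on them, which is the
    error shown in the mac_netstat and mac_arp tracebacks.
    """
    vi = sys.version_info if version_info is None else version_info
    major_minor = (vi[0], vi[1])
    return major_minor >= (2, 7) and major_minor != (3, 0)


def number_auto_fields(fmt, _counter=None):
    """Rewrite auto-numbered fields ("{}") into explicit ones ("{0}").

    Fields that already carry a name or index are left alone. Nested auto
    fields inside a format spec (e.g. "{:{}}") are numbered in the order
    Python itself uses: outer field first, then the spec. Mixing "{}" with
    "{0}" in one template is an error in Python and is not handled here.
    """
    counter = itertools.count() if _counter is None else _counter
    out = []
    for literal, name, spec, conv in string.Formatter().parse(fmt):
        # parse() unescapes "{{" / "}}", so re-escape literal text on the way back
        out.append(literal.replace("{", "{{").replace("}", "}}"))
        if name is None:  # trailing literal with no field after it
            continue
        if name == "":
            name = str(next(counter))
        field = "{" + name
        if conv:
            field += "!" + conv
        if spec:
            # the spec may itself contain auto fields; share the same counter
            field += ":" + number_auto_fields(spec, counter)
        out.append(field + "}")
    return "".join(out)


def format_process_column(p_comm, p_pid):
    """Build a 'comm/pid' cell the way netstat.py does, on a 2.6-safe template.

    Hypothetical helper: Volatility's plugin formats the string inline.
    """
    template = number_auto_fields("{}/{}")  # -> "{0}/{1}"
    return template.format(p_comm, p_pid)


if __name__ == "__main__":
    print("auto-numbered {} supported here:", supports_auto_numbering())
    for template in ("{}/{}", "{}{}", "{:>8}|{!r}", "{:{}}", "{name}={}"):
        print(repr(template), "->", repr(number_auto_fields(template)))
    # constructed sample values, not from the image in the thread
    print(format_process_column("launchd", 1))
```

If the interpreter turns out to be 2.6, the supported fix is to run Volatility 2.4 under Python 2.7 rather than patching every template in the plugin tree; the rewrite above is mainly useful to confirm the diagnosis on a single offending string.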