[Vol-users] Having issues with linux profile -- please help

Josh Horowitz joshh100 at gmail.com
Wed Sep 3 11:35:13 CDT 2014


Dear Vol-users:

First and foremost thanks to the creators of volatility for this amazing
tool.

I've been struggling to create a proper Linux profile to analyze a memory
dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump was
split into several files, which I combined using cat.

I don't have access to the physical machine, just some snapshot info, and
have been trying to gather all the information I need in order to create
the proper profile, as follows:

I grepped through /var/log/kern.log to find the kernel version that was
running and got this:

Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)

I also grepped through kern.log for the CPU and got:

CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I know
to utilize 64-bit architecture.


So to create the profile, I've installed a virtual machine running Ubuntu
12.04.3 x64 and the identical kernel version: 3.2.0-53-generic.  I have a
different processor on the virtual machine I'm using to build the
profile (Intel i5-4288U @ 2.60 GHz; perhaps this is part of the problem?).

I followed the instructions to a T on generating module.dwarf using the
included volatility toolset, copying the System.map file, zipping them
together, etc.

Running the required

python vol.py --info | grep Linux
Volatility Foundation Volatility Framework 2.4
Linux3_2_0-52-genericX_64x64    - A Profile for Linux 3.2.0-52-genericX_64 x64
Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64 x64
Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86

and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
3.2.0-53-generic)

Now, when I run the following with the -dd flag for debugging, I get the
output below (sorry for the length of the debug message):

python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from
LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found dwarf file System.map-3.2.0-53-generic with 573 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
Found system file System.map-3.2.0-53-generic with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from
BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from
LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from
LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
mac: need base
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
lime: need base
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64BitMap: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating
VMWareMetaAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating
VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
base Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base
Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x7fe1d90>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64BitMap: Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating
VMWareMetaAddressSpace: VMware metadata file is not available
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
Invalid magic found
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating
VirtualBoxCoreDumpElf64: ELF Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
Invalid VMware signature: 0xffffffff
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: ELF
Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating
WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.obj      : None object instantiated: Unable to
read_long_long_phys at 0xfffff8104eff0L
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
Failed valid Address Space check
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF Header
signature invalid
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must
be first Address Space
DEBUG   : volatility.utils    : Trying <class
'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG1  : volatility.obj      : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff070L
DEBUG1  : volatility.obj      : None object instantiated: Could not
read_long_phys at offset 0x3ffffffff040L
DEBUG1  : volatility.obj      : None object instantiated: No suggestions
available
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
Failed valid Address Space check
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 VMWareMetaAddressSpace: VMware metadata file is not available
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0xffffffff
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Failed valid Address Space check
 IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
selected
 IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: Failed valid Address Space check


The error must have something to do with the way that I'm generating the
profile (at least I think something is off), but I can't for the life of me
figure out what the problem is.  I truly appreciate any light that a vol
expert out there may be able to shed on what I need to do differently.  Thanks
very much.
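Added example, not code from the post above or from the Volatility project: a small Python script that performs the two checks a practitioner runs when a Volatility 2.x Linux profile loads but no address space can be instantiated. It opens the profile zip and reports what it actually contains (number of .dwarf and System.map members, how many symbols the System.map parsed to, and whether the symbol Volatility 2.x uses to derive the x86_64 kernel DTB, init_level4_pgt, is present; 32-bit kernels use swapper_pg_dir), and it scans the raw dump for the kernel's "Linux version ..." banner to confirm which kernel release the image really came from, independently of kern.log. The profile layout (one module.dwarf plus one System.map-<release> file), the MIN_SYMBOLS threshold, and every sample input are assumptions constructed for illustration.

```python
"""Sanity-check a Volatility 2.x Linux profile zip against a raw memory dump.

Added example; not code from the mailing-list post or from Volatility itself.
Assumed (hypothetical) layout: the profile zip holds one module.dwarf and one
System.map-<release> file; the dump is a raw physical image that still holds
the kernel's "Linux version ..." banner. All sample inputs below are constructed.
"""
import io
import re
import zipfile

# Symbol Volatility 2.x looks up in the System.map to derive the kernel DTB.
DTB_SYMBOL = {"64bit": "init_level4_pgt", "32bit": "swapper_pg_dir"}
MIN_SYMBOLS = 1000  # assumed floor; a real System.map has tens of thousands of entries
BANNER_RE = re.compile(rb"Linux version ([0-9][^\s\x00]*) \(")


def parse_system_map(text):
    """Parse 'address type name' lines into {name: address}; skip anything else."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            syms[parts[2]] = int(parts[0], 16)
        except ValueError:
            continue
    return syms


def inspect_profile(zip_bytes, memory_model="64bit"):
    """Summarise the zip members and whether the DTB symbol can be found."""
    rep = {"dwarf_files": [], "system_maps": [], "symbols": 0, "structs": 0,
           "dtb_address": None, "release": None}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", "replace")
            low = name.lower()
            if low.endswith(".dwarf"):
                rep["dwarf_files"].append(name)
                # module.dwarf is dwarfdump text; each struct is one DW_TAG_structure_type
                rep["structs"] += text.count("DW_TAG_structure_type")
            elif "system.map" in low:
                rep["system_maps"].append(name)
                syms = parse_system_map(text)
                rep["symbols"] += len(syms)
                rep["dtb_address"] = syms.get(DTB_SYMBOL[memory_model])
                m = re.search(r"System\.map-(.+)$", name)
                if m:
                    rep["release"] = m.group(1)
    return rep


def dump_kernel_releases(dump_bytes):
    """Kernel releases named in any 'Linux version ...' banner inside the dump."""
    return sorted({m.group(1).decode() for m in BANNER_RE.finditer(dump_bytes)})


def check_profile_against_dump(zip_bytes, dump_bytes, memory_model="64bit"):
    """Return (report, problems); an empty problem list means the profile looks sane."""
    rep = inspect_profile(zip_bytes, memory_model)
    problems = []
    if len(rep["dwarf_files"]) != 1:
        problems.append("expected exactly one .dwarf file, found %d" % len(rep["dwarf_files"]))
    if len(rep["system_maps"]) != 1:
        problems.append("expected exactly one System.map, found %d" % len(rep["system_maps"]))
    if rep["symbols"] < MIN_SYMBOLS:
        problems.append("System.map has only %d symbols" % rep["symbols"])
    if rep["dtb_address"] is None:
        problems.append("System.map lacks %s, so no DTB can be derived" % DTB_SYMBOL[memory_model])
    releases = dump_kernel_releases(dump_bytes)
    if not releases:
        problems.append("no 'Linux version' banner found in dump")
    elif rep["release"] and rep["release"] not in releases:
        problems.append("profile is for %s but dump banner says %s" % (rep["release"], ", ".join(releases)))
    return rep, problems


def build_sample_profile(release, with_dtb=True, n_filler=1500):
    """Constructed profile zip: a tiny dwarfdump-style file plus a synthetic System.map."""
    dwarf = "<1><0x2d>    DW_TAG_structure_type\n    DW_AT_name   \"task_struct\"\n" * 3
    lines = ["%016x t filler_%d" % (0xffffffff81000000 + 16 * i, i) for i in range(n_filler)]
    if with_dtb:
        lines.append("ffffffff81c0a000 D init_level4_pgt")  # constructed address
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module.dwarf", dwarf)
        zf.writestr("System.map-" + release, "\n".join(lines) + "\n")
    return buf.getvalue()


# Constructed stand-in for a raw dump: the banner quoted in the post, surrounded by junk bytes.
SAMPLE_DUMP = (b"\x00" * 64
               + b"Linux version 3.2.0-53-generic (buildd@allspice) (gcc version 4.6.3 "
               + b"(Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC 2013\x00"
               + b"\xff" * 64)

if __name__ == "__main__":
    for release, dtb in (("3.2.0-53-generic", True), ("3.2.0-52-generic", True), ("3.2.0-53-generic", False)):
        rep, problems = check_profile_against_dump(build_sample_profile(release, dtb), SAMPLE_DUMP)
        print(release, "dtb" if dtb else "no-dtb", "->", problems or "OK")
```

On a real case, replace build_sample_profile(...) with the bytes of the profile zip and SAMPLE_DUMP with the raw image read from disk; the banner scan needs only a plain read of the file, so it works even when no address space can be built. The symbol-count check exists because Volatility derives the DTB from the System.map, so a map that parses to very few symbols cannot yield a usable page directory whatever the dwarf file looks like.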