[Vol-users] Having issues with linux profile -- please help

Joe Sylve joe.sylve at gmail.com
Sun Sep 7 21:50:18 CDT 2014


"The dump was split into several files which I combined using cat."

That's your problem. You took all the System RAM ranges
and concatenated them in such a way that volatility has no idea what the
ranges were, so it's not going to work well for you. Try using LiME instead.
https://code.google.com/p/lime-forensics/

On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100 at gmail.com> wrote:

> Dear Vol-users:
>
> First and foremost thanks to the creators of volatility for this amazing
> tool.
>
> I've been struggling to create a proper linux profile to analyze a memory
> dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump was
> split into several files which I combined using cat.
>
> I don't have access to the physical machine just some snapshot info, and
> have been trying to gather all the information I need in order to create
> the proper profile as follows:
>
> I grepped through /var/log/kern.log to find the kernel version that was
> running and got this:
>
> Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
> (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
> 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
>
> I also grepped through kern.log for the CPU and got:
>
> CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
> know to utilize 64-bit architecture.
>
>
> So to create the profile, I've installed a virtual machine running Ubuntu
> 12.04.3 X64 and the identical kernel version: 3.2.0-53-generic.  I have a
> different processor core on the virtual machine I'm using to build the
> profile (Intel i5-4288U @ 2.60 GHz, perhaps this is part of the problem?)
>
> I followed the instructions to a T on generating module.dwarf using the
> included volatility toolset, copying the System.map file, zipping them
> together, etc.
>
> I ran the required command:
>
> python vol.py --info | grep Linux
> Volatility Foundation Volatility Framework 2.4
> Linux3_2_0-52-genericX_64x64    - A Profile for Linux 3.2.0-52-genericX_64 x64
> Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
> LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
> LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64 x64
> Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux kernel-3.2.0-52-generic x86
>
> and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
> 3.2.0-53-generic)
>
> Now when I run the following with the -dd flag for debug I get the following
> (Sorry for the length of the debug msg)
>
> python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd linux_pslist
> Volatility Foundation Volatility Framework 2.4
> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
> Found system file System.map-3.2.0-53-generic with 1 symbols
> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
> DEBUG   : volatility.obj      : Applying modification from BashTypes
> DEBUG   : volatility.obj      : Applying modification from
> BasicObjectClasses
> DEBUG   : volatility.obj      : Applying modification from
> ELF32Modification
> DEBUG   : volatility.obj      : Applying modification from
> ELF64Modification
> DEBUG   : volatility.obj      : Applying modification from ELFModification
> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> DEBUG   : volatility.obj      : Applying modification from LimeTypes
> DEBUG   : volatility.obj      : Applying modification from
> LinuxTruecryptModification
> DEBUG   : volatility.obj      : Applying modification from
> MachoModification
> DEBUG   : volatility.obj      : Applying modification from MachoTypes
> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> DEBUG   : volatility.obj      : Applying modification from
> VMwareVTypesModification
> DEBUG   : volatility.obj      : Applying modification from
> VirtualBoxModification
> DEBUG   : volatility.obj      : Applying modification from
> LinuxIntelOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
>
> DEBUG   : volatility.obj      : Applying modification from
> LinuxMountOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxObjectClasses
> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
> Found system file System.map-3.2.0-53-generic with 1 symbols
> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
> DEBUG   : volatility.obj      : Applying modification from BashTypes
> DEBUG   : volatility.obj      : Applying modification from
> BasicObjectClasses
> DEBUG   : volatility.obj      : Applying modification from
> ELF32Modification
> DEBUG   : volatility.obj      : Applying modification from
> ELF64Modification
> DEBUG   : volatility.obj      : Applying modification from ELFModification
> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
> DEBUG   : volatility.obj      : Applying modification from LimeTypes
> DEBUG   : volatility.obj      : Applying modification from
> LinuxTruecryptModification
> DEBUG   : volatility.obj      : Applying modification from
> MachoModification
> DEBUG   : volatility.obj      : Applying modification from MachoTypes
> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
> DEBUG   : volatility.obj      : Applying modification from
> VMwareVTypesModification
> DEBUG   : volatility.obj      : Applying modification from
> VirtualBoxModification
> DEBUG   : volatility.obj      : Applying modification from
> LinuxIntelOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxKmemCacheOverlay
> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
> cache_chain not found in module kernel
>
> DEBUG   : volatility.obj      : Applying modification from
> LinuxMountOverlay
> DEBUG   : volatility.obj      : Applying modification from
> LinuxObjectClasses
> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
> Offset             Name                 Pid             Uid             Gid    DTB                Start Time
> ------------------ -------------------- --------------- --------------- ------ ------------------ ----------
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
> mac: need base
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
> lime: need base
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsHiberFileSpace32: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64BitMap: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VMWareMetaAddressSpace: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VirtualBoxCoreDumpElf64: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
> No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace32: No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
> No base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
> base Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base
> Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG   : volatility.utils    : Succeeded instantiating
> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
> 0x7fe1d90>
> DEBUG   : volatility.utils    : Voting round
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
> MachO Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
> Invalid Lime header signature
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64BitMap: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VMWareMetaAddressSpace: VMware metadata file is not available
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace64: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
> Invalid magic found
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
> DEBUG1  : volatility.utils    : Failed instantiating
> VirtualBoxCoreDumpElf64: ELF Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
> Invalid VMware signature: 0xffffffff
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: ELF
> Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
> DEBUG1  : volatility.utils    : Failed instantiating
> WindowsCrashDumpSpace32: Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
> DEBUG1  : volatility.obj      : None object instantiated: Unable to
> read_long_long_phys at 0xfffff8104eff0L
> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
> Failed valid Address Space check
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF
> Header signature invalid
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
> Must be first Address Space
> DEBUG   : volatility.utils    : Trying <class
> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> DEBUG1  : volatility.obj      : None object instantiated: Could not
> read_long_phys at offset 0x3ffffffff070L
> DEBUG1  : volatility.obj      : None object instantiated: Could not
> read_long_phys at offset 0x3ffffffff040L
> DEBUG1  : volatility.obj      : None object instantiated: No suggestions
> available
> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
> Failed valid Address Space check
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64BitMap: No base Address Space
>  VMWareMetaAddressSpace: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareAddressSpace: No base Address Space
>  QemuCoreDumpElf: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  IA32PagedMemoryPae: No base Address Space
>  IA32PagedMemory: No base Address Space
>  OSXPmemELF: No base Address Space
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>  VMWareMetaAddressSpace: VMware metadata file is not available
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>  VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>  QemuCoreDumpElf: ELF Header signature invalid
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Failed valid Address Space check
>  IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>  IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>  OSXPmemELF: ELF Header signature invalid
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace: Failed valid Address Space check
>
>
> The error must have something to do with the way that I'm generating the
> profile (at least I think something is off), but I can't for the life of me
> figure out what the problem is.  I truly appreciate any light that a vol
> expert out there may be able to shed on what I need to do differently.  Thanks
> very much.
>
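Why Joe's advice matters, as an added illustration that is not part of the original thread: LiME prefixes every captured System RAM range with a 32-byte header recording the range's start and end physical address, so a tool can map a physical address back to a file offset and knows where the holes (MMIO, reserved regions) are; a set of per-range files joined with cat keeps the bytes but throws that layout away. The header layout and magic follow LiME format version 1; the sample image and the two-range memory map are constructed here purely for demonstration.

```python
import struct

LIME_MAGIC = 0x4C694D45              # reads as the bytes "EMiL" in the file
LIME_HDR = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved

def is_lime(image: bytes) -> bool:
    """True if the image starts with a valid LiME v1 range header."""
    if len(image) < LIME_HDR.size:
        return False
    magic, version = LIME_HDR.unpack_from(image, 0)[:2]
    return magic == LIME_MAGIC and version == 1

def lime_ranges(image: bytes):
    """Walk a LiME image; return [(s_addr, e_addr, file offset of the range data)]."""
    ranges, off = [], 0
    while off + LIME_HDR.size <= len(image):
        magic, version, s_addr, e_addr, _ = LIME_HDR.unpack_from(image, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError("Invalid Lime header signature at offset 0x%x" % off)
        data_off = off + LIME_HDR.size
        ranges.append((s_addr, e_addr, data_off))
        off = data_off + (e_addr - s_addr + 1)   # e_addr is inclusive
    return ranges

def phys_to_offset(ranges, paddr):
    """Physical address -> file offset, or None if it falls in a hole."""
    for s_addr, e_addr, data_off in ranges:
        if s_addr <= paddr <= e_addr:
            return data_off + (paddr - s_addr)
    return None

def build_lime(chunks):
    """Construct a LiME image from [(s_addr, payload)] (sample data only)."""
    out = b""
    for s_addr, data in chunks:
        out += LIME_HDR.pack(LIME_MAGIC, 1, s_addr, s_addr + len(data) - 1, b"\0" * 8)
        out += data
    return out

# Constructed memory map: 4 KiB of low RAM, a hole, then 4 KiB starting at 1 MiB.
LOW, HIGH = bytes([0x11]) * 0x1000, bytes([0x22]) * 0x1000
SAMPLE = build_lime([(0x0, LOW), (0x100000, HIGH)])
CAT_ONLY = LOW + HIGH      # what "cat range1 range2 > memdump.dd" produces

def byte_at(paddr):
    """Read one byte at a physical address via the LiME range table."""
    off = phys_to_offset(lime_ranges(SAMPLE), paddr)
    return None if off is None else SAMPLE[off]

def cat_byte_at(paddr):
    """Same read against the cat'd dump: with no range table the address can
    only be used as a raw file offset, which is wrong for anything past the hole."""
    return CAT_ONLY[paddr] if paddr < len(CAT_ONLY) else None
```

In the concatenated dump a read at physical 0x1000 silently returns data that really lived at 0x100000, and every address above the hole is "beyond end of file", which is exactly why Volatility's address-space voting above fails the AMD64PagedMemory check.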