[Vol-users] Having issues with linux profile -- please help

Josh Horowitz joshh100 at gmail.com
Sun Sep 7 22:00:22 CDT 2014


Hi Joe:

Thanks very much for your response.  Unfortunately I don't have the option
to use LIME to go back and capture the memory again.  What I have are
several .dd files that were created using fmem, e.g., dump00.dd, dump01.dd,
and so on.

I used cat to combine all the .dd files into one, which now makes sense as
having been foolish.  Although I did also try the profile against the
individual .dd files with the same result.

I'll go back and do it again to see what happens.  In the meantime any
other suggestions would be truly appreciated.

On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve at gmail.com> wrote:

> "The dump was split into several files which I combined using cat."
>
> That's your problem.  You took all the System RAM ranges
> and concatenated them in such a way that volatility has no idea what the
> ranges were so it's not going to work well for you. Try using LiME instead.
> https://code.google.com/p/lime-forensics/
>
> On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100 at gmail.com> wrote:
>
>> Dear Vol-users:
>>
>> First and foremost thanks to the creators of volatility for this amazing
>> tool.
>>
>> I've been struggling to create a proper linux profile to analyze a memory
>> dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump was
>> split into several files which I combined using cat.
>>
>> I don't have access to the physical machine just some snapshot info, and
>> have been trying to gather all the information I need in order to create
>> the proper profile as follows:
>>
>> I grepped through /var/log/kern.log to find the kernel version that was
>> running and got this:
>>
>> Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
>> (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
>> 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
>>
>> I also grepped through kern.log for the CPU and got:
>>
>> CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
>> know to utilize 64-bit architecture.
>>
>>
>> So to create the profile, I've installed a virtual machine running Ubuntu
>> 12.04.3X64 and the identical kernel version: 3.2.0-53-generic.  I have a
>> different processor core on the virtual machine I'm using to build the
>> profile (Intel i5-4288U @ 2.60 GHz, perhaps this is part of the problem?)
>>
>> I followed the instructions to a T on generating modules.dwarf using the
>> included volatility toolset, copying the Systems.map file, zipping them
>> together, etc.
>>
>> Running the required
>>
>> python vol.py --info | grep Linux
>> Volatility Foundation Volatility Framework 2.4
>> Linux3_2_0-52-genericX_64x64    - A Profile for Linux
>> 3.2.0-52-genericX_64 x64
>> Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
>> LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
>> LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64
>> x64
>> Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
>> kernel-3.2.0-52-generic x86
>>
>> and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
>> 3.2.0-53-generic)
>>
>> Now when I run the following with -dd flag for debug I get the following
>> (Sorry for length of debug msg)
>>
>>  python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
>> linux_pslist
>> Volatility Foundation Volatility Framework 2.4
>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>> Found system file System.map-3.2.0-53-generic with 1 symbols
>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> BasicObjectClasses
>> DEBUG   : volatility.obj      : Applying modification from
>> ELF32Modification
>> DEBUG   : volatility.obj      : Applying modification from
>> ELF64Modification
>> DEBUG   : volatility.obj      : Applying modification from ELFModification
>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxTruecryptModification
>> DEBUG   : volatility.obj      : Applying modification from
>> MachoModification
>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> VMwareVTypesModification
>> DEBUG   : volatility.obj      : Applying modification from
>> VirtualBoxModification
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxIntelOverlay
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxKmemCacheOverlay
>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>> cache_chain not found in module kernel
>>
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxMountOverlay
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxObjectClasses
>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>> Found system file System.map-3.2.0-53-generic with 1 symbols
>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> BasicObjectClasses
>> DEBUG   : volatility.obj      : Applying modification from
>> ELF32Modification
>> DEBUG   : volatility.obj      : Applying modification from
>> ELF64Modification
>> DEBUG   : volatility.obj      : Applying modification from ELFModification
>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxTruecryptModification
>> DEBUG   : volatility.obj      : Applying modification from
>> MachoModification
>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
>> DEBUG   : volatility.obj      : Applying modification from
>> VMwareVTypesModification
>> DEBUG   : volatility.obj      : Applying modification from
>> VirtualBoxModification
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxIntelOverlay
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxKmemCacheOverlay
>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>> cache_chain not found in module kernel
>>
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxMountOverlay
>> DEBUG   : volatility.obj      : Applying modification from
>> LinuxObjectClasses
>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>> Offset             Name                 Pid             Uid
>> Gid    DTB                Start Time
>> ------------------ -------------------- --------------- ---------------
>> ------ ------------------ ----------
>> DEBUG   : volatility.utils    : Voting round
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>> mac: need base
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>> lime: need base
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsHiberFileSpace32: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace64BitMap: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> VMWareMetaAddressSpace: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace64: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No
>> base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> VirtualBoxCoreDumpElf64: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
>> No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No
>> base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace32: No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No
>> base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
>> No base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
>> base Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base
>> Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>> DEBUG   : volatility.utils    : Succeeded instantiating
>> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
>> 0x7fe1d90>
>> DEBUG   : volatility.utils    : Voting round
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>> MachO Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>> Invalid Lime header signature
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace64BitMap: Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> VMWareMetaAddressSpace: VMware metadata file is not available
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace64: Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>> Invalid magic found
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> VirtualBoxCoreDumpElf64: ELF Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
>> Invalid VMware signature: 0xffffffff
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: ELF
>> Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>> DEBUG1  : volatility.utils    : Failed instantiating
>> WindowsCrashDumpSpace32: Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>> DEBUG1  : volatility.obj      : None object instantiated: Unable to
>> read_long_long_phys at 0xfffff8104eff0L
>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>> Failed valid Address Space check
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF
>> Header signature invalid
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
>> Must be first Address Space
>> DEBUG   : volatility.utils    : Trying <class
>> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>> read_long_phys at offset 0x3ffffffff070L
>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>> read_long_phys at offset 0x3ffffffff040L
>> DEBUG1  : volatility.obj      : None object instantiated: No suggestions
>> available
>> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
>> Failed valid Address Space check
>> No suitable address space mapping found
>> Tried to open image as:
>>  MachOAddressSpace: mac: need base
>>  LimeAddressSpace: lime: need base
>>  WindowsHiberFileSpace32: No base Address Space
>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>  VMWareMetaAddressSpace: No base Address Space
>>  WindowsCrashDumpSpace64: No base Address Space
>>  HPAKAddressSpace: No base Address Space
>>  VirtualBoxCoreDumpElf64: No base Address Space
>>  VMWareAddressSpace: No base Address Space
>>  QemuCoreDumpElf: No base Address Space
>>  WindowsCrashDumpSpace32: No base Address Space
>>  AMD64PagedMemory: No base Address Space
>>  IA32PagedMemoryPae: No base Address Space
>>  IA32PagedMemory: No base Address Space
>>  OSXPmemELF: No base Address Space
>>  MachOAddressSpace: MachO Header signature invalid
>>  LimeAddressSpace: Invalid Lime header signature
>>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>>  VMWareMetaAddressSpace: VMware metadata file is not available
>>  WindowsCrashDumpSpace64: Header signature invalid
>>  HPAKAddressSpace: Invalid magic found
>>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>  VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>  QemuCoreDumpElf: ELF Header signature invalid
>>  WindowsCrashDumpSpace32: Header signature invalid
>>  AMD64PagedMemory: Failed valid Address Space check
>>  IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>> selected
>>  IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>  OSXPmemELF: ELF Header signature invalid
>>  FileAddressSpace: Must be first Address Space
>>  ArmAddressSpace: Failed valid Address Space check
>>
>>
>> The error must have something to do with the way that I'm generating the
>> profile (at least I think something is off) but I can't for the life of me
>> figure out what the problem is.  I truly appreciate any light that a vol
>> expert out there may be able to shed on what I need to do differently.  Thanks
>> very much.
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>
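The layout problem Joe describes above (concatenating the System RAM ranges with `cat` discards where each range sat in physical memory), as an added example that is not part of the thread and is not Volatility or fmem code. It assumes the acquisition produced one raw file per "System RAM" line of the target's `/proc/iomem` and that that listing was saved alongside the dumps; the iomem text, the dump pieces and the helper names below are all constructed for illustration. It rebuilds a padded raw image in which file offset equals physical address, which is the layout a flat-file address space expects, and shows exactly how far a plain `cat` shifts every range after the first hole.

```python
# Added example: not from the thread, not Volatility or fmem code.
# Assumes one raw dump piece per "System RAM" range of /proc/iomem and a saved
# copy of that iomem listing.  All data below is constructed and toy-sized.
import re
from typing import List, Tuple

# Matches only the RAM lines; holes (reserved, ROM, PCI, MMIO) are skipped.
IOMEM_RE = re.compile(r"^\s*([0-9a-f]+)-([0-9a-f]+)\s*:\s*System RAM\s*$", re.I)

# Constructed iomem listing: three RAM ranges separated by two holes.
SAMPLE_IOMEM = """\
00000000-00000fff : System RAM
00001000-00001fff : reserved
00002000-00003fff : System RAM
  00002000-000020ff : Kernel code
00004000-00004fff : PCI Bus 0000:00
00005000-00005fff : System RAM
"""


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return (start, end) for every 'System RAM' line, end inclusive, sorted."""
    ranges = []
    for line in iomem_text.splitlines():
        m = IOMEM_RE.match(line)
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return sorted(ranges)


def build_padded_image(ranges, pieces) -> bytes:
    """Place each piece at its physical start and zero-fill the holes, so that
    file offset == physical address (the layout a raw/flat-file reader expects)."""
    if len(ranges) != len(pieces):
        raise ValueError("need exactly one dump piece per System RAM range")
    out = bytearray()
    for (start, end), data in zip(ranges, pieces):
        if len(data) != end - start + 1:
            raise ValueError(f"piece for {start:#x}-{end:#x} has wrong size {len(data)}")
        if start < len(out):
            raise ValueError("overlapping ranges")
        out.extend(b"\x00" * (start - len(out)))  # the hole between ranges
        out.extend(data)
    return bytes(out)


def concatenate(pieces) -> bytes:
    """What `cat dump00.dd dump01.dd ... > memdump.dd` does: the holes vanish."""
    return b"".join(pieces)


def cat_offset_for_phys(ranges, phys: int) -> int:
    """File offset that physical address `phys` lands on in the cat'ed file,
    or -1 if it sits in a hole.  Every range after the first hole is shifted
    down by the cumulative size of the holes before it."""
    offset = 0
    for start, end in ranges:
        if start <= phys <= end:
            return offset + (phys - start)
        offset += end - start + 1
    return -1


def demo() -> dict:
    ranges = parse_system_ram(SAMPLE_IOMEM)
    # Constructed pieces: each RAM range filled with its own marker byte.
    pieces = [bytes([0x11 + i]) * (end - start + 1)
              for i, (start, end) in enumerate(ranges)]
    padded = build_padded_image(ranges, pieces)
    catted = concatenate(pieces)
    phys = 0x3000  # a byte in the middle of the second RAM range
    return {
        "ranges": ranges,
        "padded_size": len(padded),
        "cat_size": len(catted),
        "byte_at_phys_in_padded": padded[phys],
        "byte_at_same_offset_in_cat": catted[phys],
        "cat_offset_of_phys": cat_offset_for_phys(ranges, phys),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the padded image the byte at physical 0x3000 belongs to the second range, as it did on the live machine; in the cat'ed file the same offset already holds data from the third range, because the 0x1000-byte hole at 0x1000 was dropped and everything behind it slid down. Page-table walks depend on physical addresses being where the hardware put them, so an address space that reads the cat'ed file as flat memory fails its validity check exactly as the debug log in the original post shows. One practical caveat: on recent kernels an unprivileged read of `/proc/iomem` shows zeroed addresses, so the listing has to be captured as root at acquisition time.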

