[Vol-users] Having issues with linux profile -- please help

Joe Sylve joe.sylve at gmail.com
Sun Sep 7 22:03:01 CDT 2014


Do you know the original physical memory ranges?  Can you cat /proc/iomem
on the source system (they shouldn't have changed)?  If so you can create a
padded memory image by concatenating the memory images you have and filling
in the gaps in the physical memory ranges with 0s.

On Sun, Sep 7, 2014 at 10:00 PM, Josh Horowitz <joshh100 at gmail.com> wrote:

> Hi Joe:
>
> Thanks very much for your response.  Unfortunately I don't have the option
> to use LIME to go back and capture the memory again.  What I have are
> several .dd files that were created using fmem, e.g., dump00.dd, dump01.dd,
> and so on.
>
> I used cat to combine all the .dd files into one, which now makes sense as
> having been foolish.  Although I did also try the profile against the
> individual .dd files with the same result.
>
> I'll go back and do it again to see what happens.  In the meantime any
> other suggestions would be truly appreciated.
>
> On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve at gmail.com> wrote:
>
>> "The dump was split into several files which I combined using cat."
>>
>> That's your problem.  You took all the System RAM ranges
>> and concatenated them in such a way that volatility has no idea what the
>> ranges were so it's not going to work well for you. Try using LiME instead.
>> https://code.google.com/p/lime-forensics/
>>
>> On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100 at gmail.com>
>> wrote:
>>
>>> Dear Vol-users:
>>>
>>> First and foremost thanks to the creators of volatility for this amazing
>>> tool.
>>>
>>> I've been struggling to create a proper linux profile to analyze a
>>> memory dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump
>>> was split into several files which I combined using cat.
>>>
>>> I don't have access to the physical machine just some snapshot info, and
>>> have been trying to gather all the information I need in order to create
>>> the proper profile as follows:
>>>
>>> I grepped through /var/log/kern.log to find the kernel version that was
>>> running and got this:
>>>
>>> Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
>>> (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
>>> 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
>>>
>>> Also grepped through kern.log for CPU and got:
>>>
>>> CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
>>> know to utilize 64-bit architecture.
>>>
>>>
>>> So to create the profile, I've installed a virtual machine running
>>> Ubuntu 12.04.3X64 and the identical kernel version: 3.2.0-53-generic.  I
>>> have a different processor core on the virtual machine I'm using to build
>>> the profile (Intel i5-4288U @ 2.60 GHz, perhaps this is part of the
>>> problem?)
>>>
>>> I followed the instructions to a T on generating modules.dwarf using the
>>> included volatility toolset, copying the System.map file, zipping them
>>> together, etc.
>>>
>>> Ran the required
>>>
>>> python vol.py --info | grep Linux
>>> Volatility Foundation Volatility Framework 2.4
>>> Linux3_2_0-52-genericX_64x64    - A Profile for Linux
>>> 3.2.0-52-genericX_64 x64
>>> Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
>>> LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
>>> LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux Ubuntu_12_04_3_X64
>>> x64
>>> Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
>>> kernel-3.2.0-52-generic x86
>>>
>>> and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
>>> 3.2.0-53-generic)
>>>
>>> Now when I run the following with -dd flag for debug I get the following
>>> (Sorry for length of debug msg)
>>>
>>>  python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
>>> linux_pslist
>>> Volatility Foundation Volatility Framework 2.4
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> BasicObjectClasses
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELF32Modification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELF64Modification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELFModification
>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxTruecryptModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> MachoModification
>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> VMwareVTypesModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> VirtualBoxModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxIntelOverlay
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxKmemCacheOverlay
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>> cache_chain not found in module kernel
>>>
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxMountOverlay
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxObjectClasses
>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> BasicObjectClasses
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELF32Modification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELF64Modification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> ELFModification
>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxTruecryptModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> MachoModification
>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>> DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
>>> DEBUG   : volatility.obj      : Applying modification from
>>> VMwareVTypesModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> VirtualBoxModification
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxIntelOverlay
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxKmemCacheOverlay
>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>> cache_chain not found in module kernel
>>>
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxMountOverlay
>>> DEBUG   : volatility.obj      : Applying modification from
>>> LinuxObjectClasses
>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>> Offset             Name                 Pid             Uid
>>> Gid    DTB                Start Time
>>> ------------------ -------------------- --------------- ---------------
>>> ------ ------------------ ----------
>>> DEBUG   : volatility.utils    : Voting round
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>>> mac: need base
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>> lime: need base
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsHiberFileSpace32: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace64BitMap: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> VMWareMetaAddressSpace: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace64: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>> No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> VirtualBoxCoreDumpElf64: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
>>> No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf: No
>>> base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace32: No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>> No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
>>> No base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No
>>> base Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No base
>>> Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>> DEBUG   : volatility.utils    : Succeeded instantiating
>>> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
>>> 0x7fe1d90>
>>> DEBUG   : volatility.utils    : Voting round
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>>> MachO Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>> Invalid Lime header signature
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace64BitMap: Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> VMWareMetaAddressSpace: VMware metadata file is not available
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace64: Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>> Invalid magic found
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating VMWareAddressSpace:
>>> Invalid VMware signature: 0xffffffff
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf:
>>> ELF Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>> DEBUG1  : volatility.utils    : Failed instantiating
>>> WindowsCrashDumpSpace32: Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>> DEBUG1  : volatility.obj      : None object instantiated: Unable to
>>> read_long_long_phys at 0xfffff8104eff0L
>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>> Failed valid Address Space check
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae:
>>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF
>>> Header signature invalid
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
>>> Must be first Address Space
>>> DEBUG   : volatility.utils    : Trying <class
>>> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>> read_long_phys at offset 0x3ffffffff070L
>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>> read_long_phys at offset 0x3ffffffff040L
>>> DEBUG1  : volatility.obj      : None object instantiated: No suggestions
>>> available
>>> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
>>> Failed valid Address Space check
>>> No suitable address space mapping found
>>> Tried to open image as:
>>>  MachOAddressSpace: mac: need base
>>>  LimeAddressSpace: lime: need base
>>>  WindowsHiberFileSpace32: No base Address Space
>>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>>  VMWareMetaAddressSpace: No base Address Space
>>>  WindowsCrashDumpSpace64: No base Address Space
>>>  HPAKAddressSpace: No base Address Space
>>>  VirtualBoxCoreDumpElf64: No base Address Space
>>>  VMWareAddressSpace: No base Address Space
>>>  QemuCoreDumpElf: No base Address Space
>>>  WindowsCrashDumpSpace32: No base Address Space
>>>  AMD64PagedMemory: No base Address Space
>>>  IA32PagedMemoryPae: No base Address Space
>>>  IA32PagedMemory: No base Address Space
>>>  OSXPmemELF: No base Address Space
>>>  MachOAddressSpace: MachO Header signature invalid
>>>  LimeAddressSpace: Invalid Lime header signature
>>>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>  VMWareMetaAddressSpace: VMware metadata file is not available
>>>  WindowsCrashDumpSpace64: Header signature invalid
>>>  HPAKAddressSpace: Invalid magic found
>>>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>  VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>>  QemuCoreDumpElf: ELF Header signature invalid
>>>  WindowsCrashDumpSpace32: Header signature invalid
>>>  AMD64PagedMemory: Failed valid Address Space check
>>>  IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>> selected
>>>  IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>> selected
>>>  OSXPmemELF: ELF Header signature invalid
>>>  FileAddressSpace: Must be first Address Space
>>>  ArmAddressSpace: Failed valid Address Space check
>>>
>>>
>>> The error must have something to do with the way that I'm generating the
>>> profile (at least I think something is off) but I can't for the life of me
>>> figure out what the problem is.  I truly appreciate any light that a vol
>>> expert out there may be able to shed on what I need to do differently.  Thanks
>>> very much.
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>
>
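Joe's padding suggestion, as an added worked example that is not code from this thread or from the Volatility project: it parses /proc/iomem output for the top-level "System RAM" ranges, then lays each per-range dump file out at its physical start offset, leaving the holes between ranges zero-filled. It assumes one dump file per System RAM range, in /proc/iomem order (the thread's dump00.dd, dump01.dd, ...); the iomem text and the dump contents below are constructed, and `build_padded_image` / `parse_system_ram` are names chosen here.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Sequence, Tuple

# Constructed /proc/iomem excerpt (not from the thread). Indented lines are
# children of the range above them (kernel code/data inside System RAM) and
# must not be treated as separate RAM ranges.
SAMPLE_IOMEM = """\
00000000-00000fff : reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : reserved
00100000-3fffdfff : System RAM
  01000000-0163c0a4 : Kernel code
  0163c0a5-01a5f63f : Kernel data
3fffe000-3fffffff : reserved
fffc0000-ffffffff : reserved
100000000-13fffffff : System RAM
"""

IOMEM_LINE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return (start, end) pairs, end inclusive, for each top-level 'System RAM' line."""
    ranges = []
    for line in iomem_text.splitlines():
        if line.startswith(" "):          # indented: sub-range of the previous line
            continue
        m = IOMEM_LINE.match(line)
        if m and m.group(3) == "System RAM":
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return ranges


def build_padded_image(ranges: Sequence[Tuple[int, int]], dumps: Sequence[Path],
                       out_path: Path, chunk: int = 1 << 20) -> int:
    """Write a flat physical image: dump i lands at ranges[i][0]; gaps are zeros.

    Gaps are produced by seeking past the current end of file, so on a
    filesystem that supports sparse files the holes cost no disk space.
    Returns the image size in bytes (last range end + 1).
    """
    if len(ranges) != len(dumps):
        raise ValueError("need exactly one dump file per System RAM range")
    written = 0
    with open(out_path, "wb") as out:
        for (start, end), dump in zip(ranges, dumps):
            if start < written:
                raise ValueError(f"range {start:#x}-{end:#x} overlaps or is out of order")
            expected = end - start + 1
            actual = Path(dump).stat().st_size
            if actual != expected:
                # A short or long dump would shift every later range; refuse it.
                raise ValueError(f"{dump}: size {actual} != range length {expected}")
            out.seek(start)               # zero-filled hole up to this range
            with open(dump, "rb") as f:
                for block in iter(lambda: f.read(chunk), b""):
                    out.write(block)
            written = end + 1
    return written


def demo() -> dict:
    """Run the procedure on constructed dumps in a temp dir; return what was checked."""
    iomem = (
        "00000000-00000fff : reserved\n"
        "00001000-00001fff : System RAM\n"
        "00002000-00002fff : PCI Bus 0000:00\n"
        "00003000-00004fff : System RAM\n"
    )
    ranges = parse_system_ram(iomem)
    with tempfile.TemporaryDirectory() as td:
        d = Path(td)
        dumps = [d / "dump00.dd", d / "dump01.dd"]
        dumps[0].write_bytes(b"\xaa" * 0x1000)   # constructed stand-ins for fmem dumps
        dumps[1].write_bytes(b"\xbb" * 0x2000)
        written = build_padded_image(ranges, dumps, d / "padded.dd")
        image = (d / "padded.dd").read_bytes()
        # A truncated dump must be rejected instead of silently shifting later ranges.
        (d / "short.dd").write_bytes(b"\xaa" * 0x800)
        try:
            build_padded_image(ranges, [d / "short.dd", dumps[1]], d / "bad.dd")
            rejected = False
        except ValueError:
            rejected = True
    return {"ranges": ranges, "written": written, "image": image,
            "rejected_short_dump": rejected}


if __name__ == "__main__":
    print(parse_system_ram(SAMPLE_IOMEM))
    print({k: v for k, v in demo().items() if k != "image"})
```

Volatility treats a raw .dd file as a flat physical address space, with file offset equal to physical address, so the zero-filled holes are what put the kernel's page tables at the offsets the AMD64 address space expects; a plain `cat` shifts everything above the first hole down, which is consistent with the "Failed valid Address Space check" in the debug output above. The size check matters for the same reason: a dump that does not match its range length would shift every later range. One caveat when collecting the ranges: on kernels from 4.6 onward, /proc/iomem shows all addresses as zeros unless read as root.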