[Vol-users] Having issues with linux profile -- please help

Josh Horowitz joshh100 at gmail.com
Sun Sep 7 22:14:44 CDT 2014


Unfortunately not, I just have a snapshot of the machine and /proc is
empty.  I have access to the logs from /var/log, is there any information I
can use from there to construct the proper profile?

Or any other suggestions perhaps?  I'm thinking of finding the exact system
build and model number, perhaps somewhere in the user manual or specs I can
find the required info?

And then once I do, still not entirely sure what needs to be done with it..


On Sun, Sep 7, 2014 at 11:03 PM, Joe Sylve <joe.sylve at gmail.com> wrote:

> Do you know the original physical memory ranges?  Can you cat /proc/iomem
> on the source system (they shouldn't have changed).  If so you can create a
> padded memory image by concatenating the memory images you have and filling
> in the gaps in the physical memory ranges with 0s.
>
> On Sun, Sep 7, 2014 at 10:00 PM, Josh Horowitz <joshh100 at gmail.com> wrote:
>
>> Hi Joe:
>>
>> Thanks very much for your response.  Unfortunately I don't have the
>> option to use LIME to go back and capture the memory again.  What I have
>> are several .dd files that were created using fmem, e.g., dump00.dd,
>> dump01.dd, and so on.
>>
>> I used cat to combine all the .dd files into one, which now makes sense
>> as having been foolish.  Although I did also try the profile against the
>> individual .dd files with the same result.
>>
>> I'll go back and do it again to see what happens..  In the mean time any
>> other suggestions would be truly appreciated.
>>
>> On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve at gmail.com> wrote:
>>
>>> "The dump was split into several files which I combined using cat."
>>>
>>> That's your problem.  You took all the System RAM ranges
>>> and concatenated them in such a way that volatility has no idea what the
>>> ranges were so it's not going to work well for you. Try using LiME instead.
>>> https://code.google.com/p/lime-forensics/
>>>
>>> On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100 at gmail.com>
>>> wrote:
>>>
>>>> Dear Vol-users:
>>>>
>>>> First and foremost thanks to the creators of volatility for this
>>>> amazing tool.
>>>>
>>>> I've been struggling to create a proper linux profile to analyze a
>>>> memory dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump
>>>> was split into several files which I combined using cat.
>>>>
>>>> I don't have access to the physical machine just some snapshot info,
>>>> and have been trying to gather all the information I need in order to
>>>> create the proper profile as follows:
>>>>
>>>> I grepped through /var/log/kern.log to find the kernel version that was
>>>> running and got this:
>>>>
>>>> Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
>>>> (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
>>>> 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
>>>>
>>>> Also grep through kern.log for CPU and get:
>>>>
>>>> CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
>>>> know to utilize 64-bit architecture.
>>>>
>>>>
>>>> So to create the profile, I've installed a virtual machine running
>>>> Ubuntu 12.04.3X64 and the identical kernel version: 3.2.0-53-generic.  I
>>>> have a different processor core on the virtual machine Im using to build
>>>> the profile (Intel i5-4288U @ 2.60 GHZ, perhaps this is part of the
>>>> problem?)
>>>>
>>>> I followed the instructions to a T on generating modules.dwarf using
>>>> the included volatility toolset, copying the Systems.map file, zipping them
>>>> together, etc.
>>>>
>>>> Run the required
>>>>
>>>> python vol.py --info | grep Linux
>>>> Volatility Foundation Volatility Framework 2.4
>>>> Linux3_2_0-52-genericX_64x64    - A Profile for Linux
>>>> 3.2.0-52-genericX_64 x64
>>>> Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
>>>> LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
>>>> LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux
>>>> Ubuntu_12_04_3_X64 x64
>>>> Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
>>>> kernel-3.2.0-52-generic x86
>>>>
>>>> and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
>>>> 3.2.0-53-generic)
>>>>
>>>> Now when I run the following with -dd flag for debug I get the
>>>> following (Sorry for length of debug msg)
>>>>
>>>>  python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
>>>> linux_pslist
>>>> Volatility Foundation Volatility Framework 2.4
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> BasicObjectClasses
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELF32Modification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELF64Modification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELFModification
>>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxTruecryptModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> MachoModification
>>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> MbrObjectTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> VMwareVTypesModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> VirtualBoxModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxIntelOverlay
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxKmemCacheOverlay
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>>> cache_chain not found in module kernel
>>>>
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxMountOverlay
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxObjectClasses
>>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>>> DEBUG   : volatility.obj      : Applying modification from BashHashTypes
>>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> BasicObjectClasses
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELF32Modification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELF64Modification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> ELFModification
>>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxTruecryptModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> MachoModification
>>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> MbrObjectTypes
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> VMwareVTypesModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> VirtualBoxModification
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxIntelOverlay
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxKmemCacheOverlay
>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>>> cache_chain not found in module kernel
>>>>
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxMountOverlay
>>>> DEBUG   : volatility.obj      : Applying modification from
>>>> LinuxObjectClasses
>>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>>> Offset             Name                 Pid             Uid
>>>> Gid    DTB                Start Time
>>>> ------------------ -------------------- --------------- ---------------
>>>> ------ ------------------ ----------
>>>> DEBUG   : volatility.utils    : Voting round
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>>>> mac: need base
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>>> lime: need base
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsHiberFileSpace32: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace64BitMap: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VMWareMetaAddressSpace: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace64: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>>> No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VirtualBoxCoreDumpElf64: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VMWareAddressSpace: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf:
>>>> No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace32: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>>> No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> IA32PagedMemoryPae: No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>>>> No base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No
>>>> base Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>>> DEBUG   : volatility.utils    : Succeeded instantiating
>>>> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
>>>> 0x7fe1d90>
>>>> DEBUG   : volatility.utils    : Voting round
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace:
>>>> MachO Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>>> Invalid Lime header signature
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VMWareMetaAddressSpace: VMware metadata file is not available
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace64: Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>>> Invalid magic found
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf:
>>>> ELF Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> WindowsCrashDumpSpace32: Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>>> DEBUG1  : volatility.obj      : None object instantiated: Unable to
>>>> read_long_long_phys at 0xfffff8104eff0L
>>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>>> Failed valid Address Space check
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>> IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>>>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF
>>>> Header signature invalid
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>>> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
>>>> Must be first Address Space
>>>> DEBUG   : volatility.utils    : Trying <class
>>>> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
>>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>>> read_long_phys at offset 0x3ffffffff070L
>>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>>> read_long_phys at offset 0x3ffffffff040L
>>>> DEBUG1  : volatility.obj      : None object instantiated: No
>>>> suggestions available
>>>> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
>>>> Failed valid Address Space check
>>>> No suitable address space mapping found
>>>> Tried to open image as:
>>>>  MachOAddressSpace: mac: need base
>>>>  LimeAddressSpace: lime: need base
>>>>  WindowsHiberFileSpace32: No base Address Space
>>>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>>>  VMWareMetaAddressSpace: No base Address Space
>>>>  WindowsCrashDumpSpace64: No base Address Space
>>>>  HPAKAddressSpace: No base Address Space
>>>>  VirtualBoxCoreDumpElf64: No base Address Space
>>>>  VMWareAddressSpace: No base Address Space
>>>>  QemuCoreDumpElf: No base Address Space
>>>>  WindowsCrashDumpSpace32: No base Address Space
>>>>  AMD64PagedMemory: No base Address Space
>>>>  IA32PagedMemoryPae: No base Address Space
>>>>  IA32PagedMemory: No base Address Space
>>>>  OSXPmemELF: No base Address Space
>>>>  MachOAddressSpace: MachO Header signature invalid
>>>>  LimeAddressSpace: Invalid Lime header signature
>>>>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>>  VMWareMetaAddressSpace: VMware metadata file is not available
>>>>  WindowsCrashDumpSpace64: Header signature invalid
>>>>  HPAKAddressSpace: Invalid magic found
>>>>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>>  VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>>>  QemuCoreDumpElf: ELF Header signature invalid
>>>>  WindowsCrashDumpSpace32: Header signature invalid
>>>>  AMD64PagedMemory: Failed valid Address Space check
>>>>  IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>>> selected
>>>>  IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>>> selected
>>>>  OSXPmemELF: ELF Header signature invalid
>>>>  FileAddressSpace: Must be first Address Space
>>>>  ArmAddressSpace: Failed valid Address Space check
>>>>
>>>>
>>>> The error must have something to do with the way that I'm generating
>>>> the profile (at least I think something is off) but I can't for the life of
>>>> me figure out what the problem is.  I truly appreciate any light that a vol
>>>> expert out there may able to shed on what I need to do differently.  Thanks
>>>> very much.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users at volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20140907/1a902173/attachment-0001.html


More information about the Vol-users mailing list