[Vol-users] Having issues with linux profile -- please help

Josh Horowitz joshh100 at gmail.com
Mon Sep 8 08:45:41 CDT 2014


What I do have is /dev/mem; kmem; ram, everything in /dev.


Can I potentially get the required info from there or dump the contents of
/dev/mem?

My understanding is that since this is a later kernel version, /dev/mem
provides only limited access.

On Sun, Sep 7, 2014 at 11:14 PM, Josh Horowitz <joshh100 at gmail.com> wrote:

> Unfortunately not, I just have a snapshot of the machine and /proc is
> empty.  I have access to the logs from /var/log, is there any information I
> can use from there to construct the proper profile?
>
> Or any other suggestions perhaps?  I'm thinking of finding the exact
> system build and model number, perhaps somewhere in the user manual or
> specs I can find the required info?
>
> And then once I do, still not entirely sure what needs to be done with
> it..
>
> On Sun, Sep 7, 2014 at 11:03 PM, Joe Sylve <joe.sylve at gmail.com> wrote:
>
>> Do you know the original physical memory ranges?  Can you cat /proc/iomem
>> on the source system (they shouldn't have changed).  If so you can create a
>> padded memory image by concatenating the memory images you have and filling
>> in the gaps in the physical memory ranges with 0s.
>>
>> On Sun, Sep 7, 2014 at 10:00 PM, Josh Horowitz <joshh100 at gmail.com>
>> wrote:
>>
>>> Hi Joe:
>>>
>>> Thanks very much for your response.  Unfortunately I don't have the
>>> option to use LIME to go back and capture the memory again.  What I have
>>> are several .dd files that were created using fmem, e.g., dump00.dd,
>>> dump01.dd, and so on.
>>>
>>> I used cat to combine all the .dd files into one, which now makes sense
>>> as having been foolish.  Although I did also try the profile against the
>>> individual .dd files with the same result.
>>>
>>> I'll go back and do it again to see what happens..  In the meantime any
>>> other suggestions would be truly appreciated.
>>>
>>> On Sun, Sep 7, 2014 at 10:50 PM, Joe Sylve <joe.sylve at gmail.com> wrote:
>>>
>>>> "The dump was split into several files which I combined using cat."
>>>>
>>>> That's your problem.  You took all the System RAM ranges
>>>> and concatenated them in such a way that volatility has no idea what the
>>>> ranges were so it's not going to work well for you. Try using LiME instead.
>>>> https://code.google.com/p/lime-forensics/
>>>>
>>>> On Wed, Sep 3, 2014 at 11:35 AM, Josh Horowitz <joshh100 at gmail.com>
>>>> wrote:
>>>>
>>>>> Dear Vol-users:
>>>>>
>>>>> First and foremost thanks to the creators of volatility for this
>>>>> amazing tool.
>>>>>
>>>>> I've been struggling to create a proper linux profile to analyze a
>>>>> memory dump from an Ubuntu 12.04.3 LTS machine created with fmem.  The dump
>>>>> was split into several files which I combined using cat.
>>>>>
>>>>> I don't have access to the physical machine just some snapshot info,
>>>>> and have been trying to gather all the information I need in order to
>>>>> create the proper profile as follows:
>>>>>
>>>>> I grepped through /var/log/kern.log to find the kernel version that
>>>>> was running and got this:
>>>>>
>>>>> Linux version 3.2.0-53-generic (buildd at allspice) (gcc version 4.6.3
>>>>> (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #81-Ubuntu SMP Thu Aug 22 21:01:03 UTC
>>>>> 2013 (Ubuntu 3.2.0-53.81-generic 3.2.50)
>>>>>
>>>>> Also grep through kern.log for CPU and get:
>>>>>
>>>>> CPU0: Intel(R) Core(TM) i7-2675QM CPU @ 2.20GHz stepping 07 -- which I
>>>>> know to utilize 64-bit architecture.
>>>>>
>>>>>
>>>>> So to create the profile, I've installed a virtual machine running
>>>>> Ubuntu 12.04.3X64 and the identical kernel version: 3.2.0-53-generic.  I
>>>>> have a different processor core on the virtual machine I'm using to build
>>>>> the profile (Intel i5-4288U @ 2.60 GHz, perhaps this is part of the
>>>>> problem?)
>>>>>
>>>>> I followed the instructions to a T on generating modules.dwarf using
>>>>> the included volatility toolset, copying the System.map file, zipping them
>>>>> together, etc.
>>>>>
>>>>> Run the required
>>>>>
>>>>> python vol.py --info | grep Linux
>>>>> Volatility Foundation Volatility Framework 2.4
>>>>> Linux3_2_0-52-genericX_64x64    - A Profile for Linux
>>>>> 3.2.0-52-genericX_64 x64
>>>>> Linux4cpuprofilex64             - A Profile for Linux 4cpuprofile x64
>>>>> LinuxUbuntu12_04_3x86           - A Profile for Linux Ubuntu12_04_3 x86
>>>>> LinuxUbuntu_12_04_3_X64x64      - A Profile for Linux
>>>>> Ubuntu_12_04_3_X64 x64
>>>>> Linuxkernel-3_2_0-52-genericx86 - A Profile for Linux
>>>>> kernel-3.2.0-52-generic x86
>>>>>
>>>>> and all seems well.  (The LinuxUbuntu_12_04_3_X64x64 is for kernel
>>>>> 3.2.0-53-generic)
>>>>>
>>>>> Now when I run the following with -dd flag for debug I get the
>>>>> following (Sorry for length of debug msg)
>>>>>
>>>>>  python vol.py -f memdump.dd --profile=LinuxUbuntu_12_04_3_X64x64 -dd
>>>>> linux_pslist
>>>>> Volatility Foundation Volatility Framework 2.4
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> BashHashTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> BasicObjectClasses
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELF32Modification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELF64Modification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELFModification
>>>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxTruecryptModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> MachoModification
>>>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> MbrObjectTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> VMwareVTypesModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> VirtualBoxModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxIntelOverlay
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxKmemCacheOverlay
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>>>> cache_chain not found in module kernel
>>>>>
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxMountOverlay
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxObjectClasses
>>>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>>> Found dwarf file System.map-3.2.0-53-generic with 573 symbols
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Ubuntu_12_04_3_X64:
>>>>> Found system file System.map-3.2.0-53-generic with 1 symbols
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> BashHashTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from BashTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> BasicObjectClasses
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELF32Modification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELF64Modification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> ELFModification
>>>>> DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from LimeTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxTruecryptModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> MachoModification
>>>>> DEBUG   : volatility.obj      : Applying modification from MachoTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> MbrObjectTypes
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> VMwareVTypesModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> VirtualBoxModification
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxIntelOverlay
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxKmemCacheOverlay
>>>>> DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol
>>>>> cache_chain not found in module kernel
>>>>>
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxMountOverlay
>>>>> DEBUG   : volatility.obj      : Applying modification from
>>>>> LinuxObjectClasses
>>>>> DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
>>>>> Offset             Name                 Pid
>>>>> Uid             Gid    DTB                Start Time
>>>>> ------------------ -------------------- ---------------
>>>>> --------------- ------ ------------------ ----------
>>>>> DEBUG   : volatility.utils    : Voting round
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> MachOAddressSpace: mac: need base
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>>>> lime: need base
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsHiberFileSpace32: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace64BitMap: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VMWareMetaAddressSpace: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace64: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>>>> No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VirtualBoxCoreDumpElf64: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VMWareAddressSpace: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf:
>>>>> No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace32: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>>>> No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> IA32PagedMemoryPae: No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>>>>> No base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: No
>>>>> base Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>>>> DEBUG   : volatility.utils    : Succeeded instantiating
>>>>> <volatility.plugins.addrspaces.standard.FileAddressSpace object at
>>>>> 0x7fe1d90>
>>>>> DEBUG   : volatility.utils    : Voting round
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> MachOAddressSpace: MachO Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace:
>>>>> Invalid Lime header signature
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VMWareMetaAddressSpace: VMware metadata file is not available
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace64: Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace:
>>>>> Invalid magic found
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating QemuCoreDumpElf:
>>>>> ELF Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> WindowsCrashDumpSpace32: Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
>>>>> DEBUG1  : volatility.obj      : None object instantiated: Unable to
>>>>> read_long_long_phys at 0xfffff8104eff0L
>>>>> DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory:
>>>>> Failed valid Address Space check
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating
>>>>> IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory:
>>>>> Incompatible profile LinuxUbuntu_12_04_3_X64x64 selected
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating OSXPmemELF: ELF
>>>>> Header signature invalid
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
>>>>> DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace:
>>>>> Must be first Address Space
>>>>> DEBUG   : volatility.utils    : Trying <class
>>>>> 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
>>>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>>>> read_long_phys at offset 0x3ffffffff070L
>>>>> DEBUG1  : volatility.obj      : None object instantiated: Could not
>>>>> read_long_phys at offset 0x3ffffffff040L
>>>>> DEBUG1  : volatility.obj      : None object instantiated: No
>>>>> suggestions available
>>>>> DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace:
>>>>> Failed valid Address Space check
>>>>> No suitable address space mapping found
>>>>> Tried to open image as:
>>>>>  MachOAddressSpace: mac: need base
>>>>>  LimeAddressSpace: lime: need base
>>>>>  WindowsHiberFileSpace32: No base Address Space
>>>>>  WindowsCrashDumpSpace64BitMap: No base Address Space
>>>>>  VMWareMetaAddressSpace: No base Address Space
>>>>>  WindowsCrashDumpSpace64: No base Address Space
>>>>>  HPAKAddressSpace: No base Address Space
>>>>>  VirtualBoxCoreDumpElf64: No base Address Space
>>>>>  VMWareAddressSpace: No base Address Space
>>>>>  QemuCoreDumpElf: No base Address Space
>>>>>  WindowsCrashDumpSpace32: No base Address Space
>>>>>  AMD64PagedMemory: No base Address Space
>>>>>  IA32PagedMemoryPae: No base Address Space
>>>>>  IA32PagedMemory: No base Address Space
>>>>>  OSXPmemELF: No base Address Space
>>>>>  MachOAddressSpace: MachO Header signature invalid
>>>>>  LimeAddressSpace: Invalid Lime header signature
>>>>>  WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
>>>>>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>>>>>  VMWareMetaAddressSpace: VMware metadata file is not available
>>>>>  WindowsCrashDumpSpace64: Header signature invalid
>>>>>  HPAKAddressSpace: Invalid magic found
>>>>>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>>>>>  VMWareAddressSpace: Invalid VMware signature: 0xffffffff
>>>>>  QemuCoreDumpElf: ELF Header signature invalid
>>>>>  WindowsCrashDumpSpace32: Header signature invalid
>>>>>  AMD64PagedMemory: Failed valid Address Space check
>>>>>  IA32PagedMemoryPae: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>>>> selected
>>>>>  IA32PagedMemory: Incompatible profile LinuxUbuntu_12_04_3_X64x64
>>>>> selected
>>>>>  OSXPmemELF: ELF Header signature invalid
>>>>>  FileAddressSpace: Must be first Address Space
>>>>>  ArmAddressSpace: Failed valid Address Space check
>>>>>
>>>>>
>>>>> The error must have something to do with the way that I'm generating
>>>>> the profile (at least I think something is off) but I can't for the life of
>>>>> me figure out what the problem is.  I truly appreciate any light that a vol
>>>>> expert out there may be able to shed on what I need to do differently.  Thanks
>>>>> very much.
>>>>>
>>>>> _______________________________________________
>>>>> Vol-users mailing list
>>>>> Vol-users at volatilityfoundation.org
>>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>>
>>>>>
>>>>
>>>
>>
>
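The padding approach Joe Sylve describes in the quoted reply (rebuild one raw image from the per-range dumps, placing each System RAM range at its original physical offset and zero-filling the gaps), written out as an added example that is not part of the thread. It assumes the analyst saved the source machine's /proc/iomem and that fmem produced one dump file per System RAM range in iomem order (dump00.dd for the first range, dump01.dd for the second, and so on); that one-file-per-range mapping is an assumption, not something the thread confirms.

```python
"""Rebuild a padded raw memory image from per-range dumps (added example).

Assumptions: /proc/iomem was captured from the source machine (read as
root so the addresses are not masked) and there is exactly one raw dump
per "System RAM" range, in the same order as iomem lists them.
"""
import re
import sys
from typing import BinaryIO, List, Sequence, Tuple

# Match only top-level (unindented) lines; children such as "Kernel code"
# are indented under their parent range and must not be counted twice.
RAM_LINE = re.compile(r"^([0-9a-fA-F]+)-([0-9a-fA-F]+) : System RAM$")


def parse_system_ram(iomem_text: str) -> List[Tuple[int, int]]:
    """Return sorted [(start, end_inclusive), ...] for System RAM lines."""
    ranges = []
    for line in iomem_text.splitlines():
        m = RAM_LINE.match(line.rstrip())
        if m:
            ranges.append((int(m.group(1), 16), int(m.group(2), 16)))
    return sorted(ranges)


def write_padded(ranges: Sequence[Tuple[int, int]], chunks: Sequence[bytes],
                 out: BinaryIO) -> int:
    """Place each chunk at its physical start; the gaps stay zero.

    A chunk longer or shorter than its range is cut or zero-extended, so a
    damaged dump cannot shift the ranges after it. Returns the image size.
    """
    if len(chunks) != len(ranges):
        raise ValueError("need exactly one dump per System RAM range")
    end_of_prev = 0
    for (start, end), data in zip(ranges, chunks):
        if start < end_of_prev:
            raise ValueError("overlapping System RAM ranges in iomem")
        size = end - start + 1
        out.seek(start)        # bytes between end_of_prev and start read as 0
        out.write(data[:size].ljust(size, b"\x00"))
        end_of_prev = end + 1
    return end_of_prev


def build_image(iomem_path: str, dump_paths: Sequence[str], out_path: str) -> int:
    """Run both steps on files; returns the padded image size in bytes."""
    with open(iomem_path) as f:
        ranges = parse_system_ram(f.read())
    chunks = []
    for p in dump_paths:
        with open(p, "rb") as f:
            chunks.append(f.read())
    with open(out_path, "wb") as out:   # gaps become holes in a sparse file
        return write_padded(ranges, chunks, out)


if __name__ == "__main__":
    # usage: padimage.py iomem.txt padded.raw dump00.dd dump01.dd ...
    n = build_image(sys.argv[1], sys.argv[3:], sys.argv[2])
    print(f"wrote {n} bytes to {sys.argv[2]}")
```

The resulting file is a plain raw image, so it is opened with the same `-f padded.raw --profile=...` invocation as in the original post, without any LiME header.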