[Vol-users] Something changed recently and now my Linux profiles don't work

Andrew Case atcuno at gmail.com
Thu Apr 7 15:20:19 CDT 2016


https://github.com/volatilityfoundation/volatility/commit/429a160925b216f04147bbdbac7ff867947da4d0

:)

Thanks,
Andrew (@attrc)

On 04/07/2016 03:13 PM, Jim Clausing wrote:
> Now my feature request, can we get PPID added to the linux_pslist
> output? :-)
> 
> -- 
> Jim Clausing
> GIAC GSE #26, CISSP
> GPG Fingerprint = A507 774A 39D6 A702 9F7C  8808 3D13 77B8 AACD 848D
> 
> On or about Thu, 7 Apr 2016, Jim Clausing pontificated thusly:
> 
>> I guess it really has been a long week.  It turns out that --info will
>> show the profiles if I use --plugins=~user/dir but the profile only
>> actually works if I use --plugins=/home/user/dir.  So, I guess problem
>> mostly solved.  User error on my part.  Return to your regularly
>> scheduled programming.  (As I slink away in shame)
>>
>> -- 
>> Jim Clausing
>> GIAC GSE #26, CISSP
>> GPG Fingerprint = A507 774A 39D6 A702 9F7C  8808 3D13 77B8 AACD 848D
>>
>> On or about Thu, 7 Apr 2016, Jim Clausing pontificated thusly:
>>
>>> Sigh... Ignore that last e-mail (although that is all the debug info
>>> I get when it fails and, yes, I know I gave an invalid switch -m
>>> should have been -f).  I redid it copying and pasting the profile
>>> name from the --info listing on the virgin system and it actually
>>> does work, so my next move is to install (from github) the current
>>> version on my actual production system and see if that fixes the
>>> issues.  Maybe the version from the SIFT repos is broken (that is
>>> what was running on the system where I originally had the problem). 
>>> It has been a long week. :-/.
>>>
>>> -- 
>>> Jim Clausing
>>> GIAC GSE #26, CISSP
>>> GPG Fingerprint = A507 774A 39D6 A702 9F7C  8808 3D13 77B8 AACD 848D
>>>
>>> On or about Thu, 7 Apr 2016, Andrew Case pontificated thusly:
>>>
>>>> Hey,
>>>>
>>>> Can you run volatility with -dd set and send the output? If I can't
>>>> figure it out from there I will take the memory sample and profile.
>>>> Feel free to send debug output offline.
>>>>
>>>> Thanks,
>>>> Andrew (@attrc)
>>>>
>>>> On 04/07/2016 12:27 PM, Jim Clausing wrote:
>>>>> Gang,
>>>>>     I've googled it and saw some other discussion of the dreaded
>>>>>
>>>>> ERROR   : volatility.debug    : Invalid profile <blah> selected
>>>>>
>>>>> error.  I'm trying to figure out what changed recently so that
>>>>> profiles that used to work for me, no longer work.  I just did a
>>>>> fresh Ubuntu 14.04.4 install and then installed volatility (and
>>>>> distorm3 via pip) from github and I'm getting the error above.
>>>>> Note, this is the current release version, though I also have the
>>>>> problem with the version from whatever repo SIFT uses.  The profile
>>>>> actually came from SecondLook and worked just fine on a different
>>>>> Ubuntu system about 4 weeks ago, but today it fails (on the system
>>>>> where it used to run), so I decided to try on this virgin system
>>>>> and get the same error.  I'm at a loss, since there are no other
>>>>> debugging messages to help me out with what might be the problem.
>>>>> I can provide the profile to anyone who needs it (and probably a
>>>>> memory image, too, but that needs to be a little more tightly
>>>>> controlled) if that would help.
>>>>>
>>>>> -- 
>>>>> Jim Clausing
>>>>> GIAC GSE #26, CISSP
>>>>> GPG Fingerprint = A507 774A 39D6 A702 9F7C  8808 3D13 77B8 AACD 848D