[Vol-users] Arch (Antergos) 4.6.4-1-ARCH profile can't be used

David Renz sun.kisses.horizon at gmail.com
Fri Jul 29 20:22:19 CDT 2016


Hello,

I'm using Antergos with the 4.6.4-1 kernel, and after dumping my computer's
memory with LiME worked without any problems, I went on to create a profile
for my system according to the instructions on
https://github.com/volatilityfoundation/volatility/wiki/Linux#using-the-profile,
creating the System.map using "cp /proc/kallsyms
/boot/System.map-4.6.4-1" (because there is no System.map in Arch Linux, as
mentioned on https://github.com/volatilityfoundation/profiles/issues/13).

Unfortunately I experience the same problem as described in the last link,
since volatility gives an error message about this profile saying "***
Failed to import volatility.plugins.overlays.linux.linux (ValueError: too
many values to unpack)".


On the issue thread linked above someone gives the following answer:
"Old issue, but could still be interesting.

This is most likely due to kallsyms giving additional information on
certain lines ([serio] or [kvm] for example), and Volatility on the other
hand only expecting three space separated values:

(str_addr, symbol_type, symbol) = line.strip().split()

That's why before using the output of the kallsyms proc file to build a
profile, some lines must be checked to fit the expected format."

Now this answer doesn't really help me to solve the issue and create a
working profile for my system. Does anyone have any idea how I could
proceed in order to do so? As far as I know, nobody has ever been able to build
a profile that works for Arch, so I think this would be really helpful for
many people.

I uploaded the profile created by myself and the files I used for doing so
on GoogleDrive, in case someone might even be able to create a profile
using those files:
https://drive.google.com/open?id=0B62Y5Qk_rdbWbWlDZ21VUEVrZGc


Many thanks in advance, and kind regards,

David
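The quoted answer points at the cause but not at a fix: /proc/kallsyms appends a "[module]" tag to symbols that belong to loaded modules, so those lines have four fields where Volatility's `(str_addr, symbol_type, symbol) = line.strip().split()` expects three. The following is an added example (not from the original post or from Volatility) that normalizes kallsyms output into three-field System.map lines; it uses constructed sample input and also rejects the all-zero addresses an unprivileged read produces.

```python
import re

# Constructed /proc/kallsyms sample (not from the original post). The "[module]" tag
# on the last two lines gives split() four fields, hence "too many values to unpack".
SAMPLE_KALLSYMS = """\
ffffffff81000000 T _text
ffffffff81000000 T startup_64
ffffffff81a00000 D _sdata
ffffffff81c00000 B __bss_start
ffffffffc0200000 t serio_handle_event\t[serio]
ffffffffc0300000 T kvm_arch_vcpu_ioctl\t[kvm]
"""

MODULE_TAG = re.compile(r"\s+\[[^\]]+\]$")

def parse_kallsyms_line(line):
    """Return (addr, sym_type, symbol, module) or None if the line does not
    reduce to exactly three fields. module is None for core-kernel symbols."""
    line, module = line.rstrip("\n"), None
    m = MODULE_TAG.search(line)
    if m:
        module = m.group(0).strip()[1:-1]   # "[serio]" -> "serio"
        line = line[:m.start()]
    parts = line.split()
    if len(parts) != 3:
        return None
    addr, sym_type, symbol = parts
    try:
        int(addr, 16)                        # first field must be a hex address
    except ValueError:
        return None
    return addr, sym_type, symbol, module

def kallsyms_to_system_map(text, keep_module_symbols=False):
    """Emit System.map lines ("addr type symbol"), three fields each. Module
    symbols are dropped unless keep_module_symbols is set, since a real System.map
    covers only the core kernel. All-zero addresses (kptr_restrict) are rejected."""
    out = []
    for raw in text.splitlines():
        parsed = parse_kallsyms_line(raw)
        if parsed is None:
            continue
        addr, sym_type, symbol, module = parsed
        if module is not None and not keep_module_symbols:
            continue
        out.append("%s %s %s" % (addr, sym_type, symbol))
    if out and all(int(l.split()[0], 16) == 0 for l in out):
        raise ValueError("all addresses are zero; read /proc/kallsyms as root")
    return out
```

Write the returned lines to the System.map file named in the profile instructions instead of copying /proc/kallsyms verbatim; keep_module_symbols=True keeps module symbols with the tag stripped if you want them in the map.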