search

Stan1989 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Volatility: Cannot determine Profile for Ubuntu 8.04, Kernel 2.6.24-32 #381

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
======= Background Information ==========================================

I am trying to analyze a lime memory dump taken from the Metasploitable Project 
VM, which is running Ubuntu 8.04.

root@metasploitable:~# uname -a

Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 
GNU/Linux

root@metasploitable:~# cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=8.04
DISTRIB_CODENAME=hardy
DISTRIB_DESCRIPTION="Ubuntu 8.04"

+ Reference: 
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/

====== Issue ============================================================

I downloaded volatility-2.2 and I ran the below command to try to determine 
which profile to use.  Unfortunately, Volatility takes between 1 to 2 hours to 
tell me it cannot determine a profile to use.  (May be my lime dump is bad.  
May be Ubuntu 8.04 is out of scope, but I don't think so, because I believe 
Volatility support kernel 2.6.11 and higher.)

root@bt:/forensics/volatility-2.2# python vol.py imageinfo -f 
/var/tmp/memory.lime
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...

     Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : LimeAddressSpace (Unnamed AS)
                     AS Layer2 : FileAddressSpace (/var/tmp/memory.lime)
                      PAE type : No PAE

Any help would be greatly appreciated.

Johnny

Original issue reported on code.google.com by johnny.s...@gmail.com on 19 Feb 2013 at 4:30

GoogleCodeExporter commented 9 years ago 
It doesn't appear that you've read the instructions [1] on how to analyze linux 
memory dumps. 

Also, imageinfo is a windows plugin, which is why it shows up in the windows 
command reference [2] and not the linux command reference [3]. It takes hours 
because its searching for windows data structures in a linux memory 
dump...which it understandably never finds. 

I'm going to mark this issue as invalid, but after reading the instructions, if 
you continue to have problems, feel free to re-open. 

[1]. http://code.google.com/p/volatility/wiki/LinuxMemoryForensics
[2]. http://code.google.com/p/volatility/wiki/CommandReference22
[3]. http://code.google.com/p/volatility/wiki/LinuxCommandReference22

Original comment by michael.hale@gmail.com on 19 Feb 2013 at 4:52