teamdfir / sift

SIFT
MIT License

Volatility needs to be updated to support newer Linux kernels #305

Closed Resistor52 closed 5 years ago

Resistor52 commented 6 years ago

Ran the following command:

ubuntu@siftworkstation -> ~
$ sudo vol.py --profile=Linux4_14_62-65_117_amzn1_x86_64x64  -f 54.85.216.218-mem.lime  linux_banner
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "/usr/bin/vol.py", line 192, in <module>
    main()
  File "/usr/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/linux/common.py", line 64, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 216, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 227, in reset
    self.load_vtypes()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 204, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'
ubuntu@siftworkstation -> ~

Researching it, I found: https://github.com/volatilityfoundation/volatility/pull/335

Updated SIFT with latest Volatility, and life is good:

ubuntu@siftworkstation -> ~
$ vol.py --profile=Linux4_14_62-65_117_amzn1_x86_64x64  -f 54.85.216.218-mem.lime  linux_banner
Volatility Foundation Volatility Framework 2.6
Linux version 4.14.62-65.117.amzn1.x86_64 (mockbuild@gobi-build-60009) (gcc version 7.2.1 20170915 (Red Hat 7.2.1-2) (GCC)) #1 SMP Fri Aug 10 20:03:52 UTC 2018
ubuntu@siftworkstation -> ~
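
A small pre-flight check, added here as an example and not code from Volatility or SIFT: it walks dwarfdump-style text of the kind Volatility 2 reads from a profile's module.dwarf and lists the struct/union entries that carry no DW_AT_byte_size, which is exactly the condition the traceback above turns into a KeyError. The line layout, the sample names and offsets are assumptions constructed for this example.

```python
import re

# Constructed sample in dwarfdump style, modelled on the text that Volatility 2's
# dwarf.py parses from a Linux profile's module.dwarf. The layout is an
# assumption for this example; names and offsets are made up.
SAMPLE_DWARFDUMP = """\
< 1><0x0000002d>    DW_TAG_structure_type
                      DW_AT_name                  list_head
                      DW_AT_byte_size             0x00000010
< 1><0x00000050>    DW_TAG_structure_type
                      DW_AT_name                  kmem_cache
                      DW_AT_declaration           yes(1)
< 1><0x00000060>    DW_TAG_union_type
                      DW_AT_name                  sigval
                      DW_AT_byte_size             8
"""

HEADER_RE = re.compile(r"^<\s*(?P<level>\d+)><(?P<id>0x[0-9a-fA-F]+)>\s+(?P<tag>DW_TAG_\w+)")
ATTR_RE = re.compile(r"^\s+(?P<key>DW_AT_\w+)\s+(?P<val>\S.*?)\s*$")
SIZED_TAGS = {"DW_TAG_structure_type", "DW_TAG_union_type"}


def parse_dies(text):
    """Group dwarfdump lines into DIEs: {'id', 'tag', 'attrs': {DW_AT_*: value}}."""
    dies = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dies.append({"id": m.group("id"), "tag": m.group("tag"), "attrs": {}})
            continue
        m = ATTR_RE.match(line)
        if m and dies:
            dies[-1]["attrs"][m.group("key")] = m.group("val")
    return dies


def byte_size(die):
    """Tolerant form of int(data['DW_AT_byte_size'], base): returns None instead
    of raising KeyError when the attribute is absent, e.g. for a forward
    declaration that carries only DW_AT_declaration."""
    raw = die["attrs"].get("DW_AT_byte_size")
    return int(raw, 0) if raw is not None else None


def find_sizeless_types(text):
    """Names of struct/union DIEs that would trip the strict parser."""
    return [die["attrs"].get("DW_AT_name", die["id"])
            for die in parse_dies(text)
            if die["tag"] in SIZED_TAGS and byte_size(die) is None]
```

Running `find_sizeless_types` over the real dwarfdump output of a profile before loading it into an older Volatility tells you whether that profile will hit the KeyError or whether the build needs updating first.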

ekristen commented 6 years ago

There is a newer build available here -- https://launchpad.net/~volatility-builds/+archive/ubuntu/stable

If you have time to take a look and install it and let me know if that fixes things, I can copy that into the official release of SIFT.

Resistor52 commented 6 years ago

Thanks Erik. I will check it out this weekend. Here is my use case and current work-around: https://github.com/Resistor52/cloud_dfir_demo

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.