Requested symbol cache_chain not found in module kernel --- invalid pde_value

[GoogleCodeExporter]

Environment = Ubuntu 10.04.4 LTS 64-bit
Kernel Source = Samsung GT-I9300
Android Toolchain = arm-linux-androideabi-4.4.3
Lime = 1.1-r17
Volatility = Volatility Framework 2.3_beta

kernel source compiles with no errors (produces System.map)
Lime compiles with no errors (produces lime.ko)
Lime.ko dumps memory with no errors on Android device (dump.lime)
Volatility profile compiles with no errors (--info | grep linux shows profile)

when i try and do a python vol.py --profile=MY_PROFILE -f MY_DUMP_FILE 
linux_pslist
i get the following debug error dump:

Volatile Systems Volatility Framework 2.3_beta
DEBUG   : volatility.plugins.overlays.linux.linux: gti9300: Found dwarf file 
home/user/GT-I9300_JB_Opensource_Update11/Kernel/System.map with 463 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: gti9300: Found system file 
home/user/GT-I9300_JB_Opensource_Update11/Kernel/System.map with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain 
not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x5286b50>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x3FF00020, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x5286b10>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: 0x66262564
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile Linuxgti9300ARM selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Failed 
valid Address Space check
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Failed 
valid Address Space check
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.arm.ArmAddressSpace object at 0x5286e50>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x00000000, instantiating HPAK_HEADER
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x00000000, instantiating _VMWARE_HEADER
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: -
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
WARNING : volatility.plugins.addrspaces.arm: get_pte: invalid pde_value 66262564
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile Linuxgti9300ARM selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Can 
not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Can not 
stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating ArmAddressSpace: Can not 
stack over another paging address space
DEBUG1  : volatility.obj      : None object instantiated: Pointer next invalid
Offset     Name                 Pid             Uid             Gid    DTB      
  Start Time
---------- -------------------- --------------- --------------- ------ 
---------- ----------

Original issue reported on code.google.com by mariosca...@gmail.com on 3 Sep 2013 at 1:37

[GoogleCodeExporter]

Original comment by jamie.l...@gmail.com on 12 Sep 2013 at 12:27

[GoogleCodeExporter]

Hello,

Did you compile from the same sources as the kernel on the phone and using the 
.config file that is either distributed with the kernel from the phone's 
manufactuere or from /proc/config.gz?

Original comment by atc...@gmail.com on 18 Sep 2013 at 3:03

[GoogleCodeExporter]

Hello,

Yes, i used the .config that was compiled from the phone manufacturer's kernel 
that matched my device.  The .config was created by doing "make ARCH=ARM 
m0_00_defconfig" in the kernel source directory.  

Original comment by mariosca...@gmail.com on 20 Sep 2013 at 5:30

[GoogleCodeExporter]

Hello,

Are you still have trouble with this issue? If so, could you please list how 
your profile was created, including where the System.map file came from?

Thanks

Original comment by atc...@gmail.com on 7 Oct 2013 at 7:13

[GoogleCodeExporter]

I'm going to close this issue due to lack of detail required to move forward 
with investigating the bug. Feel free to re-open the issue if you decide to 
pursue, or as always, discuss it on the Vol-Users mailing list. 

Original comment by michael.hale@gmail.com on 25 Oct 2013 at 12:28

• Changed state: Done

[GoogleCodeExporter]

Hello,

I apologize for letting so much time lapse on this thread.  In reference to the 
question of how my profile was created, including my system.map:

I followed the instructions here to create the plugin 
https://code.google.com/p/volatility/wiki/AndroidMemoryForensics
combined (zipped) my module.dwarf and system.map into the  
../volatility/plugins/overlays/linux/ directory

My system.map was created when I ran "make ARCH=ARM m0_00_defconfig" in the 
kernel directory

Please let me know if you have any further questions.  I will try and respond 
quicker in the future.  

thank you.  

Original comment by mariosca...@gmail.com on 5 Nov 2013 at 8:48

[GoogleCodeExporter]

I am getting exact same issue. 

Following are the logs : 

Volatility Foundation Volatility Framework 2.3.1
DEBUG   : volatility.plugins.overlays.linux.linux: profile: Found dwarf file 
../../../kallsyms with 446 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: profile: Found system file 
../../../kallsyms with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain 
not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: profile: Found dwarf file 
../../../kallsyms with 446 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: profile: Found system file 
../../../kallsyms with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from 
VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from 
VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain 
not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
Offset     Name                 Pid             Uid             Gid    DTB      
  Start Time
---------- -------------------- --------------- --------------- ------ 
---------- ----------
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: 
need base
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
No base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No 
base Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base 
Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x103511890>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 
0x18D5B060, instantiating lime_header
DEBUG   : volatility.utils    : Succeeded instantiating 
<volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x103511850>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid 
Lime header signature
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: 
PO_MEMORY_IMAGE is not available in profile
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid 
magic found
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'> 
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: 
ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'> 
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: 
Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: 
Header signature invalid
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: 
Incompatible profile LinuxprofileARM selected
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol 
swapper_pg_dir not found in module kernel

DEBUG   : volatility.utils    : Failed instantiating (exception): unsupported 
operand type(s) for -: 'NoneType' and 'int'
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol 
swapper_pg_dir not found in module kernel

DEBUG   : volatility.utils    : Failed instantiating (exception): unsupported 
operand type(s) for -: 'NoneType' and 'int'
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be 
first Address Space
DEBUG   : volatility.utils    : Trying <class 
'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol 
swapper_pg_dir not found in module kernel

DEBUG   : volatility.utils    : Failed instantiating (exception): unsupported 
operand type(s) for -: 'NoneType' and 'int'
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: Incompatible profile LinuxprofileARM selected
 IA32PagedMemoryPae - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
 IA32PagedMemory - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace - EXCEPTION: unsupported operand type(s) for -: 'NoneType' and 'int'

Can you help please?

Original comment by gauravpr...@gmail.com on 17 Nov 2014 at 6:56

[GoogleCodeExporter]

We have moved to github and are now on version 2.4, not 2.3.1.  Please update 
to 2.4 and see if you still have this problem.

https://github.com/volatilityfoundation/volatility

Original comment by jamie.l...@gmail.com on 17 Nov 2014 at 7:11

[GoogleCodeExporter]

Done. Thanks for such a quick response. 

but I am still getting 
*** Failed to import volatility.plugins.overlays.linux.linux (ValueError: too 
many values to unpack)

this error

Original comment by gauravpr...@gmail.com on 17 Nov 2014 at 7:31

[GoogleCodeExporter]

type:

make clean

then retry

Original comment by jamie.l...@gmail.com on 17 Nov 2014 at 8:14

[GoogleCodeExporter]

not working ..

Original comment by gauravpr...@gmail.com on 17 Nov 2014 at 8:26

[GoogleCodeExporter]

please file a new bug on the github site with the error you are getting.

Original comment by jamie.l...@gmail.com on 17 Nov 2014 at 8:37