tthtlc / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Issue in linux_find_file plugin #504

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Get a linux memory dump
2. Locate a file accessed by a process using linux_proc_maps
3. Find file's inode with linux_find_file -F "path_to_file"
4. Try to recover a file from the page cache with linux_find_file -i <inode_addr>

What is the expected output? What do you see instead?
The expected output is the file or, at least, some of its pages. What you get 
is a file full of zeros or an Invalid Argument error (depending on the AS used).

What version of the product are you using? On what operating system?
2.3.1 on Linux Ubuntu Server 12.04

Please provide any additional information below.
I am analyzing Android memory dumps taken from an androVM running on 
VirtualBox, so I am using the VirtualBox ELF64 AS. The virtual machine is 
running the goldfish kernel I compiled myself and I also prepared a volatility 
profile for it.

I was trying to recover memory mapped files from the page cache. The file's 
inode is correctly located, but when linux_find_file is used with -i to recover 
file contents, all you get is a file of the same size as that of the original 
one but filled with zeros.

linux_find_file.py recovers files from the page cache by locating every page 
owned by a file's inode and reading its contents from memory. In order to do 
so, it traverses the inode's i_mapping page tree, implemented using a radix 
tree. The core of this traversal is a loop that iterates through each tree 
height. However, when the needed variables are updated and prepared for the 
next iteration, the node pointer is not updated and the function does not 
return correct references.

Please find attached a patch for find_file.py that solves the issue. Using this 
patch I am able to recover files from the cache that match exactly with the 
original ones.

Original issue reported on code.google.com by vicente....@gmail.com on 15 Jun 2014 at 5:19

Attachments:
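The traversal the report describes, as an added example that is not the reporter's patch nor Volatility's linux_find_file code: a small Python model of a Linux page-cache radix tree (root with a height, 64-slot nodes, 6 index bits consumed per level, the layout of 3.x-era kernels; the indirect-pointer tag bit and exceptional entries are left out). It shows the per-level walk with the node pointer left stale beside the corrected walk, and a page-cache dump built on each so the symptom is visible: the stale walk yields a zero-filled file of the right size. The `Node`, `RadixTree`, `lookup_buggy`, `lookup_fixed` and `dump_file` names and the sample pages are all constructed here.

```python
"""Constructed model of a Linux page-cache radix tree walk. Not Volatility's
linux_find_file code; it reproduces the class of bug the report describes:
a per-level loop that never advances the node pointer, so every level
re-indexes the root node and the lookup lands on a node or on nothing."""

from typing import List, Optional, Union

RADIX_TREE_MAP_SHIFT = 6                       # 64 slots per node (64-bit kernels)
RADIX_TREE_MAP_SIZE = 1 << RADIX_TREE_MAP_SHIFT
RADIX_TREE_MAP_MASK = RADIX_TREE_MAP_SIZE - 1
PAGE_SIZE = 4096


class Node:
    """A radix_tree_node: fixed array of slots holding child nodes or pages."""
    def __init__(self) -> None:
        self.slots: List[Optional[Union["Node", bytes]]] = [None] * RADIX_TREE_MAP_SIZE


class RadixTree:
    """A radix_tree_root as hung off inode->i_mapping: height plus top node."""
    def __init__(self, height: int) -> None:
        self.height = height
        self.rnode = Node()

    def insert(self, index: int, page: bytes) -> None:
        node = self.rnode
        for level in range(self.height, 0, -1):
            shift = (level - 1) * RADIX_TREE_MAP_SHIFT
            slot = (index >> shift) & RADIX_TREE_MAP_MASK
            if level == 1:
                node.slots[slot] = page          # leaf level: slot holds the page
            else:
                if node.slots[slot] is None:
                    node.slots[slot] = Node()
                node = node.slots[slot]          # descend to the child node


def lookup_buggy(tree: RadixTree, index: int) -> Optional[bytes]:
    """Walk with the defect the report describes: `node` is never reassigned."""
    node = tree.rnode
    entry = None
    for level in range(tree.height, 0, -1):
        shift = (level - 1) * RADIX_TREE_MAP_SHIFT
        slot = (index >> shift) & RADIX_TREE_MAP_MASK
        entry = node.slots[slot]
        # BUG: no `node = entry` here, so the next level indexes the root again.
    return entry if isinstance(entry, bytes) else None


def lookup_fixed(tree: RadixTree, index: int) -> Optional[bytes]:
    """Corrected walk: descend into the child node before the next level."""
    node = tree.rnode
    entry = None
    for level in range(tree.height, 0, -1):
        shift = (level - 1) * RADIX_TREE_MAP_SHIFT
        slot = (index >> shift) & RADIX_TREE_MAP_MASK
        entry = node.slots[slot]
        if entry is None:
            return None                          # page not cached
        if level > 1:
            node = entry                         # the update the loop was missing
    return entry if isinstance(entry, bytes) else None


def dump_file(tree: RadixTree, size: int, lookup) -> bytes:
    """Rebuild a file from its cached pages; uncached pages are zero-filled,
    which is exactly how a broken lookup turns into a file full of zeros."""
    out = bytearray()
    for idx in range((size + PAGE_SIZE - 1) // PAGE_SIZE):
        page = lookup(tree, idx)
        out += page if page is not None else b"\x00" * PAGE_SIZE
    return bytes(out[:size])


def build_sample(num_pages: int) -> RadixTree:
    """Constructed sample: page i is filled with byte (i % 256)."""
    height = 1
    while (1 << (height * RADIX_TREE_MAP_SHIFT)) < num_pages:
        height += 1
    tree = RadixTree(height)
    for i in range(num_pages):
        tree.insert(i, bytes([i % 256]) * PAGE_SIZE)
    return tree


def expected_content(num_pages: int) -> bytes:
    return b"".join(bytes([i % 256]) * PAGE_SIZE for i in range(num_pages))


if __name__ == "__main__":
    tree = build_sample(100)                     # 100 pages -> height 2
    size = 100 * PAGE_SIZE
    print("fixed matches:", dump_file(tree, size, lookup_fixed) == expected_content(100))
    print("buggy all zero:", dump_file(tree, size, lookup_buggy) == b"\x00" * size)
```

One property of this model worth noting when checking a recovered file: with a tree of height 1 (a file of at most 64 pages here) the loop body runs once, so the stale pointer never matters and the dump is correct; the zero-filled output only appears once the file is large enough to need a second level, which is why comparing a recovered file against a known original, as the reporter did, is the useful test rather than a single small file.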

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 15 Jun 2014 at 7:01

GoogleCodeExporter commented 9 years ago
Nice find! This has been fixed in the 2.4 branch

Original comment by atc...@gmail.com on 10 Jul 2014 at 8:47