Error while creating profile for 10.9.4

[GoogleCodeExporter]

I have encountered an error when trying to create the vtypes file for Mac OS X 
10.9.4. The dwarfdump file was successfully converted to the Linux style 
output, however when attempting to create the vtypes file from this file the 
following error messages are received:

$python tools/mac/convert.py converted-10.9.4.64bit.dwarfdump > 
10.9.4.64bit.vtypes
Traceback (most recent call last):
  File "../Forensics/volatility-2.3.1/tools/mac/convert.py", line 659, in <module>
    main()
  File "../Forensics/volatility-2.3.1/tools/mac/convert.py", line 656, in main
    parse_dwarf()
  File "../Forensics/volatility-2.3.1/tools/mac/convert.py", line 390, in parse_dwarf
    parser.feed_line(line)
  File "../Forensics/volatility-2.3.1/tools/mac/convert.py", line 125, in feed_line
    self.process_statement(**parsed)
  File "../Forensics/volatility-2.3.1/tools/mac/convert.py", line 263, in process_statement
    off = int(data['AT_data_member_location'])
KeyError: 'AT_data_member_location'

Original issue reported on code.google.com by carlambr...@gmail.com on 8 Jul 2014 at 4:14

[GoogleCodeExporter]

Original comment by jamie.l...@gmail.com on 11 Jul 2014 at 9:00

[GoogleCodeExporter]

This has been fixed in Volatility 2.4. I have attached a working profile for 
10.9.4 that you can use. Please let me know if you have any issues.

Original comment by atc...@gmail.com on 20 Jul 2014 at 6:41

• Changed state: Fixed

Attachments:

• Mavericks_10.9.4_AMD.zip

[GoogleCodeExporter]

Hello folks,

I really appreciate the  OS 10.9.4 profile you created...I was having problems 
creating one of my own and getting output similar to the one above. So you 
saved my skin!

However, I have a new question for you. What program is best to create a memory 
dump from a 10.9.4 computer? MacMemoryReader currently only supports OS X 10.4 
- 10.8.

Thanks in advance!

Original comment by jtcotto...@gmail.com on 22 Jul 2014 at 8:04