Stubatiger
commented
8 years ago Did u try the profile provided under: https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64 ?
Closed allewwaly closed 6 years ago
Stubatiger
commented
8 years ago Did u try the profile provided under: https://github.com/volatilityfoundation/profiles/tree/master/Linux/Ubuntu/x64 ?
allewwaly
commented
8 years ago Yes, exactly. I tried that before made myself one. All got the same error message.
Stubatiger
commented
8 years ago I have recreated this problem on the following Ubuntu Versions, each a Fresh Install on VirtualBox5.0 and GuestAdditions installed, the Images were created with Lime in lime-format and i used the official Profile provided: ubuntu-14.04.1-desktop-amd64.iso (Linux 3.13.0-32-generic #57-Ubuntu) ubuntu-14.04.3-desktop-amd64.iso (Linux 3.19.0-25-generic #26~14.04.1-Ubuntu)
Funny enough on this Version i have no problems: ubuntu-14.04.2-desktop-amd64.iso (Linux 3.16.0-30-generic #40~14.04.1-Ubuntu)
On the 14.04.3-Version i tried creating the RAM-Image with linpmem in elf-format, no success there either.
atcuno
commented
8 years ago Can you both please paste uname -a from the virtual machines where the profiles are not working? The profiles need to match the kernel version, not the Ubuntu version. Each Ubuntu version may contain 20-40 different kernels due to different configuration options and updates.
Stubatiger
commented
8 years ago 
How does this info differ though from what i already wrote?
andrew-morris
commented
8 years ago I am having this issue as well.
Attempting to run the imageinfo plugin yields the following-
$ python ~/Tools/volatility/vol.py -f ./img2.lime imageinfo
Volatility Foundation Volatility Framework 2.5
INFO : volatility.debug : Determining profile based on KDBG search...
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
WARNING : volatility.debug : Overlay structure tty_struct not present in vtypes
WARNING : volatility.debug : Overlay structure cpuinfo_x86 not present in vtypes
Traceback (most recent call last):
File "/Users/amorris/Tools/volatility/vol.py", line 192, in <module>
main()
File "/Users/amorris/Tools/volatility/vol.py", line 183, in main
command.execute()
File "/Users/amorris/Tools/volatility/volatility/commands.py", line 145, in execute
func(outfd, data)
File "/Users/amorris/Tools/volatility/volatility/plugins/imageinfo.py", line 45, in render_text
for k, t, v in data:
File "/Users/amorris/Tools/volatility/volatility/plugins/imageinfo.py", line 55, in calculate
suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
File "/Users/amorris/Tools/volatility/volatility/plugins/kdbgscan.py", line 116, in calculate
buf = addrspace.BufferAddressSpace(self._config)
File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 378, in __init__
BaseAddressSpace.__init__(self, None, config, **kwargs)
File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 73, in __init__
self.profile = self._set_profile(config.PROFILE)
File "/Users/amorris/Tools/volatility/volatility/addrspace.py", line 98, in _set_profile
ret = profs[profile_name]()
File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 214, in __init__
obj.Profile.__init__(self, *args, **kwargs)
File "/Users/amorris/Tools/volatility/volatility/obj.py", line 859, in __init__
self.reset()
File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 224, in reset
self.load_vtypes()
File "/Users/amorris/Tools/volatility/volatility/plugins/overlays/linux/linux.py", line 261, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 71, in __init__
self.feed_line(line)
File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 162, in feed_line
self.process_statement(**parsed) #pylint: disable-msg=W0142
File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 225, in process_statement
self.id_to_name[statement_id] = [self.base_type_name(data)]
File "/Users/amorris/Tools/volatility/volatility/dwarf.py", line 125, in base_type_name
return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: 'device_attribute'I am using the community-provided profile located here. The memory was acquired from the target system using LiME. I have tried acquiring memory via LiME with both LiME and Padded formats, and both yield the same results.
Info about my machine:
OS: OS X Yosemite Uname: Darwin XXXX 14.3.0 Darwin Kernel Version 14.3.0: Mon Mar 23 11:59:05 PDT 2015; root:xnu-2782.20.48~5/RELEASE_X86_64 x86_64 Python: Python 2.7.9 Volatility: Volatility Framework 2.5
ghost
commented
8 years ago Hii, I have the same issue with the address mapping. I tried using different profiles as well but none worked. Can anyone post the solution for this if you have resolved this issue. I have using LiME to extract memory.
labuser@labuser-virtual-machine:~/Desktop/volatility-master$ python vol.py -f /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump --profile=LinuxLinuxUbuntu13x64 linux_ifconfig Volatility Foundation Volatility Framework 2.5 Interface IP Address MAC Address Promiscous Mode
No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64BitMap: No base Address Space VMWareMetaAddressSpace: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareAddressSpace: No base Address Space QemuCoreDumpElf: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space OSXPmemELF: No base Address Space MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64BitMap: Header signature invalid VMWareMetaAddressSpace: VMware metadata file is not available WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF Header signature invalid VMWareAddressSpace: Invalid VMware signature: 0x0 QemuCoreDumpElf: ELF Header signature invalid WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Failed valid Address Space check IA32PagedMemoryPae: Incompatible profile LinuxLinuxUbuntu13x64 selected IA32PagedMemory: Incompatible profile LinuxLinuxUbuntu13x64 selected OSXPmemELF: ELF Header signature invalid FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check
About my Machine OS: OS Ubuntu 15.10 uname:4.2.0-16-generic python-2.7.11 Volatility-master LiME-master
atcuno
commented
8 years ago Hey,
Can you please past the output of the following:
strings -a /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump | grep Kernel | grep version | grep gcc
Thanks, Andrew (@attrc)
On 04/21/2016 02:58 PM, swagataupputolla wrote:
Hii, I have the same issue with the address mapping. I tried using different profiles as well but none worked. Can anyone post the solution for this if you have resolved this issue. I have using LiME to extract memory.
labuser@labuser-virtual-machine:~/Desktop/volatility-master$ python vol.py -f /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump --profile=LinuxLinuxUbuntu13x64 linux_ifconfig Volatility Foundation Volatility Framework 2.5 Interface IP Address MAC Address Promiscous Mode
No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64BitMap: No base Address Space VMWareMetaAddressSpace: No base Address Space WindowsCrashDumpSpace64: No base Address Space HPAKAddressSpace: No base Address Space VirtualBoxCoreDumpElf64: No base Address Space VMWareAddressSpace: No base Address Space QemuCoreDumpElf: No base Address Space WindowsCrashDumpSpace32: No base Address Space AMD64PagedMemory: No base Address Space IA32PagedMemoryPae: No base Address Space IA32PagedMemory: No base Address Space OSXPmemELF: No base Address Space MachOAddressSpace: MachO Header signature invalid LimeAddressSpace: Invalid Lime header signature WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile WindowsCrashDumpSpace64BitMap: Header signature invalid VMWareMetaAddressSpace: VMware metadata file is not available WindowsCrashDumpSpace64: Header signature invalid HPAKAddressSpace: Invalid magic found VirtualBoxCoreDumpElf64: ELF Header signature invalid VMWareAddressSpace: Invalid VMware signature: 0x0 QemuCoreDumpElf: ELF Header signature invalid WindowsCrashDumpSpace32: Header signature invalid AMD64PagedMemory: Failed valid Address Space check IA32PagedMemoryPae: Incompatible profile LinuxLinuxUbuntu13x64 selected IA32PagedMemory: Incompatible profile LinuxLinuxUbuntu13x64 selected OSXPmemELF: ELF Header signature invalid FileAddressSpace: Must be first Address Space ArmAddressSpace: Failed valid Address Space check
About my Machine OS: OS Ubuntu 15.10 uname:4.2.0-16-generic python-2.7.11 Volatility-master LiME-master
— You are receiving this because you commented. Reply to this email directly or view it on GitHub https://github.com/volatilityfoundation/volatility/issues/245#issuecomment-213091114
ghost
commented
8 years ago labuser@labuser-virtual-machine:/$ strings -a /home/labuser/Desktop/volatility-master/volatility/plugins/overlays/linux/memory.dump | grep Kernel
Kernel only SVGA command: %u.
KernelName
KernelRelease
KernelVersion
KernelVersion
KernelName
KernelRelease
MESSAGE=Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.2.0-16-generic root=UUID=904d3db9-1a3f-454c-9fcc-811d33f70fb8 ro quiet splash
MESSAGE=Starting Load Kernel Modules...
5Kernel command line: %s
0Kernel Offset: 0x%lx from 0x%lx (relocation range: 0x%lx-0x%lx)
4tsc: Kernel compiled with CONFIG_X86_TSC, cannot disable TSC completely
3kexec-bzImage64: Kernel command line too long
0Kernel Offset: disabled
Kernel bss
Kernel code
Kernel data
0Kernel panic - not syncing: %s
0---[ end Kernel panic - not syncing: %s
stack-protector: Kernel stack is corrupted in: %p
KernelPageSize: %8lu kB
KernelStack: %8lu kB
2Kernel BUG at %p [verbose debug info unavailable]
Node %d KernelStack: %8lu kB
:https://collector.githubapp.com/github/page_view?dimensions[page]=https%3A%2F%2Fgithub.com%2F504ensicslabs%2Flime&dimensions[title]=GitHub%20-%20504ensicsLabs%2FLiME%3A%20LiME%20(formerly%20DMD)%20is%20a%20Loadable%20Kernel%20Module%20(LKM)%2C%20which%20allows%20the%20acquisition%20of%20volatile%20memory%20from%20Linux%20and%20Linux-based%20devices%2C%20such%20as%20those%20powered%20by%20Android.%20The%20tool%20supports%20acquiring%20memory%20either%20to%20the%20file%20system%20of%20the%20device%20or%20over%20the%20network.%20LiME%20is%20unique%20in%20that%20it%20is%20the%20first%20tool%20that%20allows%20full%20memory%20captures%20from%20Android%20devices.%20It%20also%20minimizes%20its%20interaction%20between%20user%20and%20kernel%20space%20processes%20during%20acquisition%2C%20which%20allows%20it%20to%20produce%20memory%20captures%20that%20are%20more%20forensically%20sound%20than%20those%20of%20other%20tools%20designed%20for%20Linux%20memory%20acquisition.&dimensions[referrer]=&dimensions[user_agent]=Mozilla%2F5.0%20(X11%3B%20Ubuntu%3B%20Linux%20x86_64%3B%20rv%3A41.0)%20Gecko%2F20100101%20Firefox%2F41.0&dimensions[screen_resolution]=1360x768&dimensions[pixel_ratio]=1&dimensions[browser_resolution]=1295x640&dimensions[tz_seconds]=-14400&dimensions[timestamp]=1461253162034&dimensions[request_id]=835EBA6F%3A5B23%3A3378808%3A5718F428&dimensions[user_id]=7229841&dimensions[user_login]=504ensicsLabs&dimensions[repository_id]=24379459&dimensions[repository_nwo]=504ensicsLabs%2FLiME&dimensions[repository_public]=true&dimensions[repository_is_fork]=false&dimensions[repository_network_root_id]=24379459&dimensions[repository_network_root_nwo]=504ensicsLabs%2FLiME&&measures[performance_timing]=1-33-33--1692-1322-1134-214-33-3-3---0---104-234-105---&&&dimensions[cid]=1085768318.1461253162
Kernel command line: BOOT_IMAGE=/boot/vmlinuz-4.2.0-16-generic root=UUID=904d3db9-1a3f-454c-9fcc-811d33f70fb8 ro quiet splash
systemd[1]: Listening on udev Kernel Socket.
systemd[1]: Starting Load Kernel Modules...
systemd[1]: Starting udev Kernel Device Manager...
KernelVersion
GitHub - 504ensicsLabs/LiME: LiME (formerly DMD) is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
KernelName
KernelVersion
MESSAGE=Started udev Kernel Device Manager.
MESSAGE=Starting Remount Root and Kernel File Systems...
MESSAGE=Started Remount Root and Kernel File Systems.
gleeda
commented
6 years ago I'm closing this issue for now. Feel free to reopen if you have more information/issues.
Seen at https://github.com/volatilityfoundation/volatility/issues/122. I've made supplement to the question. The profile is generated with guidence of https://code.google.com/p/volatility/wiki/LinuxMemoryForensics. And the results is:
I've tried several memory dumps and all fail. The OS is 64 bit ubuntu1404 with 3.13.0-24 kernel.