volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

AFF4 Memory Image for RHEL 7.9 - No Suitable Address Space Mapping Found #797

Open jonnythefox opened 3 years ago

jonnythefox commented 3 years ago

Hello,

As part of some testing, I used Tanium Collection for Linux (memory) to recover memory from a RHEL 7.9 instance. Tanium uses pmem under the hood to dump an image in AFF4 format. I subsequently used this image to generate a profile, using the recovered boot/system.map-* and dwarfdump. I then cloned the most recent aff4 python plugin I could locate, added the repo to PYTHONPATH, and then passed both parameters explicitly into the Vol command:

vol.py --plugins=/usr/local/lib/python2.7/pyaff4/pyaff4/aff4.py -f /home/user/Downloads/linux_mem_collection_test/memory_results/memory.zip --profile=Linuxrhel_79_maipo_profilex64 linux_pslist

Resultant output error - No suitable address space mapping found

Can anyone provide assistance - I'm not sure if this is a kernel issue, an image issue, or my command screw-up for the plugin.

Thank you!

gleeda commented 3 years ago

Have you tried extracting the memory sample from the zip file and running Volatility against that?
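
A small triage check, added here and not part of this issue thread or the Volatility project, for the suggestion above and for the AFF4 container described in the original report: using only the Python standard library, it confirms that the file handed to -f is really a ZIP-based AFF4 container, reads the volume URN from its container.description entry, checks for the information.turtle metadata, and reports the largest member (normally the physical-memory stream one would extract). The member name dev/pmem and the URN value are constructed placeholders, not values from a real image.

```python
import zipfile


def inspect_aff4_container(path):
    """Triage a suspected AFF4 container (a ZIP64 archive, e.g. pmem output).

    Returns a dict: whether the file is a ZIP archive at all, the volume URN
    declared in container.description, whether information.turtle (the RDF
    metadata) is present, every member with its size, and the largest member
    (usually the physical-memory stream). No pyaff4 dependency.
    """
    result = {"is_zip": False, "volume_urn": None, "has_turtle": False,
              "members": [], "largest_member": None}
    # is_zipfile() returns False for missing files and non-ZIP data alike
    if not zipfile.is_zipfile(path):
        return result
    with zipfile.ZipFile(path) as zf:
        result["is_zip"] = True
        for info in zf.infolist():
            result["members"].append((info.filename, info.file_size))
        names = zf.namelist()
        if "container.description" in names:
            urn = zf.read("container.description").decode("utf-8").strip()
            result["volume_urn"] = urn
        result["has_turtle"] = "information.turtle" in names
    if result["members"]:
        result["largest_member"] = max(result["members"], key=lambda m: m[1])[0]
    return result


def build_constructed_sample(path):
    """Write a tiny constructed stand-in for an AFF4 container (test data only).

    The URN and the stream name dev/pmem are placeholders, not taken from a
    real pmem image. Returns the path written.
    """
    with zipfile.ZipFile(path, "w", allowZip64=True) as zf:
        zf.writestr("container.description", "aff4://00000000-placeholder-volume")
        zf.writestr("information.turtle",
                    "@prefix aff4: <http://aff4.org/Schema#> .\n")
        zf.writestr("dev/pmem", b"\x00" * 4096)  # constructed memory stream
    return path


if __name__ == "__main__":
    sample = build_constructed_sample("constructed_aff4_sample.zip")
    for key, value in inspect_aff4_container(sample).items():
        print(f"{key}: {value}")
```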

jonnythefox commented 3 years ago

Thanks Gleeda. I did try to extract the physical memory stream to a raw file using linpmem but this also threw an error. Is that what you mean?

jcv- commented 3 years ago

Running into the exact same issue. I basically followed the following instructions: https://schatzforensic.com/insideout/2018/06/how-to-analyse-aff4-linux-memory-images/ but running into the "No suitable address space mapping found."

I have tried extracting /proc/kcore from the AFF4 container and running volatility against that, but get the same error message.