
Volatility needs to be updated to support newer Linux kernels #305

Closed
Resistor52 opened this issue Sep 3, 2018 · 3 comments
@Resistor52

Ran the following command:

ubuntu@siftworkstation -> ~
$ sudo vol.py --profile=Linux4_14_62-65_117_amzn1_x86_64x64  -f 54.85.216.218-mem.lime  linux_banner
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "/usr/bin/vol.py", line 192, in <module>
    main()
  File "/usr/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/linux/common.py", line 64, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 216, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 227, in reset
    self.load_vtypes()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/linux.py", line 264, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 71, in __init__
    self.feed_line(line)
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 162, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/usr/lib/python2.7/dist-packages/volatility/dwarf.py", line 204, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
KeyError: 'DW_AT_byte_size'
ubuntu@siftworkstation -> ~

Researching it, I found:
volatilityfoundation/volatility#335

Updated SIFT with latest Volatility, and life is good:

ubuntu@siftworkstation -> ~
$ vol.py --profile=Linux4_14_62-65_117_amzn1_x86_64x64  -f 54.85.216.218-mem.lime  linux_banner
Volatility Foundation Volatility Framework 2.6
Linux version 4.14.62-65.117.amzn1.x86_64 (mockbuild@gobi-build-60009) (gcc version 7.2.1 20170915 (Red Hat 7.2.1-2) (GCC)) #1 SMP Fri Aug 10 20:03:52 UTC 2018
ubuntu@siftworkstation -> ~
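The traceback above ends in Volatility's DWARF profile parser indexing `data['DW_AT_byte_size']` for a structure entry that has no such attribute. DWARF omits the byte size for incomplete types (forward declarations carrying `DW_AT_declaration`), so a profile built from a newer kernel can contain structure entries the old parser cannot handle. The following added example, which is not code from this issue or from the Volatility project, shows a minimal parser for dwarfdump-style text in the `<level><id><tag>` / `DW_AT_name<value>` layout (assumed here to resemble what `dwarf.py` consumes; the sample lines and all values are constructed, not from a real kernel). In strict mode it reproduces the failure; in tolerant mode it records incomplete types with size 0 and reports them, which is a useful sanity check on a freshly built profile before an analysis.

```python
import re

# Constructed sample in a dwarfdump-like layout (hypothetical DIE ids and sizes).
# task_struct is a complete type; mm_struct is only a forward declaration and
# therefore carries DW_AT_declaration but no DW_AT_byte_size.
SAMPLE_DWARF = """\
<1><0x0000002d><DW_TAG_structure_type>
    DW_AT_name<"task_struct">
    DW_AT_byte_size<0x00001c00>
<2><0x00000039><DW_TAG_member>
    DW_AT_name<"pid">
    DW_AT_type<<0x00000080>>
    DW_AT_data_member_location<DW_OP_plus_uconst 1216>
<1><0x00000050><DW_TAG_structure_type>
    DW_AT_name<"mm_struct">
    DW_AT_declaration<yes(1)>
"""

# Header line of a debugging information entry (DIE): nesting level, id, tag.
HEADER_RE = re.compile(r'^<(?P<level>\d+)><(?P<die_id>0x[0-9a-fA-F]+)><(?P<tag>\w+)>')
# Attribute line: DW_AT_<name><value>; greedy match keeps nested <...> in value.
ATTR_RE = re.compile(r'^\s*(?P<key>DW_AT_\w+)<(?P<val>.*)>\s*$')


def parse_dies(text):
    """Split dwarfdump-style text into a list of DIE dicts with their attributes."""
    dies = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "level": int(m.group("level")),
                "id": m.group("die_id"),
                "tag": m.group("tag"),
                "attrs": {},
            }
            dies.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group("key")] = m.group("val")
    return dies


def build_vtypes(text, strict=False):
    """Build a Volatility-style vtypes dict {name: [size, {members}]} from DWARF text.

    strict=True mirrors the failing behaviour from the traceback (KeyError on a
    structure without DW_AT_byte_size). strict=False records such incomplete
    types with size 0 and returns their names so the analyst can review them.
    Member parsing is omitted; the point is the byte-size handling.
    """
    vtypes = {}
    incomplete = []
    for die in parse_dies(text):
        if die["tag"] != "DW_TAG_structure_type":
            continue
        name = die["attrs"].get("DW_AT_name", '"<anon>"').strip('"')
        size_txt = die["attrs"].get("DW_AT_byte_size")
        if size_txt is None:
            if strict:
                raise KeyError("DW_AT_byte_size")
            incomplete.append(name)
            size = 0
        else:
            size = int(size_txt, 16)  # hex literal, as in a dwarfdump listing
        vtypes[name] = [size, {}]
    return vtypes, incomplete


if __name__ == "__main__":
    vtypes, incomplete = build_vtypes(SAMPLE_DWARF)
    for name, (size, _members) in vtypes.items():
        print("%-12s size=%d" % (name, size))
    if incomplete:
        print("incomplete types (no DW_AT_byte_size):", ", ".join(incomplete))
```

Run against a real `module.dwarf` from a profile zip, a non-empty `incomplete` list tells you which structures would trip the older parser; an empty list with the sizes you expect (for example a plausible `task_struct` size) is a quick indication that the profile and the installed Volatility version agree.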
@ekristen
Contributor

There is a newer build available here -- https://launchpad.net/~volatility-builds/+archive/ubuntu/stable

If you have time to take a look and install and let me know if that fixes things I can copy that into the official release of SIFT.

@Resistor52
Author

Thanks Erik. I will check it out this weekend. Here is my use case and current work-around: https://github.com/Resistor52/cloud_dfir_demo

@stale

stale bot commented Dec 30, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Dec 30, 2018
@stale stale bot closed this as completed Jan 8, 2019