
AFF4 Memory Image for RHEL 7.9 - No Suitable Address Space Mapping Found #797

Open
jonnythefox opened this issue May 26, 2021 · 3 comments

Comments

@jonnythefox

Hello,

As part of some testing, I used Tanium Collection for Linux (memory) to recover memory from a RHEL 7.9 instance. Tanium uses pmem under the hood to dump an image in AFF4 format. I subsequently used this image to generate a profile, using the recovered boot/system.map-* and dwarfdump. I then cloned the most recent aff4 python plugin I could locate, added the repo to PYTHONPATH, and then passed both parameters explicitly into the Vol command:

vol.py --plugins=/usr/local/lib/python2.7/pyaff4/pyaff4/aff4.py -f /home/user/Downloads/linux_mem_collection_test/memory_results/memory.zip --profile=Linuxrhel_79_maipo_profilex64 linux_pslist

Resultant output error - No suitable address space mapping found

Can anyone provide assistance? I'm not sure if this is a kernel issue, an image issue, or my command screw-up for the plugin.

Thank you!

@gleeda
Member

gleeda commented Jun 2, 2021

Have you tried extracting the memory sample from the zip file and running Volatility against that?

@jonnythefox
Author

Thanks Gleeda. I did try to extract the physical memory stream to a raw file using linpmem but this also threw an error. Is that what you mean?

@jcv-

jcv- commented Jun 2, 2021

Running into the exact same issue. I basically followed the following instructions: https://schatzforensic.com/insideout/2018/06/how-to-analyse-aff4-linux-memory-images/ but running into the "No suitable address space mapping found."

I have tried extracting /proc/kcore from the AFF4 container and running volatility against that, but get the same error message.
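An added example (not code from the issue's participants, from Volatility, or from pyaff4) that covers the two things this thread turns on: checking what an AFF4 container actually holds, and seeing how Volatility 2 arrives at "No suitable address space mapping found". The container check uses only the standard library (an AFF4 image is a ZIP carrying `container.description` and `information.turtle`); the stacking loop is a deliberately simplified model of Volatility 2's behaviour, not its real `utils.load_as`, and the volume URN, turtle metadata, address-space classes and DTB value are all constructed for the example.

```python
# Added example, not the reporter's or the Volatility/pyaff4 projects' code.
# Part 1 inspects an AFF4 container with the standard library only; part 2 is
# a simplified model of the Volatility 2 address-space stacking loop that ends
# in "No suitable address space mapping found". All URNs, metadata, classes
# and the DTB value below are constructed for illustration.
import io
import re
import zipfile

# Lexicon class that pyaff4/pmem attach to the physical-memory stream.
AFF4_MEMORY_PHYSICAL = "http://aff4.org/Schema#memory/physical"
VOLUME_URN = "aff4://11111111-2222-3333-4444-555555555555"  # constructed

SAMPLE_TURTLE = f"""\
@prefix aff4: <http://aff4.org/Schema#> .
<{VOLUME_URN}/PhysicalMemory>
    a aff4:Map ;
    aff4:category <{AFF4_MEMORY_PHYSICAL}> ;
    aff4:stored <{VOLUME_URN}> .
"""


def build_sample_container() -> bytes:
    """Constructed stand-in for a pmem image: a ZIP with the two AFF4 metadata
    members and one (zero-filled) data chunk for the physical-memory stream."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("container.description", VOLUME_URN)
        zf.writestr("information.turtle", SAMPLE_TURTLE)
        zf.writestr("PhysicalMemory/data/00000000", b"\x00" * 64)
    return buf.getvalue()


def inspect_aff4(data: bytes) -> dict:
    """Report whether `data` is an AFF4 ZIP container and which stream URNs are
    tagged as physical memory. A raw dump is not a ZIP and gives is_aff4=False."""
    info = {"is_aff4": False, "physical_memory_streams": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return info
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not {"container.description", "information.turtle"} <= set(zf.namelist()):
            return info
        info["is_aff4"] = True
        turtle = zf.read("information.turtle").decode("utf-8", "replace")
    # Every turtle statement ends with " ." at end of line; keep the subject of
    # each statement that carries the physical-memory category.
    for stmt in re.split(r"\.\s*(?:\n|$)", turtle):
        subj = re.match(r"\s*<(aff4://[^>]+)>", stmt)
        if subj and AFF4_MEMORY_PHYSICAL in stmt:
            info["physical_memory_streams"].append(subj.group(1))
    return info


class ASAssertionError(Exception):
    """A constructor's way of declining to layer on the offered base."""


class FileAddressSpace:  # always the bottom layer; raw bytes of the -f file
    order, astype = 0, "physical"

    def __init__(self, base, data, dtb):
        if base is not None:
            raise ASAssertionError("must be first address space")
        self.data = data
        # A raw dump is directly readable; a container's bytes are not.
        self.decoded = not inspect_aff4(data)["is_aff4"]


class AFF4AddressSpace:  # model of the plugin discussed in the thread
    order, astype = 10, "physical"

    def __init__(self, base, data, dtb):
        if not isinstance(base, FileAddressSpace):
            raise ASAssertionError("needs the file address space as base")
        if not inspect_aff4(base.data)["physical_memory_streams"]:
            raise ASAssertionError("base is not an AFF4 container with a memory stream")
        self.decoded = True  # a real AS would map reads into that stream


class LinuxPagedMemory:  # needs a readable physical layer plus the profile's DTB
    order, astype = 20, "virtual"

    def __init__(self, base, data, dtb):
        if base is None or base.astype != "physical" or not base.decoded:
            raise ASAssertionError("no readable physical address space to page-walk")
        if dtb is None:
            raise ASAssertionError("no DTB found for this profile")


def load_as(data, registered, dtb=None, astype="virtual"):
    """Simplified model of Volatility 2's stacking loop: keep trying every
    registered class, in `order`, on the current base until none accepts.
    Returns the stacked layer names or raises the thread's error together
    with each class's reason for declining."""
    base, layers, reasons = None, [], []
    while True:
        for cls in sorted(registered, key=lambda c: c.order):
            try:
                base = cls(base, data, dtb)
            except ASAssertionError as exc:
                reasons.append(f"{cls.__name__}: {exc}")
                continue
            layers.append(cls.__name__)
            break
        else:
            break  # no class accepted the current base; stacking is finished
    if base is None or base.astype != astype:
        raise RuntimeError("No suitable address space mapping found\n" + "\n".join(reasons))
    return layers


if __name__ == "__main__":
    img = build_sample_container()
    print(inspect_aff4(img))
    print(load_as(img, [FileAddressSpace, AFF4AddressSpace, LinuxPagedMemory], dtb=0x1000))
    try:  # AFF4 address space not registered: the error seen in the thread
        load_as(img, [FileAddressSpace, LinuxPagedMemory], dtb=0x1000)
    except RuntimeError as exc:
        print(exc)
```

The useful part of the real error is the list of reasons printed under it, one per address space that declined. If no line mentions the AFF4 address space at all, that class was never registered, which is the first thing to check (Volatility 2's `--plugins` option takes plugin directories); if it is listed but declines, the container itself is the thing to inspect, and `inspect_aff4` on the file shows whether a physical-memory stream is even present.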
