How to know the profile of a Linux memory dump with Volatility? [on hold]
I have a Linux memory dump which I need to analyze in order to discover a suspicious PID, however I don't have a profile or anything outside the dump file and using volatility imageinfo doesn't work.
How can I analyze it?
After an hour or so of volatility imageinfo I got this result:

    Volatility Foundation Volatility Framework 2.6
    INFO    : volatility.debug    : Determining profile based on KDBG search...
              Suggested Profile(s) : No suggestion (Instantiated with no profile)
                         AS Layer1 : LimeAddressSpace (Unnamed AS)
                         AS Layer2 : FileAddressSpace (dump)
                          PAE type : No PAE
What can I do now to know the profile that I need to work with?
Tags: linux, memory, forensics, dump
put on hold as unclear what you're asking by Rui F Ribeiro, Jeff Schaller, RalfFriedl, Romeo Ninov, JigglyNaga yesterday
Welcome to U&L! Your question requires more detail: how did you create the "memory dump" file? What exactly "doesn't work" -- do you get an error message?
– JigglyNaga
yesterday
Sadly I don't know the memory dump method, since I got only the result file without any context, and after doing the volatility command it keeps searching in the KDBG search like this:

    volatility imageinfo -f Atenea/dump
    Volatility Foundation Volatility Framework 2.6
    INFO    : volatility.debug    : Determining profile based on KDBG search...

However, I never get a result.
– Emiliano Pérez
yesterday
Apparently the dump I'm working with is an Ubuntu 16.04 dump, however volatility imageinfo doesn't recognize this kind of image dump, so I'll be searching for another way to solve the problem. Anyway, thanks for the help!
– Emiliano Pérez
yesterday
asked 2 days ago by Emiliano Pérez (New contributor), edited yesterday
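The output quoted in the question already explains why imageinfo stalls: its "KDBG search" looks for the Windows kernel debugger block, and Volatility 2 recognizes a Linux kernel only through a profile you build yourself from that kernel's System.map and a module.dwarf generated with the Makefile in Volatility's tools/linux directory. The first job is therefore to learn which kernel produced the dump, and the kernel's version banner is still sitting in the captured RAM. The script below is an added example (mine, not from the question or from the Volatility project): it walks the LiME container format that the output names (LimeAddressSpace), checks each segment header, and reports every "Linux version ..." banner together with the physical address it was captured from. The header layout follows the LiME README (32-byte little-endian header, inclusive end address); the sample dump, the kernel version 4.4.0-999-generic and the builder name in it are constructed placeholders, not values from the question.

```python
import mmap
import re
import struct
import sys

# LiME segment header as documented in the LiME README (assumption: header version 1):
#   u32 magic (0x4C694D45, "EMiL" on disk), u32 version, u64 first physical address,
#   u64 last physical address (inclusive), 8 reserved bytes; the raw pages follow.
LIME_MAGIC = 0x4C694D45
LIME_HEADER = struct.Struct("<IIQQ8s")

# The kernel's linux_banner string, e.g. "Linux version 4.4.0-NN-generic (user@host) (gcc ...".
BANNER_RE = re.compile(rb"Linux version (\d+\.\d+\.\d+[\w.+-]*) \(([^\s()]+)\)")


def parse_lime_ranges(data):
    """Walk every segment of a LiME container.

    Returns [(phys_start, phys_end, file_offset_of_pages), ...] and raises ValueError
    when the file does not carry LiME headers or a segment runs past the end of file,
    so a truncated or non-LiME capture is reported instead of silently mis-mapped.
    """
    ranges = []
    off = 0
    while off < len(data):
        if off + LIME_HEADER.size > len(data):
            raise ValueError(f"truncated LiME header at file offset {off:#x}")
        magic, _version, s_addr, e_addr, _reserved = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad LiME magic {magic:#x} at file offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"malformed segment at file offset {off:#x}: end < start")
        length = e_addr - s_addr + 1          # end address is inclusive
        pages_off = off + LIME_HEADER.size
        if pages_off + length > len(data):
            raise ValueError(f"segment at {off:#x} claims {length} bytes past end of file")
        ranges.append((s_addr, e_addr, pages_off))
        off = pages_off + length
    return ranges


def file_offset_to_phys(ranges, file_off):
    """Map a file offset to the physical address it was captured from, or None for headers."""
    for s_addr, e_addr, pages_off in ranges:
        if pages_off <= file_off <= pages_off + (e_addr - s_addr):
            return s_addr + (file_off - pages_off)
    return None


def find_kernel_banners(data, ranges):
    """Return {kernel_version: (builder, physical_address)} for each distinct banner."""
    found = {}
    for m in BANNER_RE.finditer(data):
        version = m.group(1).decode("ascii", "replace")
        builder = m.group(2).decode("ascii", "replace")
        found.setdefault(version, (builder, file_offset_to_phys(ranges, m.start())))
    return found


def build_sample_dump():
    """Constructed two-segment LiME file for offline testing; NOT a real capture."""
    banner = (b"Linux version 4.4.0-999-generic (builder@example) "
              b"(gcc version 5.3.1 (constructed)) #1 SMP Mon Jan 1 00:00:00 UTC 2016\n")
    seg1 = bytearray(0x1000)
    seg1[0x400:0x400 + len(banner)] = banner       # banner lands at phys 0x1000 + 0x400
    seg2 = b"\xff" * 0x800                         # a second, unrelated RAM range
    hdr1 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x1000, 0x1000 + len(seg1) - 1, bytes(8))
    hdr2 = LIME_HEADER.pack(LIME_MAGIC, 1, 0x100000, 0x100000 + len(seg2) - 1, bytes(8))
    return hdr1 + bytes(seg1) + hdr2 + seg2


def report(data):
    """Parse the container and collect banners; returns (ranges, banners)."""
    ranges = parse_lime_ranges(data)
    return ranges, find_kernel_banners(data, ranges)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:            # mmap so multi-GB dumps are not read into RAM
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            ranges, banners = report(data)
    else:
        ranges, banners = report(build_sample_dump())
    for s_addr, e_addr, pages_off in ranges:
        print(f"segment phys {s_addr:#x}-{e_addr:#x} at file offset {pages_off:#x}")
    for version, (builder, phys) in banners.items():
        print(f"kernel {version} built by {builder}, banner at phys {phys:#x}")
```

Run it with the dump path as its only argument; with no argument it parses the constructed sample. The version it reports is what you need to pick matching kernel headers and the System.map for that exact build, produce module.dwarf with the tools/linux Makefile, and zip the two into a profile under plugins/overlays/linux, after which linux_pslist with --profile replaces the imageinfo step. Expect more than one banner in a real dump: page cache can hold the banner of a vmlinuz file or an older kernel package, so treat the builder string and the number of hits as corroborating evidence and confirm the choice by checking that linux_pslist returns a sane process list under the profile you built.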