How to know the profile of a Linux memory dump with Volatility? [on hold]
I have a Linux memory dump which I need to analyze in order to discover a suspicious PID; however, I don't have a profile or anything outside the dump file, and using volatility imageinfo doesn't work.
How can I analyze it?



After an hour or so of volatility imageinfo I got this result:
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : LimeAddressSpace (Unnamed AS)
AS Layer2 : FileAddressSpace (dump)
PAE type : No PAE

What can I do now to know the profile that I need to work with?
put on hold as unclear what you're asking by Rui F Ribeiro, Jeff Schaller, RalfFriedl, Romeo Ninov, JigglyNaga Nov 16 at 7:58
  • Welcome to U&L! Your question requires more detail: how did you create the "memory dump" file? What exactly "doesn't work" -- do you get an error message?
    – JigglyNaga
    Nov 16 at 7:58
  • Sadly I don't know the memory dump method, since I got only the result file without any context, and after running the volatility command it keeps searching in the KDBG search like this: volatility imageinfo -f Atenea/dump Volatility Foundation Volatility Framework 2.6 INFO : volatility.debug : Determining profile based on KDBG search... However, I never get a result.
    – Emiliano Pérez
    Nov 16 at 16:15
  • Apparently the dump I'm working with is an Ubuntu 16.04 dump; however, volatility imageinfo doesn't recognize this kind of image dump, so I'll be searching for another way to solve the problem. Anyway, thanks for the help!
    – Emiliano Pérez
    Nov 16 at 19:03
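The imageinfo output above shows that Volatility already recognised the file as a LiME image (LimeAddressSpace); the KDBG scan that imageinfo relies on is Windows-only, so for Linux the analyst has to choose the profile, which means first finding out which kernel build the dump came from. As an added example (not part of the question, and not Volatility's own code), this Python script parses the LiME range headers and scans the image for the kernel's "Linux version ..." build banner, whose kernel release and distro string tell you which kernel's System.map and module.dwarf a Volatility 2 Linux profile must be built from; it assumes the header layout from LiME's lime.h and uses a constructed Ubuntu 16.04-style banner as sample input.

```python
import re
import struct

# LiME range header (lime.h): magic, version, start addr, end addr, 8 reserved bytes.
LIME_MAGIC = 0x4C694D45                      # stored little-endian, reads as b"EMiL"
LIME_HEADER = struct.Struct("<IIQQ8s")
# The kernel's build banner stays in memory and names the exact kernel a profile must match.
BANNER_RE = re.compile(rb"Linux version \d+\.\d+\.\d+[\w.+-]*[^\x00\n]{0,200}")
# Constructed sample banner in Ubuntu 16.04 style (not taken from a real system).
SAMPLE_BANNER = (b"Linux version 4.4.0-0-generic (buildd@example) "
                 b"(gcc version 5.4.0 (Ubuntu 5.4.0-6ubuntu1~16.04.0)) #0-Ubuntu SMP")


def lime_segments(data):
    """Walk the LiME headers; return [(s_addr, e_addr, payload_offset), ...]."""
    segments, off = [], 0
    while off + LIME_HEADER.size <= len(data):
        magic, _version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(data, off)
        if magic != LIME_MAGIC:
            raise ValueError("no LiME header at file offset %d" % off)
        payload = off + LIME_HEADER.size
        segments.append((s_addr, e_addr, payload))
        off = payload + (e_addr - s_addr + 1)    # next header follows this range's bytes
    return segments


def find_kernel_banners(data):
    """Distinct 'Linux version ...' strings found anywhere in the image."""
    return sorted({m.group(0).decode("ascii", "replace") for m in BANNER_RE.finditer(data)})


def build_sample_dump():
    """Two-segment LiME image built in memory so the script runs without a real dump."""
    def segment(s_addr, payload):
        e_addr = s_addr + len(payload) - 1
        return LIME_HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\x00" * 8) + payload
    seg1 = b"\x00" * 64 + SAMPLE_BANNER + b"\x00" * 64
    seg2 = b"\xff" * 32
    return segment(0x1000, seg1) + segment(0x100000, seg2)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for s, e, off in lime_segments(data):
        print("range 0x%x-0x%x at file offset %d" % (s, e, off))
    for banner in find_kernel_banners(data):
        print("kernel banner:", banner)
```

Run it with the dump path as the only argument; once the banner gives you the kernel release, a Volatility 2 profile built for that exact kernel can be passed with --profile instead of relying on imageinfo.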
Tags: linux, memory, forensics, dump
edited Nov 16 at 17:00
asked Nov 15 at 19:34
Emiliano Pérez