Can you send me the `uname -a` output from the sample the memory system came from? I can just build you a profile (and show you the steps how I did it).
Thanks,
Andrew (@attrc)

On 05/04/2016 10:42 AM, Thomas Hungenberg wrote:
> Hi Andrew,
>
> I set up a fresh VM using the same Debian kernel version. The kernel
> binary files in /boot had a different MD5, most likely due to an older
> security patch level. So I copied the kernel binary files from the
> virtual hard disk image to my new VM and rebooted to make sure I'm running
> exactly the same kernel version for creating the profile.
>
> But maybe I also need to copy the header files from the virtual hard disk
> first?
> The kernel version is the same but apparently a different security patch
> level.
>
> Cheers,
> Thomas
>
> On 04.05.2016 17:24, Andrew Case wrote:
>> Hey Thomas,
>>
>> Did you verify that the kernel version was exactly the same? It is not
>> so much the OS version (e.g., version of Debian), but it is that the
>> kernel versions must match *exactly*. If you still have access to each
>> machine you can compare the "uname -r" output to see - if these differ
>> then the profile won't work.
>>
>> If you can't get a VM with the exact kernel version, then you can just
>> download the correct kernel headers from the debian repo and then:
>>
>> 1) cd tools/linux (inside volatility source checkout)
>> 2) edit Makefile.enterprise to point KDIR to where you extracted the headers
>> 3) run: make -f Makefile.enterprise
>>
>> Please let me know if you have any questions.
>>
>> Thanks,
>> Andrew (@attrc)
>>
>> On 05/04/2016 09:35 AM, Thomas Hungenberg wrote:
>>> On 04.05.2016 16:25, Adam Pridgen wrote:
>>>> Which profile are you using? You should create a profile for the Linux VM
>>>> you are trying to analyze. I have had to do this for several clean
>>>> installs of Ubuntu because of Linux kernel versions.
>>>
>>> I set up a fresh VM with Debian Linux in the same version the virtual
>>> server was running. Next, I installed the kernel image and related files
>>> extracted from the virtual hard disk on this new VM to get a Linux system
>>> running exactly the same kernel version. Then I created a Volatility
>>> profile on this VM.
>>>
>>> - Thomas
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> [email protected]
>>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
