As a quick check, can you verify that mac_get_profile matches the one you are using? Don't specify --profile when running it.
Thanks,
Andrew (@attrc)

On 06/03/2016 03:09 AM, Rob Hunter wrote:
> Hello list,
>
> I’m trying to use Volatility on an OSX memory dump. I was unable to
> download mac memory reader as the site is offline. I’ve used osxpmem
> from recall.
>
> The commands I used to perform the dump were:
>
> sudo kextutil MacPmem.kext
> sudo ./osxpmem --format elf -o ./ram.dump
>
> I then moved ram.dump into my volatility directory
>
> To check my downloaded profile is included I’ve run the command
> ./volatility_2.5_mac --plugins=./mac —imageinfo
> and then I ran
>
> ./volatility_2.5_mac --plugins=./mac
> --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist
>
> and got
>
> Volatility Foundation Volatility Framework 2.5
> Offset Name Pid Uid Gid PGID
> Bits DTB Start Time
> ------------------ -------------------- -------- -------- --------
> -------- ------------ ------------------ ----------
> No suitable address space mapping found
> Tried to open image as:
> MachOAddressSpace: mac: need base
> LimeAddressSpace: lime: need base
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace64BitMap: No base Address Space
> VMWareMetaAddressSpace: No base Address Space
> WindowsCrashDumpSpace64: No base Address Space
> HPAKAddressSpace: No base Address Space
> VirtualBoxCoreDumpElf64: No base Address Space
> QemuCoreDumpElf: No base Address Space
> VMWareAddressSpace: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> AMD64PagedMemory: No base Address Space
> IA32PagedMemoryPae: No base Address Space
> IA32PagedMemory: No base Address Space
> OSXPmemELF: No base Address Space
> MachOAddressSpace: MachO Header signature invalid
> LimeAddressSpace: Invalid Lime header signature
> WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
> WindowsCrashDumpSpace64BitMap: Header signature invalid
> VMWareMetaAddressSpace: VMware metadata file is not available
> WindowsCrashDumpSpace64: Header signature invalid
> HPAKAddressSpace: Invalid magic found
> VirtualBoxCoreDumpElf64: ELF Header signature invalid
> QemuCoreDumpElf: ELF Header signature invalid
> VMWareAddressSpace: Invalid VMware signature: 0x4034b50
> WindowsCrashDumpSpace32: Header signature invalid
> AMD64PagedMemory: Failed valid Address Space check
> IA32PagedMemoryPae: Failed valid Address Space check
> IA32PagedMemory: Failed valid Address Space check
> OSXPmemELF: ELF Header signature invalid
> FileAddressSpace: Must be first Address Space
> ArmAddressSpace: Failed valid Address Space check
>
>
> Apparently my OSXPmemElf signature is invalid. What can I do to dump
> memory with a valid signature? Or does my problem lie elsewhere?
>
> Regards,
> Rob
>
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
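
An added example, not part of the thread and not Volatility's own code: the VMWareAddressSpace line in the quoted output prints the 32-bit signature it read, 0x4034b50, which as little-endian bytes is `PK\x03\x04`, the ZIP local-file-header magic (AFF4 volumes are ZIP-based). Assuming that value came from the start of ram.dump, the Python below checks a dump's leading bytes against the containers named in the output and, for ELF64, reports whether the header is a core file; all function names are hypothetical.

```python
import struct
import sys

# Leading bytes of the containers named in the quoted output, plus ZIP,
# the container that AFF4 volumes are built on.
MAGICS = [
    (b"\x7fELF", "ELF"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),
    (b"EMiL", "LiME"),
    (b"PK\x03\x04", "ZIP"),
]
ET_CORE = 4  # ELF e_type value for a core file

def identify_header(head):
    """Name the container implied by the first bytes of a dump file."""
    for magic, label in MAGICS:
        if head.startswith(magic):
            return label
    return "unknown"

def elf64_summary(head):
    """Return (is_core, program_header_count) for a little-endian ELF64 header, else None."""
    if len(head) < 64 or head[:4] != b"\x7fELF" or head[4] != 2 or head[5] != 1:
        return None
    fields = struct.unpack("<16sHHIQQQIHHHHHH", head[:64])
    e_type, e_phnum = fields[1], fields[10]
    return (e_type == ET_CORE, e_phnum)

def signature_to_bytes(value):
    """Convert a 32-bit signature printed as an integer back to little-endian file bytes."""
    return struct.pack("<I", value)

def check(path):
    """Read the first 64 bytes of a dump and return (container, elf64_summary)."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return identify_header(head), elf64_summary(head)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))
    else:
        # Value taken from the VMWareAddressSpace line in the quoted output.
        head = signature_to_bytes(0x4034b50)
        print(head, identify_header(head))
```

Run it with the dump path as the only argument; a result of `ZIP` rather than `ELF` means the file on disk is not in the format the ELF address spaces expect.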
