Tweet
Hi,
I'm just starting to use Volatility Benchmark and i'm trying to analyze a linux memory.
This my banner from the system i dumped the mem from:
Volatility 3 Framework 2.21.0
Formatting...0.00 PDB scanning finished
| Offset | Banner
* | 0x19916d920 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x19930ec00 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x19a948a20 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)2)
* | 0x19ad19498 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x355bb6220 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)2)
* | 0x357853120 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x3579f4400 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x35aa15c98 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
* | 0x3ffe32388 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3 #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
So i added all ubuntu 6.8.0 symbols files to [Volatility Workbench Path]\Symbols\linux\Ubuntu\6.8.0\[all versions].
I especially added
Ubuntu_6.8.0-51-lowlatency_6.8.0-51.52.1_amd64.json.xz
Ubuntu_6.8.0-51-lowlatency_6.8.0-51.52.1~22.04.1_amd64.json.xz
Ubuntu_6.8.0-52-generic_6.8.0-52.53_amd64.json.xz
Ubuntu_6.8.0-52-generic_6.8.0-52.53~22.04.1_amd64.json.xz
Ubuntu_6.8.1-1015-realtime_6.8.1-1015.16_amd64.json.xz
files to [Volatility Workbench Path]\Symbols\linux\
Still i get this message from workbench:
"C:\Forensic progs\Volatility Workbench\vol.exe" -f "D:\NDG\linmemdump.raw" linux.pslist.PsList
Please wait, this may take a few minutes.
Volatility 3 Framework 2.11.0
OFFSET (V) PID TID PPID COMM CREATION TIME File output
Time Stamp: Sun Mar 30 16:01:31 2025
******* End of command output ******
I would appreciate some help what i'm doing wrong.
Thanks.
I'm just starting to use Volatility Benchmark and i'm trying to analyze a linux memory.
This my banner from the system i dumped the mem from:
Volatility 3 Framework 2.21.0
Formatting...0.00 PDB scanning finished
| Offset | Banner
* | 0x19916d920 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x19930ec00 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x19a948a20 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)2)* | 0x19ad19498 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x355bb6220 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)2)* | 0x357853120 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x3579f4400 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x35aa15c98 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)* | 0x3ffe32388 | Linux version 6.8.0-51-generic (buildd@lcy02-amd64-057) (x86_64-linux-gnu-gcc-12 (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0, GNU ld (GNU Binutils for Ubuntu) 2.3
#52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec 9 15:00:52 UTC 2 (Ubuntu 6.8.0-51.52~22.04.1-generic 6.8.12)
So i added all ubuntu 6.8.0 symbols files to [Volatility Workbench Path]\Symbols\linux\Ubuntu\6.8.0\[all versions].
I especially added
Ubuntu_6.8.0-51-lowlatency_6.8.0-51.52.1_amd64.json.xz
Ubuntu_6.8.0-51-lowlatency_6.8.0-51.52.1~22.04.1_amd64.json.xz
Ubuntu_6.8.0-52-generic_6.8.0-52.53_amd64.json.xz
Ubuntu_6.8.0-52-generic_6.8.0-52.53~22.04.1_amd64.json.xz
Ubuntu_6.8.1-1015-realtime_6.8.1-1015.16_amd64.json.xz
files to [Volatility Workbench Path]\Symbols\linux\
Still i get this message from workbench:
"C:\Forensic progs\Volatility Workbench\vol.exe" -f "D:\NDG\linmemdump.raw" linux.pslist.PsList
Please wait, this may take a few minutes.
Volatility 3 Framework 2.11.0
OFFSET (V) PID TID PPID COMM CREATION TIME File output
Time Stamp: Sun Mar 30 16:01:31 2025
******* End of command output ******
I would appreciate some help what i'm doing wrong.
Thanks.
Comment