Hello list, I’m trying to use Volatility on an OSX memory dump. I was unable to download Mac Memory Reader as the site is offline. I’ve used osxpmem from Rekall.
The commands I used to perform the dump were:

    sudo kextutil MacPmem.kext
    sudo ./osxpmem --format elf -o ./ram.dump

I then moved ram.dump into my volatility directory.

To check my downloaded profile is included I’ve run the command

    ./volatility_2.5_mac --plugins=./mac --imageinfo

and then I ran

    ./volatility_2.5_mac --plugins=./mac --profile=MacElCapitan_10_11_4_15E65x64 -f ../ram.dump mac_pslist

and got

    Volatility Foundation Volatility Framework 2.5
    Offset Name Pid Uid Gid PGID Bits DTB Start Time
    ------------------ -------------------- -------- -------- -------- -------- ------------ ------------------ ----------
    No suitable address space mapping found
    Tried to open image as:
     MachOAddressSpace: mac: need base
     LimeAddressSpace: lime: need base
     WindowsHiberFileSpace32: No base Address Space
     WindowsCrashDumpSpace64BitMap: No base Address Space
     VMWareMetaAddressSpace: No base Address Space
     WindowsCrashDumpSpace64: No base Address Space
     HPAKAddressSpace: No base Address Space
     VirtualBoxCoreDumpElf64: No base Address Space
     QemuCoreDumpElf: No base Address Space
     VMWareAddressSpace: No base Address Space
     WindowsCrashDumpSpace32: No base Address Space
     AMD64PagedMemory: No base Address Space
     IA32PagedMemoryPae: No base Address Space
     IA32PagedMemory: No base Address Space
     OSXPmemELF: No base Address Space
     MachOAddressSpace: MachO Header signature invalid
     LimeAddressSpace: Invalid Lime header signature
     WindowsHiberFileSpace32: PO_MEMORY_IMAGE is not available in profile
     WindowsCrashDumpSpace64BitMap: Header signature invalid
     VMWareMetaAddressSpace: VMware metadata file is not available
     WindowsCrashDumpSpace64: Header signature invalid
     HPAKAddressSpace: Invalid magic found
     VirtualBoxCoreDumpElf64: ELF Header signature invalid
     QemuCoreDumpElf: ELF Header signature invalid
     VMWareAddressSpace: Invalid VMware signature: 0x4034b50
     WindowsCrashDumpSpace32: Header signature invalid
     AMD64PagedMemory: Failed valid Address Space check
     IA32PagedMemoryPae: Failed valid Address Space check
     IA32PagedMemory: Failed valid Address Space check
     OSXPmemELF: ELF Header signature invalid
     FileAddressSpace: Must be first Address Space
     ArmAddressSpace: Failed valid Address Space check

Apparently my OSXPmemElf signature is invalid. What can I do to dump memory with a valid signature? Or does my problem lie elsewhere?

Regards,
Rob
_______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
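
An added example, not part of the original post and not Volatility or osxpmem code: a small Python check that identifies a dump's container format from its leading magic bytes and decodes the value in the "Invalid VMware signature: 0x4034b50" line above. It assumes that value is the file's first four bytes read as a little-endian 32-bit integer; the function names are hypothetical.

```python
import struct
import sys

# Leading magic bytes for container formats named in the address-space list above.
MAGICS = [
    (b"\x7fELF", "ELF"),
    (b"PK\x03\x04", "ZIP container"),         # ZIP local file header
    (b"EMiL", "LiME"),                        # 0x4C694D45 stored little-endian
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),   # 0xfeedfacf stored little-endian
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),   # 0xfeedface stored little-endian
]


def identify_container(header):
    """Return the container name matching the first bytes of a file."""
    for magic, name in MAGICS:
        if header.startswith(magic):
            return name
    return "unknown (raw image or unsupported container)"


def signature_bytes(value):
    """On-disk bytes for a 32-bit value reported in an error message.

    Assumption: the tool read the header field as little-endian.
    """
    return struct.pack("<I", value)


def identify_file(path):
    """Identify a dump on disk by reading only its first 16 bytes."""
    with open(path, "rb") as fh:
        return identify_container(fh.read(16))


if __name__ == "__main__":
    reported = 0x4034b50  # value quoted in the Volatility output above
    raw = signature_bytes(reported)
    print("reported signature bytes:", raw, "->", identify_container(raw))
    # Optionally check real files: python check_magic.py ram.dump
    for path in sys.argv[1:]:
        print(path, "->", identify_file(path))
```

If a dump reports as a ZIP container, Volatility's ELF address spaces will reject it whatever profile is selected, because the file does not begin with the ELF magic.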
