Profiles not appearing after saving the zip file

Question

Profiles not appearing after saving the zip file

cybercuffs opened this issue 9 years ago · comments

I saved the Mac 10.10.3 profile zip file in volatility-2.4/volatility/plugins/overlays/mac but when doing vol.py --info, it is not appearing there. Did I miss anything?

gleeda (Jamie Levy) · Answer 1 · Fri Jul 17 2015 22:11:54 GMT+0800 (China Standard Time)

you should see one of the following when doing python vol.py --info:

MacYosemite_10_10_3_14D131x64  - A Profile for Mac Yosemite_10.10.3_14D131 x64
MacYosemite_10_10_3_14D136x64  - A Profile for Mac Yosemite_10.10.3_14D136 x64

^ do you see one of those ?

gleeda (Jamie Levy) · Answer 2 · Fri Jul 17 2015 22:13:01 GMT+0800 (China Standard Time)

(also make sure you are running the same vol.py where you put the profile, just in case you are not running it from within the same folder)

Tom Asselman · Answer 3 · Thu Aug 06 2015 21:12:50 GMT+0800 (China Standard Time)

Hello ,
I seem to have a similar problem , I copied Yosemite_10.10_14A389.zip to the volatility/plugins/overlays/mac folder but the profile does not appear ...
But when I tried for example the Lion_10.7.4_Intel.zip it DOES appear in the list !
A small bug ?

cybercuffs · Answer 4 · Wed Aug 26 2015 06:35:56 GMT+0800 (China Standard Time)

I know it works no matter from where we run the vol.py --info as I've made some linux profiles in the past. Still, I tried running it from the same folder where my profile is i.e. volatility-2.4/volatility/plugins/overlays/mac but no luck.

dso · Answer 5 · Wed Aug 26 2015 06:40:17 GMT+0800 (China Standard Time)

I had some similar issues with overlays not being found on my systems. I found that when I added a .volatilityrc to my home directory, this helped alleviate some path issues. Here is what my config file looks like:

[DEFAULT]
plugins=/research_data/vol_profiles/

HTH.

gleeda (Jamie Levy) · Answer 6 · Wed Aug 26 2015 09:04:41 GMT+0800 (China Standard Time)

@cybercuffs did you try running it from the volatility-2.4 folder ?

cybercuffs · Answer 7 · Sat Sep 12 2015 04:58:48 GMT+0800 (China Standard Time)

I have alias set for it so I can run from any cwd. I deleted the zip and downloaded a fresh copy and it works fine. Though the new copy is of the same size, not sure what went wrong to previous one.

Holger Ohmacht · Answer 8 · Mon Mar 27 2017 06:54:24 GMT+0800 (China Standard Time)

Hi, I still have problems too. It's running under debian 8.6, x86_64 and I tried with the .volatilityrc plugins path stuff but I can't get no Linux plugin id at volatility --info. (Copied the file into that folder) Any Idea?

[DEFAULT]
LOCATION=/home/user/.config/volatility/plugins

gleeda (Jamie Levy) · Answer 9 · Wed Mar 29 2017 04:47:18 GMT+0800 (China Standard Time)

So there's an issue with your config file. First the LOCATION variable is for the memory sample, not plugins. Second, the path has to have a file:// prefix. Therefore you would have:

[DEFAULT]
LOCATION="file:///home/user/path/to/mem.dmp"

If you wanted to add the location for a plugins directory, you also have to prefix it with "file://" For example:

[DEFAULT]
LOCATION="file:///Location/to/win7.vmem"
PROFILE=Win7SP1x86
DTB=0x3f4b5160
KDBG=0x82b74c28
PLUGINS="file:///Location/to/extra/plugins/folder"

Notice that you can put any flag variable you want in the config file. If you have a file volatilityrc that can be near where you are invoking vol.py. If you are using .volatilityrc (notice the '.') then you need to make sure that it is in your home directory. Let me know if this helps and I'll close the issue.

november · Answer 10 · Thu Aug 17 2017 18:13:26 GMT+0800 (China Standard Time)

I too have the same problem. When I make a Linux profile in the target machine it appears when i type vol.py --info | grep Linux but when I copy the profile.zip in my investigation machine, with the same command, the profile doesn't appear.