[Forensics-changes] [volatility] 02/02: Imported Debian patch 2.5+git20161021.19d1211-1
Joao Eriberto Mota Filho
eriberto at moszumanska.debian.org
Thu Oct 27 12:11:33 UTC 2016
This is an automated email from the git hooks/post-receive script.
eriberto pushed a commit to branch debian
in repository volatility.
commit 3f00743933ce0c8b395173fb7934ef9f22e0e4e0
Merge: fe4316d 9dce184
Author: Joao Eriberto Mota Filho <eriberto at debian.org>
Date: Sat Oct 22 13:02:46 2016 -0200
Imported Debian patch 2.5+git20161021.19d1211-1
README.txt | 107 +-
contrib/plugins/malware/psempire.py | 97 +
contrib/plugins/saveconfig.py | 163 +
debian/changelog | 22 +
debian/compat | 2 +-
debian/control | 9 +-
debian/copyright | 33 +-
debian/manpage/create-man.sh | 13 +
debian/manpage/genallman.sh | 30 -
debian/manpage/volatility.1 | 23 +-
debian/manpage/volatility.header | 1 -
debian/manpage/volatility.txt | 10 +-
debian/patches/10_python-macos-interpreter.patch | 13 +
debian/patches/series | 1 +
debian/rules | 13 +-
debian/source/lintian-overrides | 4 +
debian/volatility-tools.README.Debian | 6 +-
debian/watch | 1 +
pyinstaller.spec | 2 +
tools/doxygen/config | 2310 ++++
tools/doxygen/d3/createtree.py | 32 +
tools/doxygen/d3/d3.js | 5 +
tools/doxygen/d3/tree.html | 176 +
tools/doxygen/vol.png | Bin 0 -> 25074 bytes
tools/linux/module.c | 5 +-
tools/mac/convert.py | 9 +-
tools/mac/mac_create_all_profiles.py | 5 +-
tools/mac/parse_pbzx2.py | 87 +
volatility/addrspace.py | 2 +
volatility/commands.py | 10 +-
volatility/obj.py | 5 +-
volatility/plugins/addrspaces/amd64.py | 186 +-
volatility/plugins/addrspaces/elfcoredump.py | 2 +-
volatility/plugins/addrspaces/hibernate.py | 4 +-
volatility/plugins/addrspaces/intel.py | 48 +-
volatility/plugins/addrspaces/paged.py | 32 +
volatility/plugins/bigpagepools.py | 30 +-
volatility/plugins/cmdline.py | 22 +-
volatility/plugins/drivermodule.py | 22 +-
volatility/plugins/evtlogs.py | 1 +
volatility/plugins/getsids.py | 24 +-
volatility/plugins/gui/editbox.py | 725 +-
volatility/plugins/iehistory.py | 117 +-
volatility/plugins/linux/arp.py | 21 +-
volatility/plugins/linux/aslr_shift.py | 43 +
volatility/plugins/linux/check_modules.py | 4 +-
volatility/plugins/linux/check_syscall.py | 7 +-
volatility/plugins/linux/common.py | 9 +-
volatility/plugins/linux/dmesg.py | 4 +-
volatility/plugins/linux/find_file.py | 22 +-
volatility/plugins/linux/hidden_modules.py | 4 +-
volatility/plugins/linux/malfind.py | 11 +-
volatility/plugins/linux/mount.py | 46 +-
volatility/plugins/linux/netscan.py | 3 +
volatility/plugins/linux/netstat.py | 2 +-
volatility/plugins/linux/pkt_queues.py | 39 +-
volatility/plugins/linux/pslist.py | 63 +-
volatility/plugins/linux/psscan.py | 92 +
volatility/plugins/linux/psxview.py | 31 +-
volatility/plugins/mac/apihooks.py | 10 +-
volatility/plugins/mac/bash_env.py | 28 +-
volatility/plugins/mac/bash_hash.py | 11 +-
volatility/plugins/mac/check_fop.py | 131 +
volatility/plugins/mac/classes.py | 108 +
volatility/plugins/mac/devfs.py | 88 +
volatility/plugins/mac/get_profile.py | 88 +-
volatility/plugins/mac/interest_handlers.py | 188 +
volatility/plugins/mac/kevents.py | 131 +
volatility/plugins/mac/list_files.py | 197 +-
volatility/plugins/mac/lsmod_iokit.py | 2 +-
volatility/plugins/mac/netconns.py | 2 +-
volatility/plugins/mac/pslist.py | 40 +-
volatility/plugins/mac/pstasks.py | 20 -
volatility/plugins/mac/recover_filesystem.py | 3 +-
volatility/plugins/mac/timers.py | 99 +
volatility/plugins/mac/vfsevents.py | 76 +
volatility/plugins/malware/malfind.py | 15 +-
volatility/plugins/malware/servicediff.py | 16 +-
volatility/plugins/malware/svcscan.py | 16 +-
volatility/plugins/malware/threads.py | 190 +-
volatility/plugins/mbrparser.py | 6 +-
volatility/plugins/overlays/linux/elf.py | 24 +-
volatility/plugins/overlays/linux/linux.py | 274 +-
volatility/plugins/overlays/mac/mac.py | 472 +-
volatility/plugins/overlays/windows/pe_vtypes.py | 56 +-
volatility/plugins/overlays/windows/vad_vtypes.py | 25 +-
volatility/plugins/overlays/windows/vista.py | 10 +
volatility/plugins/overlays/windows/win10.py | 256 +-
.../overlays/windows/win10_x64_1AC738FB_vtypes.py | 13258 ++++++++++++++++++
.../overlays/windows/win10_x64_DD08DD42_vtypes.py | 13679 +++++++++++++++++++
.../overlays/windows/win10_x86_44B89EEA_vtypes.py | 12767 +++++++++++++++++
.../overlays/windows/win10_x86_9619274A_vtypes.py | 13166 ++++++++++++++++++
volatility/plugins/overlays/windows/win2003.py | 7 +
volatility/plugins/overlays/windows/win7.py | 30 +
.../windows/win7_sp1_x64_632B36E0_vtypes.py | 9232 +++++++++++++
.../windows/win7_sp1_x86_BBA98F40_vtypes.py | 8842 ++++++++++++
volatility/plugins/overlays/windows/win8.py | 23 +
volatility/plugins/overlays/windows/win8_kdbg.py | 60 +-
.../windows/win8_sp1_x64_54B5A1C6_vtypes.py | 11259 +++++++++++++++
volatility/plugins/overlays/windows/xp.py | 2 +
volatility/plugins/registry/auditpol.py | 61 +-
volatility/plugins/registry/shellbags.py | 2 +-
volatility/plugins/registry/shutdown.py | 12 +-
volatility/plugins/strings.py | 20 +-
volatility/plugins/tcaudit.py | 2 +
volatility/plugins/timeliner.py | 2 +-
volatility/plugins/vadinfo.py | 7 +-
volatility/plugins/volshell.py | 37 +-
volatility/renderers/sqlite.py | 12 +-
volatility/win32/hashdump.py | 2 +
volatility/win32/tasks.py | 8 +-
111 files changed, 88805 insertions(+), 1077 deletions(-)
diff --cc debian/changelog
index f7f3c1e,0000000..0f433a5
mode 100644,000000..100644
--- a/debian/changelog
+++ b/debian/changelog
@@@ -1,210 -1,0 +1,232 @@@
++volatility (2.5+git20161021.19d1211-1) unstable; urgency=medium
++
++ * New upstream release. This release fixes partially an issue with Kernel
++ Linux 4.7. (see #839754)
++ * Bumped DH level to 10.
++ * Using GitHub project page as official upstream homepage.
++ * debian/control: updated the long description for volatility.
++ * debian/copyright: updated some upstream copyright dates.
++ * debian/manpages:
++ - Changed from genallman.sh to create-man.sh.
++ - Updated manpage as '2.6-pre' version.
++ * debian/patches/10_python-macos-interpreter.patch: added to provides an
++ interpreter for python in MacOs.
++ * debian/rules:
++ - Removed the --parallel option from dh.
++ - Removed the override_dh_auto_build target.
++ * debian/source/lintian-overrides: added to override a lintian mistake.
++ * debian/volatility-tools.README.Debian: updated.
++ * debian/watch: added a dversionmangle to ignore the current Git version.
++
++ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 22 Oct 2016 13:02:46 -0200
++
+volatility (2.5-2) unstable; urgency=medium
+
+ * debian/control:
+ - Bumped Standards-Version to 3.9.8.
+ - Fixed the name "openSUSE" in long description.
+ - Updated the Vcs-* fields to use https instead of http and git.
+ * debian/copyright: updated the packaging copyright years.
+ * debian/manpage/: updated the manpage. (Closes: #824438)
+ * debian/watch: bumped to version 4.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sun, 07 Aug 2016 18:54:34 -0300
+
+volatility (2.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/clean: not needed. Removed.
+ * debian/control: updated the long description.
+ * debian/copyright:
+ - The upstream's README.txt says GPL-2+. So, updated the
+ license in debian/copyright.
+ - Relicensed the packaging to be compliant with upstream.
+ - Updated all information.
+ * debian/gbp.conf: not used by me... Removed.
+ * debian/manpage/:
+ - Updated the manpage.
+ - Updated the genallman.sh to v0.3.
+ * debian/source/options: not needed. Removed.
+ * debian/volatility.docs: added AUTHORS.txt and CREDITS.txt.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 21 Nov 2015 12:01:43 -0200
+
+volatility (2.4.1-2) unstable; urgency=medium
+
+ * Upload to unstable. Welcome Jessie Stable.
+ * debian/control: fixed the extra spaces between lines. Thanks to
+ Davide Prina <davide.prina at gmail.com> (Closes: #768775)
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Wed, 29 Apr 2015 12:57:04 -0300
+
+volatility (2.4.1-1) experimental; urgency=medium
+
+ * New upstream release.
+ * debian/copyright:
+ - Removed the block 'Files: tools/linux/pmem/pmem.c'. The pmem no longer
+ exists in Volatility.
+ - Removed not used 'Apache-2.0' licence text.
+ - Updated the packaging copyright years.
+ * debian/man/:
+ - Little adjustments in manpage.
+ - Renamed to debian/manpage/.
+ * debian/rules: added the override_auto_clean target to remove some files
+ forgotten by upstream.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Mon, 23 Feb 2015 14:02:52 -0300
+
+volatility (2.4-4) unstable; urgency=medium
+
+ * Upload to unstable.
+ * debian/control: removed the Recommends field because volatility-profiles
+ no longer exists in unstable/testing (see #766895).
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Thu, 27 Nov 2014 23:17:36 -0200
+
+volatility (2.4-3) experimental; urgency=medium
+
+ * debian/copyright: added a new upstream site. See below.
+ * debian/watch: The Volatility Project replied me a recent email
+ message and the development site (GitHub) now uses tags.
+ Thanks a lot to Jamie Levy (gleeda).
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Thu, 20 Nov 2014 19:09:46 -0200
+
+volatility (2.4-2) experimental; urgency=medium
+
+ * debian/watch: added a fake site to explain about the current
+ status of the original upstream homepage.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Tue, 18 Nov 2014 08:45:16 -0200
+
+volatility (2.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/clean: added to remove some files generated by upstream when
+ building.
+ * debian/control:
+ - Added dh-python as build dependency.
+ - Added python-distorm3 and python-tz as install dependencies
+ to volatility binary.
+ - Fixed the name 'lime-forensics-dkms' in Suggests field.
+ - Following the upstream README, changed X-Python-Version from
+ >= 2.7 to 2.7.
+ - Improved the long description.
+ - Removed the volatility-profiles, a recommended package, from
+ volatility binary. This package is dead and will be removed
+ from Debian.
+ - Updated the Standards-Version from 3.9.5 to 3.9.6.
+ * debian/copyright:
+ - Updated the Source field.
+ - Updated the upstream names and copyright years.
+ * debian/man/:
+ - Changed the generator script from genman.sh to genallman.sh.
+ - Removed (now) useless file 'notes'.
+ - Updated the manpage.
+ * debian/volatility-tools.README.Debian: improved.
+ * debian/watch: deactivated because the new upstream site is using
+ resources that can't be monitored.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Sat, 25 Oct 2014 17:15:53 -0300
+
+volatility (2.3.1-10) unstable; urgency=medium
+
+ * New maintainer email address.
+ * debian/control: updated the Vcs-Browser field.
+ * debian/man/:
+ - Added genman.sh to automate the manpage creation.
+ - Renamed volatility.1.header to header.txt.
+ * debian/volatility-tools.dirs: removed because the
+ volatility-tools.install file already creates the
+ directory.
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Fri, 08 Aug 2014 13:45:27 -0300
+
+volatility (2.3.1-9) unstable; urgency=medium
+
+ * debian/volatility-tools.README.Debian: updated the information about
+ the new profile folder.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Mon, 31 Mar 2014 20:30:41 -0300
+
+volatility (2.3.1-8) unstable; urgency=medium
+
+ * debian/control: fixed the Vcs-Git field. Thanks to
+ Mario Lang <mlang at debian.org> for report.
+ * debian/watch: improved.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 21 Feb 2014 08:29:47 -0300
+
+volatility (2.3.1-7) unstable; urgency=medium
+
+ * debian/control: moved python from Depends to Suggests field in
+ volatility-tools binary, to avoid unnecessary installs when
+ making a Linux profile only. It is a special case.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 31 Jan 2014 07:40:07 -0200
+
+volatility (2.3.1-6) unstable; urgency=medium
+
+ * debian/control: removed minimum python version from volatility-tools,
+ to allow the profile creation on old versions of the distributions.
+ * debian/volatility.lintian-overrides: useless; removed.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Thu, 30 Jan 2014 22:34:47 -0200
+
+volatility (2.3.1-5) unstable; urgency=medium
+
+ * debian/control:
+ - Added python as dependency in volatility-tools binary.
+ - Changed the minimum python version from 2.6 to 2.7 in
+ X-Python-Version field.
+ * debian/*.install: added to create the volatility and volatility-tools
+ packages.
+ * debian/rules:
+ - Changed in python setup line from --root=debian/volatility to
+ --root=debian/tmp.
+ - Removed the lines used to create the volatility-tool package.
+ This is made by debian/*.install files now.
+ - Removed the DESTDIR* lines.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Thu, 30 Jan 2014 14:12:34 -0200
+
+volatility (2.3.1-4) unstable; urgency=high
+
+ * debian/control: changed yara to python-yara as volatility dependency.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sun, 26 Jan 2014 16:42:27 -0200
+
+volatility (2.3.1-3) unstable; urgency=medium
+
+ * Updated to unstable.
+ * debian/control: updated the long description.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Fri, 17 Jan 2014 08:11:48 -0200
+
+volatility (2.3.1-2) experimental; urgency=medium
+
+ * New binary:
+ - Created volatility-tools to provide, separately, the code used to
+ generate profiles to Volatility.
+ - Added the volatility-tools.dirs file to provides
+ /usr/src/volatility-tools.
+ - Added a README.Debian to talk about the profiles creation process.
+ - Renamed debian/docs to debian/volatility.docs; debian/links to
+ volatility.links; manpages to volatility.manpages.
+ - Updated the debian/rules file.
+ * debian/control:
+ - Added volatility-tools and yara as volatility dependency.
+ - Added volatility-profiles as volatility recommendation.
+ - Bumped Standards-Version from 3.9.4 to 3.9.5.
+ * debian/copyright:
+ - Added Michael Prokop to maintainers.
+ - Updated the packaging years.
+ * debian/watch: improved.
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Tue, 07 Jan 2014 15:36:52 -0200
+
+volatility (2.3.1-1) unstable; urgency=low
+
+ * Initial release (Closes: #728251)
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> Sat, 02 Nov 2013 01:10:33 -0200
diff --cc debian/compat
index ec63514,0000000..f599e28
mode 100644,000000..100644
--- a/debian/compat
+++ b/debian/compat
@@@ -1,1 -1,0 +1,1 @@@
- 9
++10
diff --cc debian/control
index c54ad2d,0000000..16cee8a
mode 100644,000000..100644
--- a/debian/control
+++ b/debian/control
@@@ -1,102 -1,0 +1,103 @@@
+Source: volatility
+Section: utils
+Priority: optional
+Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
+Uploaders: Joao Eriberto Mota Filho <eriberto at debian.org>,
+ Michael Prokop <mika at debian.org>
- Build-Depends: debhelper (>= 9), python, dh-python
++Build-Depends: debhelper (>= 10), python, dh-python
+X-Python-Version: 2.7
+Standards-Version: 3.9.8
- Homepage: http://www.volatilityfoundation.org
++Homepage: https://github.com/volatilityfoundation/volatility
+Vcs-Git: https://anonscm.debian.org/git/forensics/volatility.git
+Vcs-Browser: https://anonscm.debian.org/git/forensics/volatility.git
+
+Package: volatility
+Architecture: all
+Suggests: lime-forensics-dkms, libraw1394-11
+Depends: ${misc:Depends},
+ ${python:Depends},
+ python-crypto,
+ python-distorm3,
+ python-imaging,
+ python-openpyxl,
+ python-tz,
+ python-yara,
+ volatility-tools (>= 2.4.1-1)
+Description: advanced memory forensics framework
+ The Volatility Framework is a completely open collection of tools for
+ the extraction of digital artifacts from volatile memory (RAM) samples.
+ It is useful in forensics analysis. The extraction techniques are
+ performed completely independent of the system being investigated but
+ offer unprecedented visibility into the runtime state of the system.
+ .
+ Volatility supports memory dumps from all major 32- and 64-bit Windows
+ versions and service packs. Whether your memory dump is in raw format,
+ a Microsoft crash dump, hibernation file, or virtual machine snapshot,
+ Volatility is able to work with it.
+ .
+ Linux memory dumps in raw or LiME format are supported too. There are
+ several plugins for analyzing memory dumps from 32- and 64-bit Linux
+ kernels and relevant distributions such as Debian, Ubuntu, openSUSE,
+ RedHat, Fedora, CentOS, Mandriva, etc.
+ .
+ Volatility also support several versions of Mac OSX memory dumps, both
+ 32- and 64-bit. Android phones with ARM processors are also supported.
+ .
+ These are some of the data that can be extracted from a memory image:
+ - Image information (date, time, CPU count);
+ - Running processes;
+ - Open network sockets and connections;
+ - OS kernel modules loaded;
+ - Memory maps for each process;
+ - Executables samples;
+ - Command history;
+ - Suspicious process mappings (i.e. injected code);
+ - Passwords, as LM/NTLM hashes and LSA secrets;
+ - Cached Truecrypt passphrases;
+ - Others.
+ .
+ Current version (2.5) supports investigations of the memory images from
+ these operational systems:
- - 64-bit Windows Server 2012 and 2012 R2
- - 32- and 64-bit Windows 10 (initial/basic support)
++ - 32- and 64-bit Windows Server 2012
++ - 64-bit Windows 2012 R2
++ - 32- and 64-bit Windows 10
+ - 32- and 64-bit Windows 8, 8.1, and 8.1 Update 1
+ - 32- and 64-bit Windows 7 (all service packs)
+ - 32- and 64-bit Windows Server 2008 (all service packs)
+ - 64-bit Windows Server 2008 R2 (all service packs)
+ - 32- and 64-bit Windows Vista (all service packs)
+ - 32- and 64-bit Windows Server 2003 (all service packs)
+ - 32- and 64-bit Windows XP (SP2 and SP3)
+ - 32- and 64-bit Linux kernels from 2.6.11 to 4.2.3
+ - 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which
+ isn't supported)
+ - 32- and 64-bit 10.6.x Snow Leopard
+ - 32- and 64-bit 10.7.x Lion
+ - 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+ - 64-bit 10.9.x Mavericks (there is no 32-bit version)
+ - 64-bit 10.10.x Yosemite (there is no 32-bit version)
+ - 64-bit 10.11.x El Capitan (there is no 32-bit version)
+ .
+ Volatility supports a variety of sample file formats:
+ - Raw/Padded Physical Memory;
+ - Firewire (IEEE 1394);
+ - Expert Witness (EWF);
+ - 32- and 64-bit Windows Crash Dump;
+ - 32- and 64-bit Windows Hibernation;
+ - 32- and 64-bit MachO files;
+ - Virtualbox Core Dumps;
+ - VMware Saved State (.vmss) and Snapshot (.vmsn);
+ - HPAK Format (FastDump);
+ - QEMU memory dumps.
+
+Package: volatility-tools
+Architecture: all
+Depends: ${misc:Depends}, dwarfdump
+Suggests: gcc, linux-headers, make, python, zip
+Description: generate profiles to Volatility Framework
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis.
+ .
+ This package provides the code used to generate Linux and MAC profiles to
+ Volatility.
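Review bot: The new support line `- 32- and 64-bit Windows Server 2012` claims a 32-bit edition that Windows Server 2012 never shipped (the Server line has been 64-bit only since 2008 R2, as this list's own "64-bit Windows Server 2008 R2" entry reflects), so the replaced wording `- 64-bit Windows Server 2012 and 2012 R2` was the accurate one, and the volatility.1 hunk in this same commit still uses it. Splitting the entry is fine, but the two new lines should read `- 64-bit Windows Server 2012` and `- 64-bit Windows Server 2012 R2` (the second new line also drops the word "Server"). The unchanged sentence `Current version (2.5) supports investigations` now sits under a changelog entry for 2.5+git20161021 and a manpage that calls itself 2.6-pre, so the version in the description is presumably stale. The description and the manpage in this commit also disagree on the supported kernel range (2.6.11 to 4.2.3 here, to 3.16 in volatility.1) and on El Capitan, which only the control file lists; one of the two lists should be made the source of truth.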
diff --cc debian/copyright
index 6e20b60,0000000..50f8216
mode 100644,000000..100644
--- a/debian/copyright
+++ b/debian/copyright
@@@ -1,107 -1,0 +1,106 @@@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: volatility
+Upstream-Contact: Volatility Foundation <info at volatilityfoundation.org>
- Source: http://www.volatilityfoundation.org or
- https://github.com/volatilityfoundation/volatility
++Source: https://github.com/volatilityfoundation/volatility
+
+Files: *
- Copyright: 2004 Commonwealth of Australia <{scudette,daveco}@users.sf.net>
++Copyright:
++ ? Joe Sylve - joe.sylve at gmail.com
++ ? Matthieu (Matt) Suiche
++ ? Philippe Teuwen <phil at teuwen.org>
++ ? Santiago Vicente
++ 2004 Commonwealth of Australia <{scudette,daveco}@users.sf.net>
+ 2004-2007 4tphi Research <{npetroni,awalters}@4tphi.net>
- Nick L. Petroni <npetroni at 4tphi.net>
++ 2004-2007 Nick L. Petroni <npetroni at 4tphi.net>
+ 2004-2013 AAron Walters <awalters at 4tphi.net>
- 2007-2014 Andrew Case <atcuno at gmail.com>
- Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
- Michael Cohen <scudette at gmail.com>
- Mike Auty <mike.auty at gmail.com>
- Timothy D. Morgan
- 2007-2015 Volatility Foundation <info at volatilityfoundation.org>
- Michael Hale Ligh <michael.ligh at mnin.org, michael.hale at gmail.com>
++ 2007-2014 Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
++ 2007-2014 Michael Cohen <scudette at gmail.com>
++ 2007-2014 Mike Auty <mike.auty at gmail.com>
++ 2007-2014 Timothy D. Morgan
++ 2007-2016 Andrew Case <atcuno at gmail.com>
++ 2007-2016 Volatility Foundation <info at volatilityfoundation.org>
++ 2009 Andreas Schuster <a.schuster at forensikblog.de>
+ 2010 Bradley Schatz <bradley at schatzforensic.com.au>
++ 2010-2012 Michael Hale Ligh <michael.ligh at mnin.org, michael.hale at gmail.com>
+ 2011-2013 Jamie Levy (Gleeda) <jamie.levy at gmail.com>
+ 2012 Nir Izraeli <nirizr at gmail.com>
+ 2012-2013 Cem Gurkok <cemgurkok at gmail.com>
- ? Andreas Schuster <a.schuster at forensikblog.de>
- attc <atcuno at gmail.com>
- Joe Sylve - joe.sylve at gmail.com
- Matthieu (Matt) Suiche
- Philippe Teuwen <phil at teuwen.org>
- Santiago Vicente
+ 2014 CrowdStrike, Inc
+License: GPL-2+
+
+Files: volatility/plugins/addrspaces/crashbmp.py
+ volatility/plugins/drivermodule.py
+ volatility/plugins/dumpfiles.py
+ volatility/plugins/linux/bash_hash.py
+ volatility/plugins/linux/check_fops.py
+ volatility/plugins/linux/check_inline_kernel.py
+ volatility/plugins/linux/check_modules.py
+ volatility/plugins/linux/check_syscall.py
+ volatility/plugins/linux/find_file.py
+ volatility/plugins/linux/hidden_modules.py
+ volatility/plugins/linux/iomem.py
+ volatility/plugins/linux/kernel_opened_files.py
+ volatility/plugins/linux/keyboard_notifiers.py
+ volatility/plugins/linux/ld_env.py
+ volatility/plugins/linux/ldrmodules.py
+ volatility/plugins/linux/libc_env.py
+ volatility/plugins/linux/librarydump.py
+ volatility/plugins/linux/lime.py
+ volatility/plugins/linux/list_raw.py
+ volatility/plugins/linux/lsmod.py
+ volatility/plugins/linux/malfind.py
+ volatility/plugins/linux/netfilter.py
+ volatility/plugins/linux/procdump.py
+ volatility/plugins/linux/process_hollow.py
+ volatility/plugins/linux/proc_maps_rb.py
+ volatility/plugins/linux/psenv.py
+ volatility/plugins/linux/psxview.py
+ volatility/plugins/linux/recover_filesystem.py
+ volatility/plugins/linux/route_cache.py
+ volatility/plugins/mac/bash_env.py
+ volatility/plugins/mac/bash_hash.py
+ volatility/plugins/mac/compressed_swap.py
+ volatility/plugins/mac/dump_map.py
+ volatility/plugins/mac/ldrmodules.py
+ volatility/plugins/mac/list_raw.py
+ volatility/plugins/mac/malfind.py
+ volatility/plugins/mac/recover_filesystem.py
+ volatility/plugins/mac/threads.py
+ volatility/plugins/overlays/linux/linux.py
+ volatility/plugins/overlays/windows/crash_vtypes.py
+ volatility/plugins/overlays/windows/hibernate_vtypes.py
+ volatility/plugins/overlays/windows/pe_vtypes.py
+ volatility/plugins/overlays/windows/ssdt_vtypes.py
+ volatility/plugins/overlays/windows/vad_vtypes.py
+ volatility/plugins/overlays/windows/win10.py
+ volatility/plugins/overlays/windows/win8_kdbg.py
+ volatility/plugins/overlays/windows/win8.py
+ volatility/plugins/tcaudit.py
+ volatility/poolscan.py
+Copyright: 2007-2015 Volatility Foundation <info at volatilityfoundation.org>
+ 2010 Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu>
+ 2010-2014 Michael Ligh <michael.ligh at mnin.org>
+ 2011 Michael Cohen <scudette at gmail.com>
+License: GPL-2
+
+Files: debian/*
+Copyright: 2013 Michael Prokop <mika at debian.org>
+ 2013-2016 Joao Eriberto Mota Filho <eriberto at debian.org>
+License: GPL-2+
+
+License: GPL-2 or GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --cc debian/manpage/create-man.sh
index 0000000,0000000..d5a078c
new file mode 100755
--- /dev/null
+++ b/debian/manpage/create-man.sh
@@@ -1,0 -1,0 +1,13 @@@
++#!/bin/bash
++
++# by Eriberto
++# Create the manpage using txt2man command.
++
++T2M_DATE="23 Oct 2016"
++T2M_NAME=volatility
++T2M_VERSION=2.6-pre
++T2M_LEVEL=1
++T2M_DESC="advanced memory forensics framework"
++
++# Don't change the following line
++txt2man -d "$T2M_DATE" -t $T2M_NAME -r $T2M_NAME-$T2M_VERSION -s $T2M_LEVEL -v "$T2M_DESC" $T2M_NAME.txt > $T2M_NAME.$T2M_LEVEL
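Review bot: The redirection `> $T2M_NAME.$T2M_LEVEL` on the last line truncates volatility.1 before txt2man starts, so when txt2man is not installed or fails the script still exits 0 and leaves an empty manpage in place of the previous one. Adding `set -eu` after the shebang and checking the tool up front, `command -v txt2man >/dev/null || { echo "txt2man not found" >&2; exit 1; }`, makes that failure visible at build time; writing to a temporary file and renaming it on success would additionally keep the last good volatility.1 intact. The unquoted expansions on that line (`$T2M_NAME`, `$T2M_VERSION`, `$T2M_LEVEL`, `$T2M_NAME.txt`) should be double-quoted like `"$T2M_DATE"` and `"$T2M_DESC"` already are, even though the current values contain no whitespace. Since both the input and the output path are relative to the working directory, the header comment should also state that the script is meant to be run from debian/manpage/.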
diff --cc debian/manpage/volatility.1
index bab49cf,0000000..f047dbf
mode 100644,000000..100644
--- a/debian/manpage/volatility.1
+++ b/debian/manpage/volatility.1
@@@ -1,476 -1,0 +1,491 @@@
- .TH VOLATILITY "1" "Nov 2015" "VOLATILITY 2.5" "advanced memory forensics framework"
+.\" Text automatically generated by txt2man
++.TH volatility 1 "23 Oct 2016" "volatility-2.6-pre" "advanced memory forensics framework"
+.SH NAME
+\fBvolatility \fP- advanced memory forensics framework
+\fB
+.SH SYNOPSIS
+.nf
+.fam C
+\fBvolatility\fP [\fIoption\fP]
+\fBvolatility\fP \fB-f\fP [\fIimage\fP] \fB--profile\fP=[profile] [\fIplugin\fP]
+
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+The Volatility Framework is a completely open collection of tools for the
+extraction of digital artifacts from volatile memory (RAM) samples. It is
+useful in forensics analysis. The extraction techniques are performed
+completely independent of the system being investigated but offer
+unprecedented visibility into the runtime state of the system.
+.PP
- Currently, Volatility (version 2.4) supports several versions of the
++Currently, Volatility (version 2.6-pre) supports several versions of the
+MS Windows, Linux and MAC OSX:
+.RS
+.IP \(bu 3
++32- and 64-bit Windows 10
++.IP \(bu 3
+64-bit Windows Server 2012 and 2012 R2
+.IP \(bu 3
+32- and 64-bit Windows 8 and 8.1
+.IP \(bu 3
+32- and 64-bit Windows 7 (all service packs)
+.IP \(bu 3
+32- and 64-bit Windows Server 2008 (all service packs)
+.IP \(bu 3
+64-bit Windows Server 2008 R2 (all service packs)
+.IP \(bu 3
++32- and 64-bit Windows Server 2008 (all service packs)
++.IP \(bu 3
+32- and 64-bit Windows Vista (all service packs)
+.IP \(bu 3
+32- and 64-bit Windows Server 2003 (all service packs)
+.IP \(bu 3
+32- and 64-bit Windows XP (SP2 and SP3)
+.IP \(bu 3
+32- and 64-bit Linux kernels from 2.6.11 to 3.16
+.IP \(bu 3
+32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+.IP \(bu 3
+32- and 64-bit 10.6.x Snow Leopard
+.IP \(bu 3
+32- and 64-bit 10.7.x Lion
+.IP \(bu 3
+64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+.IP \(bu 3
+64-bit 10.9.x Mavericks (there is no 32-bit version)
+.RE
+.PP
+The memory formats supported are:
+.RS
+.IP \(bu 3
+Raw/Padded Physical Memory
+.IP \(bu 3
+Firewire (IEEE 1394)
+.IP \(bu 3
+Expert Witness (EWF)
+.IP \(bu 3
+32- and 64-bit Windows Crash Dump
+.IP \(bu 3
+32- and 64-bit Windows Hibernation
+.IP \(bu 3
+32- and 64-bit MachO files
+.IP \(bu 3
+Virtualbox Core Dumps
+.IP \(bu 3
+VMware Saved State (.vmss) and Snapshot (.vmsn)
+.IP \(bu 3
+HPAK Format (FastDump)
+.IP \(bu 3
+QEMU memory dumps
+.RE
+.PP
+The supported address spaces (RAM types) are:
+.RS
+.IP \(bu 3
+AMD64PagedMemory - Standard AMD 64-bit address space.
+.IP \(bu 3
+ArmAddressSpace - No docs.
+.IP \(bu 3
+FileAddressSpace - This is a direct file AS.
+.IP \(bu 3
+HPAKAddressSpace - This AS supports the HPAK format.
+.IP \(bu 3
+IA32PagedMemory - Standard IA-32 paging address space.
+.IP \(bu 3
+IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
+.IP \(bu 3
+LimeAddressSpace - Address space for Lime.
+.IP \(bu 3
+MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
+.IP \(bu 3
+OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
+.IP \(bu 3
+QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
+.IP \(bu 3
+VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
+.IP \(bu 3
+VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
+.IP \(bu 3
+VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
+.IP \(bu 3
++Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
++.IP \(bu 3
++WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
++.IP \(bu 3
+WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
+.IP \(bu 3
+WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
+.IP \(bu 3
+WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
+.IP \(bu 3
+WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
+.RE
+.PP
+There are RAM images for tests at https://code.google.com/p/\fBvolatility\fP/wiki/SampleMemoryImages
+or at https://github.com/volatilityfoundation/\fBvolatility\fP/wiki/Memory-Samples.
+.SH OPTIONS
+.TP
+.B
+\fB-h\fP, \fB--help\fP
+List all available options and their default values.
+Default values may be set in the configuration file (/etc/volatilityrc).
+.TP
+.B
+\fB--conf-file\fP=/root/.volatilityrc
+User based configuration file.
+.TP
+.B
+\fB-d\fP, \fB--debug\fP
+Debug Volatility.
+.TP
+.B
+\fB--plugins\fP=PLUGINS
+Additional \fIplugin\fP directories to use (colon separated).
+.TP
+.B
+\fB--info\fP
+Print information about all registered objects.
+.TP
+.B
+\fB--cache-directory\fP=/root/.cache/\fBvolatility\fP
+Directory where cache files are stored.
+.TP
+.B
+\fB--cache\fP
+Use caching.
+.TP
+.B
+\fB--tz\fP=TZ
+Sets the timezone for displaying timestamps.
+.TP
+.B
+\fB-f\fP FILENAME, \fB--filename\fP=FILENAME
+Filename to use when opening an \fIimage\fP.
+.TP
+.B
+\fB--profile\fP=WinXPSP2x86
+Name of the profile to load.
+.TP
+.B
+\fB-l\fP LOCATION, \fB--location\fP=LOCATION
+An URN location from which to load an address space.
+.TP
+.B
+\fB-w\fP, \fB--write\fP
+Enable write support.
+.TP
+.B
+\fB--dtb\fP=DTB
+DTB Address.
+.TP
+.B
+\fB--shift\fP=SHIFT
+Mac KASLR shift address.
+.TP
+.B
+\fB--output\fP=text
+Output in this format (format support is module specific).
+.TP
+.B
+\fB--output-file\fP=OUTPUT_FILE
+Write output in this file.
+.TP
+.B
+\fB-v\fP, \fB--verbose\fP
+Verbose information.
+.TP
+.B
+\fB-g\fP KDBG, \fB--kdbg\fP=KDBG
+Specify a specific KDBG virtual address.
+.TP
+.B
+\fB-k\fP KPCR, \fB--kpcr\fP=KPCR
+Specify a specific KPCR address.
++.TP
++.B
++\fB--force\fP
++Force utilization of suspect profile.
++.TP
++.B
++\fB--cookie\fP=COOKIE
++Specify the address of nt!ObHeaderCookie (valid for
++Windows 10 only).
+.SH PLUGINS AND PROFILES
+The supported \fIplugin\fP commands and profiles can be viewed if using the command '$ \fBvolatility\fP \fB--info\fP'.
+Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+these prefixes were designed for MS Windows.
+.PP
+Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
+profiles are provided by the Volatility.
+.PP
+You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
+read the README.Debian file provided by \fBvolatility\fP-tools package.
+.PP
+On MS Windows, to determine the OS type, you can use:
+.PP
+.nf
+.fam C
+ $ volatility \-f <image> imageinfo
+
+ or
+
+ $ volatility \-f <image> kdbgscan
+
+.fam T
+.fi
+.SH ENVIRONMENT VARIABLES
+On a GNU/Linux or OS X system, these variables can be set:
+.RS
+.IP \(bu 3
+VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '\fB--profile\fP' \fIoption\fP.
+.IP \(bu 3
+VOLATILITY_LOCATION - Specifies the path of an \fIimage\fP. So, the Volatility command will not need a file name via '\fB-f\fP' \fIoption\fP.
+.IP \(bu 3
+VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
+.RE
+.PP
+Other \fIplugin\fP flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+flag name remains the same when adding it to the configuration file.
+.PP
+If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+(e.g. LOCATION=file:///tmp/my%20image.img).
+.PP
+Example:
+.PP
+.nf
+.fam C
+ $ export VOLATILITY_PROFILE=Win7SP0x86
+ $ export VOLATILITY_LOCATION=file:///tmp/myimage.img
+ $ export VOLATILITY_KDBG=0x82944c28
+
+.fam T
+.fi
+.SH CONFIGURATION FILES
+Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
+user's home directory, or at user specified path, using the \fB--conf-file\fP \fIoption\fP. An example of the
+file contents is shown below:
+.PP
+.nf
+.fam C
+ [DEFAULT]
+ PROFILE=Win7SP0x86
+ LOCATION=file:///tmp/myimage.img
+ KDBG=0x82944c28
+
+.fam T
+.fi
+Other \fIplugin\fP flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+flag name remains the same when adding it to the configuration file.
+.PP
+If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+(e.g. LOCATION=file:///tmp/my%20image.img).
+.SH EXTRA PROCEDURES
+Setting a timezone
+.PP
+.nf
+.fam C
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
+
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
+
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
+
+.fam T
+.fi
+Setting the DTB
+.PP
+.nf
+.fam C
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
+
+.fam T
+.fi
+Setting the KDBG address (this is a Windows-only \fIoption\fP)
+.PP
+.nf
+.fam C
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
+
+.fam T
+.fi
+Setting the KPCR address (this is a Windows-only \fIoption\fP)
+.PP
+.nf
+.fam C
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
+
+.fam T
+.fi
+Enabling write support
+.PP
+.nf
+.fam C
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
+
+.fam T
+.fi
+Specifying additional \fIplugin\fP directories
+.PP
+.nf
+.fam C
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
+
+.fam T
+.fi
+Notes:
+.PP
+.nf
+.fam C
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
+
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
+
+.nf
+.fam C
+ $ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
+
+.fam T
+.fi
+Choosing an output format
+.PP
+.nf
+.fam C
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
+
+.fam T
+.fi
+Plugin specific options
+.PP
+.nf
+.fam C
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
+
+.nf
+.fam C
+ $ volatility dlllist \-h
+
+.fam T
+.fi
+Debug mode
+.PP
+.nf
+.fam C
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
+
+.fam T
+.fi
+Using Volatility as a library
+.PP
+.nf
+.fam C
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
+
+.nf
+.fam C
+ $ python
+ >>> import volatility.conf as conf
+ >>> import volatility.registry as registry
+ >>> registry.PluginImporter()
+ <volatility.registry.PluginImporter object at 0x7f9608f3ac10>
+ >>> config = conf.ConfObject()
+ >>> import volatility.commands as commands
+ >>> import volatility.addrspace as addrspace
+ >>> registry.register_global_options(config, commands.Command)
+ >>> registry.register_global_options(config, addrspace.BaseAddressSpace)
+ >>> config.parse_options()
+ >>> config.PROFILE="WinXPSP2x86"
+ >>> config.LOCATION = "file:///media/memory/private/image.dmp"
+ >>> import volatility.plugins.taskmods as taskmods
+ >>> p = taskmods.PSList(config)
+ >>> for process in p.calculate():
+ \.\.\. print process
+
+.fam T
+.fi
+.SH EXAMPLES
+To see all available plugins, profiles, scanner checks and address spaces:
+.PP
+.nf
+.fam C
+ $ volatility \-\-info
+
+.fam T
+.fi
+To list all active processes found in a MS Windows 8 SP0 \fIimage\fP:
+.PP
+.nf
+.fam C
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist
+
+.fam T
+.fi
+To list all active processes found in a MS Windows 8 SP0 \fIimage\fP, using a timezone:
+.PP
+.nf
+.fam C
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist \-\-tz=America/Sao_Paulo
+
+.fam T
+.fi
+To show the kernel bnuffer from a Linux 3.2.63 \fIimage\fP:
+.PP
+.nf
+.fam C
+ $ volatility \-f mem.dd \-\-profile=Linux_3_2_63_x64 linux_dmesg
+
+.fam T
+.fi
+.SH NOTES
+This manpage was based in some tests and several official documents about Volatility.
+For other information and tutorials, see:
+.IP \(bu 3
+http://www.volatilityfoundation.org
+.IP \(bu 3
- https://code.google.com/p/\fBvolatility\fP/wiki
- .IP \(bu 3
+https://github.com/volatilityfoundation/\fBvolatility\fP/wiki
+.SH AUTHOR
+Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
diff --cc debian/manpage/volatility.txt
index 7aed609,0000000..9405f02
mode 100644,000000..100644
--- a/debian/manpage/volatility.txt
+++ b/debian/manpage/volatility.txt
@@@ -1,287 -1,0 +1,293 @@@
+NAME
+ volatility - advanced memory forensics framework
+
+SYNOPSIS
+ volatility [option]
+ volatility -f [image] --profile=[profile] [plugin]
+
+DESCRIPTION
+ The Volatility Framework is a completely open collection of tools for the
+ extraction of digital artifacts from volatile memory (RAM) samples. It is
+ useful in forensics analysis. The extraction techniques are performed
+ completely independent of the system being investigated but offer
+ unprecedented visibility into the runtime state of the system.
+
- Currently, Volatility (version 2.4) supports several versions of the
++ Currently, Volatility (version 2.6-pre) supports several versions of the
+ MS Windows, Linux and MAC OSX:
+
++ * 32- and 64-bit Windows 10
+ * 64-bit Windows Server 2012 and 2012 R2
+ * 32- and 64-bit Windows 8 and 8.1
+ * 32- and 64-bit Windows 7 (all service packs)
+ * 32- and 64-bit Windows Server 2008 (all service packs)
+ * 64-bit Windows Server 2008 R2 (all service packs)
++ * 32- and 64-bit Windows Server 2008 (all service packs)
+ * 32- and 64-bit Windows Vista (all service packs)
+ * 32- and 64-bit Windows Server 2003 (all service packs)
+ * 32- and 64-bit Windows XP (SP2 and SP3)
+ * 32- and 64-bit Linux kernels from 2.6.11 to 3.16
+ * 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
+ * 32- and 64-bit 10.6.x Snow Leopard
+ * 32- and 64-bit 10.7.x Lion
+ * 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
+ * 64-bit 10.9.x Mavericks (there is no 32-bit version)
+
+ The memory formats supported are:
+
+ * Raw/Padded Physical Memory
+ * Firewire (IEEE 1394)
+ * Expert Witness (EWF)
+ * 32- and 64-bit Windows Crash Dump
+ * 32- and 64-bit Windows Hibernation
+ * 32- and 64-bit MachO files
+ * Virtualbox Core Dumps
+ * VMware Saved State (.vmss) and Snapshot (.vmsn)
+ * HPAK Format (FastDump)
+ * QEMU memory dumps
+
+ The supported address spaces (RAM types) are:
+
+ * AMD64PagedMemory - Standard AMD 64-bit address space.
+ * ArmAddressSpace - No docs.
+ * FileAddressSpace - This is a direct file AS.
+ * HPAKAddressSpace - This AS supports the HPAK format.
+ * IA32PagedMemory - Standard IA-32 paging address space.
+ * IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible.
+ * LimeAddressSpace - Address space for Lime.
+ * MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader.
+ * OSXPmemELF - This AS supports VirtualBox ELF64 coredump format.
+ * QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format.
+ * VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files.
+ * VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata.
+ * VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format.
++ * Win10AMD64PagedMemory - Windows 10-specific AMD 64-bit address space.
++ * WindowsAMD64PagedMemory - Windows-specific AMD 64-bit address space.
+ * WindowsCrashDumpSpace32 - This AS supports Windows Crash Dump format.
+ * WindowsCrashDumpSpace64 - This AS supports Windows Crash Dump format.
+ * WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format.
+ * WindowsHiberFileSpace32 - This is a hibernate address space for Windows hibernation files.
+
+ There are RAM images for tests at https://code.google.com/p/volatility/wiki/SampleMemoryImages
+ or at https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples.
+
+OPTIONS
+ -h, --help List all available options and their default values.
+ Default values may be set in the configuration file (/etc/volatilityrc).
+ --conf-file=/root/.volatilityrc User based configuration file.
+ -d, --debug Debug Volatility.
+ --plugins=PLUGINS Additional plugin directories to use (colon separated).
+ --info Print information about all registered objects.
+ --cache-directory=/root/.cache/volatility Directory where cache files are stored.
+ --cache Use caching.
+ --tz=TZ Sets the timezone for displaying timestamps.
+ -f FILENAME, --filename=FILENAME Filename to use when opening an image.
+ --profile=WinXPSP2x86 Name of the profile to load.
+ -l LOCATION, --location=LOCATION An URN location from which to load an address space.
+ -w, --write Enable write support.
+ --dtb=DTB DTB Address.
+ --shift=SHIFT Mac KASLR shift address.
+ --output=text Output in this format (format support is module specific).
+ --output-file=OUTPUT_FILE Write output in this file.
+ -v, --verbose Verbose information.
+ -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address.
+ -k KPCR, --kpcr=KPCR Specify a specific KPCR address.
++ --force Force utilization of suspect profile.
++ --cookie=COOKIE Specify the address of nt!ObHeaderCookie (valid for
++ Windows 10 only).
+
+PLUGINS AND PROFILES
+ The supported plugin commands and profiles can be viewed if using the command '$ volatility --info'.
+ Note that Linux and MAC OSX allowed plugins will have the 'linux_' and 'mac_' prefixes. Plugins without
+ these prefixes were designed for MS Windows.
+
+ Profiles are maps used by Volatility to understand the operational systems. The allowed MS Windows
+ profiles are provided by the Volatility.
+
+ You must create your own profiles for Linux and MAC OSX. For this, on Debian systems,
+ read the README.Debian file provided by volatility-tools package.
+
+ On MS Windows, to determine the OS type, you can use:
+
+ $ volatility \-f <image> imageinfo
+
+ or
+
+ $ volatility \-f <image> kdbgscan
+
+ENVIRONMENT VARIABLES
+ On a GNU/Linux or OS X system, these variables can be set:
+
+ * VOLATILITY_PROFILE - Specifies a profile to be used as default, making unnecessary a '--profile' option.
+ * VOLATILITY_LOCATION - Specifies the path of an image. So, the Volatility command will not need a file name via '-f' option.
+ * VOLATILITY_KDBG - Specifies a KDBG address. See EXTRA PROCEDURES to more details.
+
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
+
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
+
+ Example:
+
+ $ export VOLATILITY_PROFILE=Win7SP0x86
+ $ export VOLATILITY_LOCATION=file:///tmp/myimage.img
+ $ export VOLATILITY_KDBG=0x82944c28
+
+CONFIGURATION FILES
+ Configuration files are typically 'volatilityrc' in the current directory or '~/.volatilityrc' in
+ user's home directory, or at user specified path, using the --conf-file option. An example of the
+ file contents is shown below:
+
+ [DEFAULT]
+ PROFILE=Win7SP0x86
+ LOCATION=file:///tmp/myimage.img
+ KDBG=0x82944c28
+
+ Other plugin flags may be utilized in this way, for example KPCR, DTB or PLUGINS. When exporting
+ variables, simply prefix VOLATILITY_ before the flag name (e.g. VOLATILITY_KPCR). Otherwise, the
+ flag name remains the same when adding it to the configuration file.
+
+ If you have a path with a space or more in the name, spaces should be replaced with %20 instead
+ (e.g. LOCATION=file:///tmp/my%20image.img).
+
+EXTRA PROCEDURES
+ Setting a timezone
+
+ Timestamps extracted from memory can either be in system-local time, or in Universal Time
+ Coordinates (UTC). If they're in UTC, Volatility can be instructed to display them in a time zone
+ of the analyst's choosing. To choose a timezone, use one of the standard timezone names
+ (such as America/Sao_Paulo, Europe/London, US/Eastern or most Olson timezones) with the \-\-tz=TIMEZONE flag.
+
+ Volatility attempts to use pytz if installed, otherwise it uses tzset.
+
+ Please note that specifying a timezone will not affect how system-local times are displayed. If you identify
+ a time that you know is UTC-based, please file it as an issue in the issue tracker. By default the _EPROCESS
+ CreateTime and ExitTime timestamps are in UTC.
+
+ Setting the DTB
+
+ The DTB (Directory Table Base) is what Volatility uses to translate virtual addresses to physical addresses.
+ By default, a kernel DTB is used (from the Idle/System process). If you want to use a different process's DTB
+ when accessing data, supply the address to \-\-dtb=ADDRESS.
+
+ Setting the KDBG address (this is a Windows-only option)
+
+ Volatility scans for the '_KDDEBUGGER_DATA64' structure using hard-coded signatures "KDBG" and a series of sanity
+ checks. These signatures are not critical for the operating system to function properly, thus malware can overwrite
+ them in attempt to throw off tools that do rely on the signature. Additionally, in some cases there may be more
+ than one '_KDDEBUGGER_DATA64' (for example if you apply a major OS update and don't reboot), which can cause confusion
+ and lead to incorrect process and module listings, among other problems. If you know the address
+ add '_KDDEBUGGER_DATA64', you can specify it with \-\-kdbg=ADDRESS and this override the automated scans. For more
+ information, see the kdbgscan plugin.
+
+ Setting the KPCR address (this is a Windows-only option)
+
+ There is one KPCR (Kernel Processor Control Region) for each CPU on a system. Some Volatility plugins display
+ per-processor information. Thus if you want to display data for a specific CPU, for example CPU 3 instead of
+ CPU 1, you can pass the address of that CPU's KPCR with \-\-kpcr=ADDRESS. To locate the KPCRs for all CPUs, see
+ the kpcrscan plugin. Also note that starting in Volatility 2.2, many of the plugins such as idt and gdt
+ automatically iterate through the list of KPCRs.
+
+ Enabling write support
+
+ Write support in Volatility should be used with caution. Therefore, to actually enable it, you must not only type
+ \-\-write on command-line but you must type a 'password' in response to a question that you'll be prompted with.
+ In most cases you will not want to use write support since it can lead to corruption or modification of data in
+ your memory dump. However, special cases exist that make this feature really interesting. For example, you could
+ cleanse a live system of certain malware by writing to RAM over firewire, or you could break into a locked workstation
+ by patching bytes in the winlogon DLLs.
+
+ Specifying additional plugin directories
+
+ Volatility's plugin architecture can load plugin files from multiple directories at once. In the Volatility source
+ code, most plugins are located in volatility/plugins. However, there is another directory (volatility/contrib)
+ which is reserved for contributions from third party developers, or weakly supported plugins that simply aren't
+ enabled by default. To access these plugins you just type \-\-plugins=contrib/plugins on command-line. It also enables
+ you to create a separate directory of your own plugins that you can manage without having to add/remove/modify files
+ in the core Volatility directories.
+
+ Notes:
+
+ On Debian systems, the contrib/plugins directory is at /usr/share/volatility/contrib/plugins.
+
+ Subdirectories will also be traversed as long as there is an __init__.py file (which can be empty) within them.
+
+ The parameter to \-\-plugins can also be a zip file containing the plugins such as \-\-plugins=myplugins.zip.
+ Due to the way plugins are loaded, the external plugins directory or zip file must be specified before any
+ plugin-specific arguments (including the name of the plugin). Example:
+
+ $ volatility \-\-plugins=contrib/plugins \-f XPSP3x86.vmem example
+
+ Choosing an output format
+
+ By default, plugins use text renderers to standard output. If you want to redirect to a file, you can of course
+ use the console's redirection (i.e. > out.txt) or you could use \-\-output-file=out.txt. The reason you can also
+ choose \-\-output=FORMAT is for allowing plugins to also render output as HTML, JSON, SQL, or whatever you choose.
+ However, there are no plugins with those alternate output formats pre-configured for use, so you'll need to add
+ a function named render_html, render_json, render_sql, respectively to each plugin before using \-\-output=HTML.
+
+ Plugin specific options
+
+ Many plugins accept arguments of their own, which are independent of the global options. To see the list of
+ available options, type both the plugin name and \-h/--help on command-line.
+
+ $ volatility dlllist \-h
+
+ Debug mode
+
+ If something isn't happening in Volatility the expected way, try to run the command with \-d/\-\-debug.
+ This will enable the printing of debug messages to standard error. To more debug levels, as in using
+ pdb debugger), add \-d \-d \-d to command.
+
+ Using Volatility as a library
+
+ Although its possible to use Volatility as a library, (there are plans to support it better in the future).
+ Currently, to import Volatility from a python script, the following example code can be used:
+
+ $ python
+ >>> import volatility.conf as conf
+ >>> import volatility.registry as registry
+ >>> registry.PluginImporter()
+ <volatility.registry.PluginImporter object at 0x7f9608f3ac10>
+ >>> config = conf.ConfObject()
+ >>> import volatility.commands as commands
+ >>> import volatility.addrspace as addrspace
+ >>> registry.register_global_options(config, commands.Command)
+ >>> registry.register_global_options(config, addrspace.BaseAddressSpace)
+ >>> config.parse_options()
+ >>> config.PROFILE="WinXPSP2x86"
+ >>> config.LOCATION = "file:///media/memory/private/image.dmp"
+ >>> import volatility.plugins.taskmods as taskmods
+ >>> p = taskmods.PSList(config)
+ >>> for process in p.calculate():
+ ... print process
+
+EXAMPLES
+ To see all available plugins, profiles, scanner checks and address spaces:
+
+ $ volatility \-\-info
+
+ To list all active processes found in a MS Windows 8 SP0 image:
+
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist
+
+ To list all active processes found in a MS Windows 8 SP0 image, using a timezone:
+
+ $ volatility \-f win8.raw \-\-profile=Win8SP0x86 pslist \-\-tz=America/Sao_Paulo
+
+ To show the kernel bnuffer from a Linux 3.2.63 image:
+
+ $ volatility \-f mem.dd \-\-profile=Linux_3_2_63_x64 linux_dmesg
+
+NOTES
+ This manpage was based in some tests and several official documents about Volatility.
+ For other information and tutorials, see:
+
+ * http://www.volatilityfoundation.org
- * https://code.google.com/p/volatility/wiki
+ * https://github.com/volatilityfoundation/volatility/wiki
+
+AUTHOR
+ Volatility was written by Volatility Foundation and several contributors. For contact, use the email <info at volatilityfoundation.org>.
+
+ This manual page was written by Joao Eriberto Mota Filho <eriberto at debian.org> for the Debian project (but may be used by others).
diff --cc debian/patches/10_python-macos-interpreter.patch
index 0000000,0000000..85fff4d
new file mode 100644
--- /dev/null
+++ b/debian/patches/10_python-macos-interpreter.patch
@@@ -1,0 -1,0 +1,13 @@@
++Description: provides a interpreter for MacOS.
++Author: Joao Eriberto Mota Filho <eriberto at debian.org>
++Last-Update: 2016-10-23
++Index: volatility-2.5+git20161021.19d1211/tools/mac/convert.py
++===================================================================
++--- volatility-2.5+git20161021.19d1211.orig/tools/mac/convert.py
+++++ volatility-2.5+git20161021.19d1211/tools/mac/convert.py
++@@ -1,3 +1,5 @@
+++#!/usr/bin/python
+++
++ import os, sys, re
++
++ class DWARFParser(object):
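Review bot: The DEP-3 header of the new patch carries Description, Author and Last-Update but no `Forwarded:` field, so a later maintainer cannot tell whether the shebang was offered upstream or is intentionally Debian-local; adding `Forwarded: not-needed` (or the upstream issue/PR URL if one exists) records that. The Description reads "provides a interpreter" and should be "provides an interpreter for MacOS". The added `#!/usr/bin/python` is unversioned, which matches the `--with python2` build in debian/rules today but presumably needs revisiting once the package moves to a versioned interpreter.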
diff --cc debian/patches/series
index 0000000,0000000..22c50ba
new file mode 100644
--- /dev/null
+++ b/debian/patches/series
@@@ -1,0 -1,0 +1,1 @@@
++10_python-macos-interpreter.patch
diff --cc debian/rules
index 3bc0b69,0000000..4142155
mode 100755,000000..100755
--- a/debian/rules
+++ b/debian/rules
@@@ -1,17 -1,0 +1,14 @@@
+#!/usr/bin/make -f
+#export DH_VERBOSE=1
+
+%:
- dh $@ --parallel --with python2
++ dh $@ --with python2
++
++override_dh_auto_clean:
++ dh_auto_clean
++ rm -rf volatility.egg-info
+
+override_dh_auto_install:
+ python setup.py install --root=debian/tmp --install-layout=deb \
+ --install-scripts=/usr/share/volatility \
+ --install-data=/usr/share/volatility
-
- # Recommended line:
- override_dh_auto_build:
-
- override_dh_auto_clean:
- dh_auto_clean
- rm -rf volatility.egg-info
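Review bot: `override_dh_auto_install` shells out to an unversioned `python` while the sequencer is invoked with `--with python2`, so on a host where /usr/bin/python is missing or points at Python 3 the install step uses a different interpreter than the build helper. Calling `python2 setup.py install --root=debian/tmp --install-layout=deb \` (or passing the two `--install-*` options through `dh_auto_install -- ...` so the python2 build system chooses the interpreter) keeps the two consistent. Dropping the empty `override_dh_auto_build:` means `dh_auto_build` now runs `setup.py build`, which is presumably the intent of the change but is worth stating in the changelog entry.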
diff --cc debian/source/lintian-overrides
index 0000000,0000000..f42d574
new file mode 100644
--- /dev/null
+++ b/debian/source/lintian-overrides
@@@ -1,0 -1,0 +1,4 @@@
++# This is the source code. However, the lines are very long and lintian was
++# lost. Reported to upstream. https://github.com/volatilityfoundation/volatility/issues/343
++
++volatility source: source-is-missing tools/doxygen/d3/d3.js line length is 32018 characters (>512)
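Review bot: The override silences `source-is-missing` for tools/doxygen/d3/d3.js but leaves the underlying condition in place: the source package ships a minified JavaScript file with a 32018-character line and no unminified form alongside it, so the blob cannot be reviewed or rebuilt from what is in the tarball. Citing the upstream issue in the comment is good practice, but closing the finding would mean repacking with the unminified d3.js, or, if the version matches, depending on the packaged libjs-d3 and replacing the file with a symlink. At minimum, recording the d3 version and origin in debian/copyright would let a later maintainer verify the vendored file against an upstream release.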
diff --cc debian/volatility-tools.README.Debian
index 89db11d,0000000..fdc3ea1
mode 100644,000000..100644
--- a/debian/volatility-tools.README.Debian
+++ b/debian/volatility-tools.README.Debian
@@@ -1,25 -1,0 +1,25 @@@
+volatility-tools for Debian
+---------------------------
+
+To generate a profile to a Linux version, follow these steps:
+
+1. Log in a system that is using the target kernel (you can make it in any
+ machine running the desired kernel).
+2. Install gcc, make, zip and the linux-headers-(?) packages.
+3. Go to /usr/src/volatility-tools/linux.
+4. Run 'make' command.
- 5. Run 'zip profile-name-to-use.zip module.dwarf /boot/System.map-(?)'
++5. Run 'zip _profile-name-to-use_.zip module.dwarf /boot/System.map-(?)'
+6. Copy the zip file to volatility profiles folder. Use the
+ 'dpkg -L volatility' command to find the folder. Generally at
+ /usr/lib/pythonVERSION/dist-packages/volatility/plugins/overlays/linux/,
+ where VERSION is a python version.
+7. Use the command 'volatility --info | grep Linux' to see if the new profile
+ was recognised.
+
+PS: in commands, (?) must be replaced by the right option.
+
+To see more about profiles, go to
- https://code.google.com/p/volatility/wiki/LinuxMemoryForensics
++https://github.com/volatilityfoundation/volatility/wiki/Linux
+
+ -- Joao Eriberto Mota Filho <eriberto at debian.org> Tue, 07 Jan 2014 16:52:30 -0200,
- Updated at Mon, 21 Sep 2014 11:57:00 -0300.
++ Updated at Sun, 22 Oct 2016 13:55:00 -0200.
diff --cc debian/watch
index 98533e2,0000000..602fa5d
mode 100644,000000..100644
--- a/debian/watch
+++ b/debian/watch
@@@ -1,2 -1,0 +1,3 @@@
+version=4
++opts=dversionmangle=s/\+git20161021\.19d1211// \
+https://github.com/volatilityfoundation/volatility/releases .*/archive/v?(\d\S+)\.tar\.(?:bz2|gz|xz)
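Review bot: The added `opts=dversionmangle=` line pins the exact snapshot suffix `+git20161021.19d1211`, so the watch file must be edited by hand at every new snapshot and silently stops stripping the suffix as soon as the date or hash changes. A generic pattern, `opts=dversionmangle=s/\+git.*// \`, removes any `+gitDATE.HASH` suffix and keeps uscan comparing the upstream release against the base version without further maintenance.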