
Profiles not appearing after saving the zip file

Open cybercuffs opened this issue 10 years ago • 10 comments

I saved the Mac 10.10.3 profile zip file in volatility-2.4/volatility/plugins/overlays/mac but when doing vol.py --info, it is not appearing there. Did I miss anything?

cybercuffs avatar Jul 15 '15 20:07 cybercuffs

You should see one of the following when doing python vol.py --info:

MacYosemite_10_10_3_14D131x64  - A Profile for Mac Yosemite_10.10.3_14D131 x64
MacYosemite_10_10_3_14D136x64  - A Profile for Mac Yosemite_10.10.3_14D136 x64

^ Do you see one of those?

gleeda avatar Jul 17 '15 14:07 gleeda

(also make sure you are running the same vol.py where you put the profile, just in case you are not running it from within the same folder)

gleeda avatar Jul 17 '15 14:07 gleeda

Hello, I seem to have a similar problem. I copied Yosemite_10.10_14A389.zip to the volatility/plugins/overlays/mac folder but the profile does not appear... But when I tried, for example, the Lion_10.7.4_Intel.zip, it DOES appear in the list! A small bug?

TofBaasken avatar Aug 06 '15 13:08 TofBaasken

I know it works no matter from where we run the vol.py --info as I've made some linux profiles in the past. Still, I tried running it from the same folder where my profile is i.e. volatility-2.4/volatility/plugins/overlays/mac but no luck.

cybercuffs avatar Aug 25 '15 22:08 cybercuffs

I had some similar issues with overlays not being found on my systems. I found that when I added a .volatilityrc to my home directory, this helped alleviate some path issues. Here is what my config file looks like:

[DEFAULT]
plugins=/research_data/vol_profiles/

HTH.

deeso avatar Aug 25 '15 22:08 deeso

@cybercuffs did you try running it from the volatility-2.4 folder?

gleeda avatar Aug 26 '15 01:08 gleeda

I have an alias set for it so I can run from any cwd. I deleted the zip and downloaded a fresh copy and it works fine. Though the new copy is of the same size, not sure what went wrong with the previous one.

cybercuffs avatar Sep 11 '15 20:09 cybercuffs
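An added example, not part of the thread or of Volatility's own code: the fix reported above (a fresh download of the same size worked) is consistent with a damaged archive, which a size comparison cannot reveal. This Python script integrity-checks every profile zip under an overlays directory and prints a SHA-256 to compare against a known-good copy; the function names are hypothetical.

```python
import hashlib
import os
import sys
import zipfile
import zlib


def check_profile_zip(path):
    """Integrity-check one profile archive; returns a dict with the findings."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    info = {"path": path, "size": os.path.getsize(path), "sha256": digest,
            "ok": False, "problem": None, "members": []}
    if not zipfile.is_zipfile(path):
        info["problem"] = "not a zip archive (truncated or wrong file type)"
        return info
    try:
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()  # reads every member and verifies its CRC-32
            if bad is not None:
                info["problem"] = "CRC mismatch in member %r" % bad
                return info
            info["members"] = zf.namelist()
    except (zipfile.BadZipFile, zlib.error, OSError) as exc:
        info["problem"] = "unreadable archive: %s" % exc
        return info
    if not info["members"]:
        info["problem"] = "archive is empty"
        return info
    info["ok"] = True
    return info


def scan_overlay_dir(directory):
    """Check every .zip found under an overlays directory (recursively)."""
    results = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if name.lower().endswith(".zip"):
                results.append(check_profile_zip(os.path.join(root, name)))
    return results


if __name__ == "__main__":
    # Usage: python check_profiles.py volatility-2.4/volatility/plugins/overlays/mac
    for r in scan_overlay_dir(sys.argv[1]):
        status = "OK " if r["ok"] else "BAD"
        print("%s %s size=%d sha256=%s %s" % (status, r["path"], r["size"],
              r["sha256"], r["problem"] or ", ".join(r["members"])))
```

A zip flagged BAD here should be re-downloaded or re-copied before looking for path or configuration problems.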

Hi, I still have problems too. It's running under Debian 8.6, x86_64, and I tried the .volatilityrc plugins path stuff, but I can't get any Linux plugin ID at volatility --info. (Copied the file into that folder.) Any idea?

[DEFAULT]
LOCATION=/home/user/.config/volatility/plugins

h8ohmh avatar Mar 26 '17 22:03 h8ohmh

So there's an issue with your config file. First, the LOCATION variable is for the memory sample, not plugins. Second, the path has to have a file:// prefix. Therefore you would have:

[DEFAULT]
LOCATION="file:///home/user/path/to/mem.dmp"

If you wanted to add the location for a plugins directory, you also have to prefix it with "file://". For example:

[DEFAULT]
LOCATION="file:///Location/to/win7.vmem"
PROFILE=Win7SP1x86
DTB=0x3f4b5160
KDBG=0x82b74c28
PLUGINS="file:///Location/to/extra/plugins/folder"

Notice that you can put any flag variable you want in the config file. If you have a file volatilityrc, that can be near where you are invoking vol.py. If you are using .volatilityrc (notice the '.'), then you need to make sure that it is in your home directory. Let me know if this helps and I'll close the issue.

gleeda avatar Mar 28 '17 20:03 gleeda

I too have the same problem. When I make a Linux profile in the target machine, it appears when I type vol.py --info | grep Linux, but when I copy the profile.zip in my investigation machine, with the same command, the profile doesn't appear.

nov3mb3r avatar Aug 17 '17 10:08 nov3mb3r