running Evolve in SIFT, object has no attribute 'render_sqlite'

[mozzer74]

Hi all,

Trying to get Evolve functioning in my SIFT VM. SIFT has Volatility 2.4 preinstalled, and I'm trying Evolve 1.4.2.

I am using the stuxnet.vmem sample capture and issue the following command to start evolve:

sansforensics@siftworkstation:~/Documents/evolve-master$ ./evolve.py -f /home/sansforensics/Desktop/stuxnet.vmem --p WinXPSP3x86

I can access the evolve web interface and when I click on pslist to run that plugin the console spits out the following:

running: pslist pslist: 'PSList' object has no attribute 'render_sqlite' 192.168.79.1 - - [25/Oct/2015 18:47:22] "GET /data/plugins HTTP/1.1" 200 14814

Short of ripping out volatility on the SIFT and reinstalling it, is there something else I should check?

Thanks!

-Moz

[mozzer74]

I just used a fresh install (in VM) of Ubuntu 14.04 LTS. I followed the instructions in the readme for installing Volatility 2.4 from source, then bottle, yara, distorm3, and maxminddb. Pulled down Evolve 1.4.2 and executed the same command I posted above (altered only for path to the memory capture) and received the same error. None of the plugins seem to work as they all return this same error. :(

In volatility I executed "vol.py -f ./stuxnet.vmem --profile=WinXPSP3x86 pslist" and received the pslist output as expected. Volatility itself appears to be functioning.

Thoughts?

[JamesHabben]

Can you give this another try with Volatility 2.5 now? 2.4 had some of the SQLite output in it, but not all of the modules had the rendering engine in them. Also, some of the repos don't have the latest version. downloading Volatility from GitHub will get you the latest for sure.