rekall-agent-server
OSError: No upload location
When using the aff4acquire plugin in order to acquire a memory image, in whatever format I provide the URL, it fails with the above error message. What is the right syntax of the field "destination_url"?
Also, the doc says that you need a profile when you want to acquire pagefile.sys in addition. How do I apply the profile?
You can get help on any plugin using the ? command:
[1] Default session 16:28:04> aff4acquire?
file: /home/mic/rekall/rekall-core/rekall/plugins/tools/aff4acquire.py
Plugin: AFF4Acquire (aff4acquire)
: This is a Typed Plugin.
Positional Args: destination: The destination file to create. (type: String)
Keyword Args:
destination_url: The destination AFF4 URL to create. (type: String)
compression: The compression to use. (type: String)
append: Append to the current volume. (type: Boolean)
also_memory: Also acquire physical memory. If not specified we acquire physical memory only when no other operation is specified. (type: Boolean)
also_mapped_files: Also get mapped or opened files (requires a profile) (type: Boolean)
also_pagefile: Also get the pagefile/swap partition (requires a profile) (type: Boolean)
files: Also acquire files matching the following globs. (type: ArrayStringParser)
max_file_size: Maximum file size to acquire. (type: IntParser)
gce_credentials: The GCE service account credentials to use. (type: String)
gce_credentials_path: A path to the GCE service account credentials to use. (type: String)
verbosity: An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)
Docstring:
Copy the physical address space to an AFF4 file.
There is a positional arg "destination" for the destination file. The destination_url is used for e.g. directly uploading to an AFF4 cloud volume but most of the time you just want to write a local file so:
[1] Live(/proc/kcore) 16:32:27> aff4acquire "/tmp/test.aff4"
------------------------------> aff4acquire("/tmp/test.aff4")
Will use compression: http://code.google.com/p/snappy/
Will load physical address space from live plugin.
Reading 7081MiB / 8136MiB 153 MiB/s
The profile will be autoselected on Windows when you run in live memory mode (with the --live Memory flag). With Linux you need to build the profile in advance using the instructions in tools/linux/README.
I'm using the rekall-agent-server and a local dev_appserver, and have a client with a rekall agent running. I've tried different variants of absolute and relative paths, both for the client and for the rekall-agent-server, since I'm not sure what is meant by a local destination. Here is one of the error outputs when I specified a path on the Windows client:
{
  backtrace: Traceback (most recent call last):
    File "rekall-agent\rekall_agent\agent.py", line 286, in _run_flow
    File "rekall-agent\rekall_agent\client_actions\plugins.py", line 190, in run
    File "rekall-core\rekall\session.py", line 869, in RunPlugin
    File "rekall-core\rekall\session.py", line 866, in RunPlugin
    File "rekall-core\rekall\plugin.py", line 761, in render
    File "rekall-core\rekall\plugins\tools\aff4acquire.py", line 604, in collect
    File "rekall-core\rekall\plugins\tools\aff4acquire.py", line 627, in collect_acquisition
    File "rekall-agent\rekall_agent\client_actions\plugins.py", line 166, in open
  OSError: No upload location
  client_id: C.a8a9a1252a61bba9
  current_action: {
    args: {
      also_memory: true
      compression: snappy
      destination: c:\images
    }
    collection: {
      location: {
        base: http://172.20.2.151:8081/api/control/upload
        path_template: collection/F.8e596720-d1d1-43/{part}
      }
      part_number: 0
    }
    plugin: AFF4Acquire
    rekall_session: {
      autodetect: [ linux_index, osx, windows_kernel_file ]
      live: Memory
    }
  }
  error: No upload location
  status: Error
  timestamp: 1516701219.814425 2018-01-23T09:53:39.814Z
}
I receive the same error message when specifying destinations on the rekall-agent-server:
OSError: No upload location client_id: C.a8a9a1252a61bba9 current_action: { args: { also_memory: true compression: snappy destination: "tmp/test.aff4"