volatility icon indicating copy to clipboard operation
volatility copied to clipboard
verified publisher icon volatilityfoundation

analysis of memory dumps is taking too long

Open hackerman008 opened this issue 5 years ago • 6 comments

i have been trying to use volatility for analyzing a memory dump of 8.6 gb of my ram but it is taking too long to even execute a image info command . so is this normal ? or if an issue what is the solution

hackerman008 avatar Jul 01 '20 09:07 hackerman008

Same case for me. I have 17gb of ram, and it takes about 2 hours.

joezbub avatar Jul 01 '20 15:07 joezbub

  1. How was memory acquired?

  2. If you just want the profile name to use, try using kdbgscan instead. imageinfo runs about 7 plugins, including kdbgscan, to generate its output.

atcuno avatar Jul 01 '20 15:07 atcuno

Yes I have the same problem. I have dumped the ram with lime on lubuntu 19.10 kernel 5.3.0-62-generic. The acquisition laptop has 1,7 gb of ram and the laptop where I analyze the dump is a quadcore with 4 gb and ssd. I fired up iotop to look the speed and it was 2,7 MB/s and just one cpu at 100%. Then to analyze a dump of 1,7GB it needed 24 minutes for just a linux_psaux. But it didn't gave me any output (I mean it gave me error) most probably because the kernel is too new or there are some problem with the profile which I downloaded from github. I remember that few years ago it was much more fast.

But I don't know which version is volatility (I used to analyze the dump) because I used that one is installed on blackarch live ditro. But the distro was released around the 6 june then I guess volatility should be pretty new.

fpusersuggest avatar Jul 08 '20 00:07 fpusersuggest

@fpusersuggest if the error you received was a large backtrace related to address spaces, then you likely have the wrong profile. Volatility took this long to backtrace as it was examining the entire memory sample in attempt to match the data structures and symbols in your profile to what was in memory.

atcuno avatar Jul 08 '20 14:07 atcuno

@atcuno my mistake, I downloaded the wrong profile, I confused the Ubuntu1910 with Ubuntu910. Then I built a new profile and I'll try with it more later.

fpusersuggest avatar Jul 09 '20 13:07 fpusersuggest

@atcuno well, I tried with the new profile and it's much more fast.. about 3 o 4 minutes. But it gave me an error. I have 5 memory dump with lime. Four are taken on the same day and the fifth on an other day. About the four, one give me no output. And three give me the following error (I copy by hand then I break the list at the pid 3) pid uid gid arguments 1 0 0 2 0 0 [kthreadd] 3 0 0 [rcu_gp] ....... 27 0 0 [writeback] WARNING : volatility.debug : NoneObject as string: Pointer cred invalid WARNING : volatility.debug : NoneObject as string: Invalid Address 0x-0000001 instantiating int 0 []

The fifth dump it break the process list at pid 29 and it give me the same error above. But in this case it needed 20 minutes of analyzing. Do you want I open a new bug ?

EDIT: I tried also with microsoft avml to dump the ram and I have the same problem I have with lime.

fpusersuggest avatar Jul 09 '20 16:07 fpusersuggest