Decompression error with OSX memory capture, Rekall 1.7.2.rc1
51 views
Skip to first unread message
Steve
Oct 16, 2019, 3:01:48 PM10/16/19
to rekall-discuss
Hi All,
I'm getting what appear to be errors while decompressing an .aff4 OSX image. OSXPMEM did not throw any errors during acquisition. When I try to run pslist, I get:
*********************************
C:\Program Files\Rekall>rekal -f e:\Mem_Caps\memcap_osx.aff4
----------------------------------------------------------------------------
The Rekall Digital Forensic/Incident Response framework 1.7.2.rc1 (Hurricane Ridge).
The Rekall Digital Forensic/Incident Response framework 1.7.2.rc1 (Hurricane Ridge).
"We can remember it for you wholesale!"
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License.
the terms of the GNU General Public License.
See http://www.rekall-forensic.com/docs/Manual/tutorial.html to get started.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
[1] memcap_osx.aff4 12:44:19> pslist
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
C:\Program Files\Rekall\rekall\session.pyc in __getitem__(self, item)
---------------------------------------------------------------------------
KeyError Traceback (most recent call last)
C:\Program Files\Rekall\rekall\session.pyc in __getitem__(self, item)
KeyError: 'pslist'
During handling of the above exception, another exception occurred:
error Traceback (most recent call last)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in prefilter_lines(self, lines, continue_prompt)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in prefilter_lines(self, lines, continue_prompt)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in prefilter_line(self, line, continue_prompt)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in prefilter_line_info(self, line_info)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in find_handler(self, line_info)
C:\Program Files\Rekall\IPython\core\prefilter.pyc in check(self, line_info)
C:\Program Files\Rekall\rekall\session.pyc in get(self, item, default)
C:\Program Files\Rekall\rekall\session.pyc in __getitem__(self, item)
C:\Program Files\Rekall\rekall\session.pyc in __getattr__(self, name)
C:\Program Files\Rekall\rekall\session.pyc in GetPluginClass(self, name)
C:\Program Files\Rekall\rekall\plugin.pyc in GetActivePlugin(self, plugin_name)
C:\Program Files\Rekall\rekall\plugin.pyc in is_active(cls, session)
C:\Program Files\Rekall\rekall\plugin.pyc in is_active(cls, session)
C:\Program Files\Rekall\rekall\session.pyc in GetParameter(self, item, default, cached)
C:\Program Files\Rekall\rekall\session.pyc in _RunParameterHook(self, name)
C:\Program Files\Rekall\rekall\plugins\modes.pyc in calculate(self)
C:\Program Files\Rekall\rekall_lib\utils.pyc in __get__(self, *args, **kwargs)
C:\Program Files\Rekall\rekall\session.pyc in profile(self)
C:\Program Files\Rekall\rekall\session.pyc in GetParameter(self, item, default, cached)
C:\Program Files\Rekall\rekall\session.pyc in _RunParameterHook(self, name)
C:\Program Files\Rekall\rekall\plugins\guess_profile.pyc in calculate(self)
C:\Program Files\Rekall\rekall\plugins\guess_profile.pyc in ScanProfiles(self)
C:\Program Files\Rekall\rekall\plugins\guess_profile.pyc in _ScanProfiles(self)
C:\Program Files\Rekall\rekall\scan.pyc in scan(self, offset, maxlen, end)
C:\Program Files\Rekall\rekall\scan.pyc in __next__(self)
C:\Program Files\Rekall\rekall\plugins\addrspaces\aff4.pyc in read(self, offset, length)
C:\Program Files\Rekall\pyaff4\aff4.pyc in read(self, length)
C:\Program Files\Rekall\pyaff4\aff4_map.pyc in Read(self, length)
C:\Program Files\Rekall\pyaff4\aff4_image.pyc in Read(self, length)
C:\Program Files\Rekall\pyaff4\aff4_image.pyc in _ReadPartial(self, chunk_id, chunks_to_read)
C:\Program Files\Rekall\pyaff4\aff4_image.pyc in _ReadChunkFromBevy(self, chunk_id, bevy)
error: Error -3 while decompressing data: incorrect header check
*********************************
*********************************
So I tried exporting the aff4 to a raw image, and got this error:
C:\Program Files\Rekall>rekal -f e:\Mem_Caps\memcap_osx.aff4 imagecopy --output-image=e:\Mem_Caps\memcap_osx.img
Range 0x0 - 0x58000
Range 0x59000 - 0x36000
Range 0x90000 - 0x10000
Range 0x100000 - 0x8ce84000
2019-10-16 12:41:45,696:CRITICAL:rekall.1:Traceback (most recent call last):
File "rekall-core\rekall\session.py", line 870, in RunPlugin
File "rekall-core\rekall\plugins\imagecopy.py", line 95, in render
File "rekall-core\rekall\addrspace.py", line 488, in read
File "rekall-core\rekall\addrspace.py", line 514, in read_partial
File "rekall-core\rekall\addrspace.py", line 501, in cached_read_partial
File "rekall-core\rekall\addrspace.py", line 589, in read
File "rekall-core\rekall\addrspace.py", line 666, in _read_chunk
File "rekall-core\rekall\plugins\addrspaces\aff4.py", line 69, in read
File "site-packages\pyaff4\aff4.py", line 266, in read
File "site-packages\pyaff4\aff4_map.py", line 251, in Read
File "site-packages\pyaff4\aff4_image.py", line 293, in Read
File "site-packages\pyaff4\aff4_image.py", line 379, in _ReadPartial
File "site-packages\pyaff4\aff4_image.py", line 414, in _ReadChunkFromBevy
zlib.error: Error -3 while decompressing data: incorrect header check
Range 0x0 - 0x58000
Range 0x59000 - 0x36000
Range 0x90000 - 0x10000
Range 0x100000 - 0x8ce84000
2019-10-16 12:41:45,696:CRITICAL:rekall.1:Traceback (most recent call last):
File "rekall-core\rekall\session.py", line 870, in RunPlugin
File "rekall-core\rekall\plugins\imagecopy.py", line 95, in render
File "rekall-core\rekall\addrspace.py", line 488, in read
File "rekall-core\rekall\addrspace.py", line 514, in read_partial
File "rekall-core\rekall\addrspace.py", line 501, in cached_read_partial
File "rekall-core\rekall\addrspace.py", line 589, in read
File "rekall-core\rekall\addrspace.py", line 666, in _read_chunk
File "rekall-core\rekall\plugins\addrspaces\aff4.py", line 69, in read
File "site-packages\pyaff4\aff4.py", line 266, in read
File "site-packages\pyaff4\aff4_map.py", line 251, in Read
File "site-packages\pyaff4\aff4_image.py", line 293, in Read
File "site-packages\pyaff4\aff4_image.py", line 379, in _ReadPartial
File "site-packages\pyaff4\aff4_image.py", line 414, in _ReadChunkFromBevy
zlib.error: Error -3 while decompressing data: incorrect header check
2019-10-16 12:41:45,696:CRITICAL:root:Error -3 while decompressing data: incorrect header check. Try --debug for more information.
Traceback (most recent call last):
File "rekal.py", line 11, in <module>
File "rekall-core\rekall\rekal.py", line 104, in main
File "rekall-core\rekall\session.py", line 873, in RunPlugin
File "rekall-core\rekall\session.py", line 870, in RunPlugin
File "rekall-core\rekall\plugins\imagecopy.py", line 95, in render
File "rekall-core\rekall\addrspace.py", line 488, in read
File "rekall-core\rekall\addrspace.py", line 514, in read_partial
File "rekall-core\rekall\addrspace.py", line 501, in cached_read_partial
File "rekall-core\rekall\addrspace.py", line 589, in read
File "rekall-core\rekall\addrspace.py", line 666, in _read_chunk
File "rekall-core\rekall\plugins\addrspaces\aff4.py", line 69, in read
File "site-packages\pyaff4\aff4.py", line 266, in read
File "site-packages\pyaff4\aff4_map.py", line 251, in Read
File "site-packages\pyaff4\aff4_image.py", line 293, in Read
File "site-packages\pyaff4\aff4_image.py", line 379, in _ReadPartial
File "site-packages\pyaff4\aff4_image.py", line 414, in _ReadChunkFromBevy
zlib.error: Error -3 while decompressing data: incorrect header check
[6588] Failed to execute script rekal
Traceback (most recent call last):
File "rekal.py", line 11, in <module>
File "rekall-core\rekall\rekal.py", line 104, in main
File "rekall-core\rekall\session.py", line 873, in RunPlugin
File "rekall-core\rekall\session.py", line 870, in RunPlugin
File "rekall-core\rekall\plugins\imagecopy.py", line 95, in render
File "rekall-core\rekall\addrspace.py", line 488, in read
File "rekall-core\rekall\addrspace.py", line 514, in read_partial
File "rekall-core\rekall\addrspace.py", line 501, in cached_read_partial
File "rekall-core\rekall\addrspace.py", line 589, in read
File "rekall-core\rekall\addrspace.py", line 666, in _read_chunk
File "rekall-core\rekall\plugins\addrspaces\aff4.py", line 69, in read
File "site-packages\pyaff4\aff4.py", line 266, in read
File "site-packages\pyaff4\aff4_map.py", line 251, in Read
File "site-packages\pyaff4\aff4_image.py", line 293, in Read
File "site-packages\pyaff4\aff4_image.py", line 379, in _ReadPartial
File "site-packages\pyaff4\aff4_image.py", line 414, in _ReadChunkFromBevy
zlib.error: Error -3 while decompressing data: incorrect header check
[6588] Failed to execute script rekal
Anyone know what this might be? Do I have a corrupt memory image?
stephen....@gmail.com
Oct 16, 2019, 3:08:20 PM10/16/19
to rekall-discuss
Additionally, I was able to capture the moment during scanning on the pslist command where the error appears to occur:
[1] memcap_osx.aff4 12:54:35> pslist
Scanning buffer 0x1ae00000->0x1b800000 (0xa00000)
Michael Cohen
Oct 16, 2019, 6:04:02 PM10/16/19
to stephen....@gmail.com, rekall-discuss
Afaik rekall does not support osx for quite a while. This error is probably because the aff4 format has evolved in a backwards incompatible way.
Maybe extract the image using osxpmem to a flat file and try volatility?
--
You received this message because you are subscribed to the Google Groups "rekall-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rekall-discus...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rekall-discuss/d6f5e73c-319a-46c0-a335-2baf11748759%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages