Greetings,
This looks to be where the cool kids are hanging out these days, so I
thought I would pop in. I'm just getting familiar with Volatility, and
I think the project is a great idea. I plan on following it closely and
hope to contribute code/debugging in the future.

However, I have run into a problem. I'm trying to get familiar with
the tools using the Windows XP images available in:
http://www.cfreds.nist.gov/mem/memory-images.rar
When I run things like:
python volatility datetime -f xp-laptop-2005-07-04-1430.img
python volatility pslist -f xp-laptop-2005-07-04-1430.img
I get the following:

Traceback (most recent call last):
  File "/usr/local/src/Volatility-1.1.1/volatility", line 143, in <module>
    main()
  File "/usr/local/src/Volatility-1.1.1/volatility", line 139, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 54, in execute
    self.cmd_execute(module, args)
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 108, in get_datetime
    (addr_space, symtab, types) = load_and_identify_image(op, opts)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 152, in load_and_identify_image
    dtb = guess_dtb(filename, op)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 69, in guess_dtb
    dtb = find_dtb(flat_address_space, types)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 104, in find_dtb
    return process_dtb(addr_space, types, offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 138, in process_dtb
    ['_EPROCESS', 'Pcb', 'DirectoryTableBase', 0], task_vaddr)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 168, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 70, in read_value
    (val, ) = struct.unpack(type_unpack_char, buf)
  File "/usr/lib/python2.5/struct.py", line 87, in unpack
    return o.unpack(s)
struct.error: unpack requires a string argument of length 8

Since I'm running Volatility 1.1.1, I'd guess that this may have already
been fixed in 1.2.* or 1.3.*. I've read through all of the mailing list
archives and scoured your project site, but I can't seem to find those
newer versions for download. Perhaps I'm just totally missing
something. Could someone point me in the right direction to get the
latest version? SVN or other development repository would be fine, I
don't mind messing with bleeding edge stuff.

The second reason for my post is that I'll be giving an introductory
training course on incident response and digital forensics next month,
and I had considered introducing students to Volatility and other memory
analysis tools. Do you folks have suggestions as to which features of
Volatility would be the best to showcase in that type of setting?

thanks,
tim
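The traceback in the post bottoms out in struct.unpack being handed a buffer that is not the 8 bytes the format expects, which is what a reader sees when a candidate _EPROCESS offset from the DTB scan points at (or past) the end of the image and the read comes back short. The following is an added example, not Volatility's code and not from the poster: a minimal flat address space over a constructed 64-byte "image" with an unchecked reader that reproduces the struct.error, a bounds-checked reader that returns None instead, and a candidate scan that skips unreadable offsets rather than aborting. The field offset, the 8-byte format and the candidate list are assumptions made up for the demonstration; real offsets are profile-specific.

```python
import struct

# Constructed sample "memory image" (64 bytes of 0x00..0x3F). Not a real dump.
SAMPLE_IMAGE = bytes(range(64))

# Assumed offset of Pcb.DirectoryTableBase inside _EPROCESS for this example only;
# the real value comes from the profile's type tables.
DTB_OFFSET = 0x18

# 8-byte little-endian unsigned, matching the "length 8" in the traceback.
DTB_FORMAT = '<Q'


class FlatAddressSpace:
    """Flat address space: virtual address == file offset, no translation."""

    def __init__(self, data):
        self.data = data

    def is_valid_address(self, addr, length=1):
        """True only if [addr, addr+length) lies fully inside the image."""
        return 0 <= addr and addr + length <= len(self.data)

    def read(self, addr, length):
        """Return exactly `length` bytes, or None on a short/out-of-range read."""
        if not self.is_valid_address(addr, length):
            return None
        return self.data[addr:addr + length]


def read_value_unchecked(addr_space, fmt, addr):
    """Mirrors the failing path: a short slice reaches struct.unpack unchecked."""
    buf = addr_space.data[addr:addr + struct.calcsize(fmt)]
    (val,) = struct.unpack(fmt, buf)  # struct.error when buf is too short
    return val


def read_value(addr_space, fmt, addr):
    """Checked variant: validate the read length before unpacking."""
    size = struct.calcsize(fmt)
    buf = addr_space.read(addr, size)
    if buf is None:
        return None
    (val,) = struct.unpack(fmt, buf)
    return val


def read_dtb(addr_space, eprocess_vaddr):
    """DTB of a candidate _EPROCESS at eprocess_vaddr, or None if unreadable."""
    return read_value(addr_space, DTB_FORMAT, eprocess_vaddr + DTB_OFFSET)


def scan_candidates(addr_space, candidates):
    """Like a DTB scan: keep (offset, dtb) for readable candidates, skip the rest."""
    results = []
    for off in candidates:
        dtb = read_dtb(addr_space, off)
        if dtb is not None:
            results.append((off, dtb))
    return results


def unchecked_read_raises(addr_space, fmt, addr):
    """True if the unchecked reader raises struct.error for this address."""
    try:
        read_value_unchecked(addr_space, fmt, addr)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    space = FlatAddressSpace(SAMPLE_IMAGE)
    # Candidate 0x30 puts the DTB field at 0x48..0x50, past the 64-byte image.
    print(scan_candidates(space, [0x00, 0x08, 0x30]))
    print(unchecked_read_raises(space, DTB_FORMAT, 0x30 + DTB_OFFSET))
```

The unchecked path is what the traceback shows; the checked path is the shape of fix a practitioner would want in a scanner, because an image truncated at an awkward boundary (or a false-positive candidate near its end) should cost one skipped candidate, not the whole run.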