Hi Folks,
I was recently trying to dig up a quick, easy method for
parsing Windows command-line history records out of memory dumps, and
came across a reference to Eoghan Casey's 2010 article, "Extracting
Windows command line details from physical memory". When I pinged him
about the cmd_history.py Volatility plugin he wrote along with that
paper, he said he'd sent it in to the Volatility development group, and
had presumed it would be included at some point. I've been digging
around, but I can't find it. Any idea what happened to it?
Thanks
John
----------------------------------------------------------
Quis custodiet ipsos custodes?... I do!
It seems that Volatility uses an I/O packet size that's too large for my
system.
Thanks to Freddie Witherden for supporting me.
Using a small dumping application (see below) provided by Freddie, I was
able to dump that 2 GiB of RAM successfully.
So I transferred this thread to vol-dev.
CU
Michael
Hello all,
To test whether the I/O packet size is the only problem, I have adapted ieee1394.py as follows:
    def read(self, addr, length):
        """Reads bytes from the specified address"""
        # Lowering packet size before every read
        self._device.request_size = 1024
        return self._device.read(addr, length)
So there's no I/O error reported by forensic1394 anymore, but the data seems not to be mappable:
# python vol.py -l firewire://forensic1394/0 pslist
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
...
FirewireAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
I have no clue what went wrong. Any help appreciated...
CU
Michael
# Simple dumping application
from forensic1394 import Bus
from time import sleep

b = Bus()

# Enable SBP-2 support for access to Linux/Windows targets
b.enable_sbp2()

# Sleep to give the bus time to reinitialise
sleep(2.0)

# Attempt to open the first attached device
d = b.devices()[0]
d.open()

# If this fails, try reducing the request size
d._request_size = 512

# Read 1 MiB at a time, from 1 MiB up to 2 GiB, and append each block to the dump file
with open('memorydump', 'wb') as f:
    for addr in range(1*1024*1024, 2*1024*1024*1024, 1*1024*1024):
        data = d.read(addr, 1*1024*1024)
        f.write(data)
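The two failure modes discussed in this message, a request size the FireWire controller rejects and reads that still fail after the size has been lowered, can be handled in one dumping loop. The following is an added example, not code from the thread and not forensic1394's own code. It assumes only the interface the messages above rely on: a device object with a read(addr, length) method that raises IOError when a request fails and a writable request_size attribute. The FakeDevice class is a constructed stand-in for the FireWire hardware so the loop can be run offline; its byte pattern, controller limit and unreadable window are made up for the demonstration.

```python
"""Chunked physical-memory dumper with request-size backoff and zero-fill.

Added example for the forensic1394 thread above; not from the thread and not
forensic1394's own code.  Assumed device interface: read(addr, length) raising
IOError on failure, plus a writable request_size attribute.
"""
import io


class FakeDevice(object):
    """Constructed stand-in for a forensic1394 Device (assumption: only read()
    and request_size are needed).  Holds `size` bytes of a fixed byte pattern,
    rejects every read while request_size exceeds the controller limit, and
    raises for any read that overlaps an unreadable window (standing in for a
    region the target refuses to serve over the bus)."""

    def __init__(self, size, max_request, unreadable=()):
        self.request_size = 4096
        self.memory = bytes(bytearray((i * 7 + 3) & 0xFF for i in range(size)))
        self._max_request = max_request
        self._unreadable = list(unreadable)

    def read(self, addr, length):
        if self.request_size > self._max_request:
            raise IOError("request size %d too large for controller" % self.request_size)
        for lo, hi in self._unreadable:
            if addr < hi and addr + length > lo:
                raise IOError("bus error reading %#x-%#x" % (addr, addr + length))
        return self.memory[addr:addr + length]


def read_chunk(dev, addr, length, min_request=512, page=4096):
    """Read [addr, addr+length) from dev.

    An IOError first halves dev.request_size (the failure mode in the thread).
    Once the request size cannot go lower, the chunk is re-read page by page and
    only the pages that still fail are zero-filled, so one bad page does not
    cost a whole chunk.  Returns (data, list_of_unreadable_ranges)."""
    while True:
        try:
            return dev.read(addr, length), []
        except IOError:
            if dev.request_size <= min_request:
                break
            dev.request_size //= 2
    parts, bad = [], []
    for off in range(0, length, page):
        n = min(page, length - off)
        try:
            parts.append(dev.read(addr + off, n))
        except IOError:
            parts.append(b"\x00" * n)
            bad.append((addr + off, addr + off + n))
    return b"".join(parts), bad


def dump_physical_memory(dev, size, out, chunk=1024 * 1024):
    """Copy physical memory [0, size) from dev into the file-like `out`.

    The dump starts at address 0 and never skips a range, so file offset equals
    physical address, which is what a raw-image address space expects.
    Returns (bytes_written, unreadable_ranges)."""
    written, unreadable = 0, []
    while written < size:
        length = min(chunk, size - written)
        data, bad = read_chunk(dev, written, length)
        out.write(data)
        unreadable.extend(bad)
        written += length
    return written, unreadable


def run_demo():
    """Dump 256 KiB from a constructed device whose controller accepts requests
    of at most 1024 bytes and which refuses the page at 0xA000."""
    dev = FakeDevice(size=256 * 1024, max_request=1024, unreadable=[(0xA000, 0xB000)])
    out = io.BytesIO()
    written, bad = dump_physical_memory(dev, 256 * 1024, out, chunk=64 * 1024)
    return dev, out.getvalue(), written, bad


if __name__ == "__main__":
    dev, image, written, bad = run_demo()
    print("wrote %d bytes, final request_size %d, unreadable %s"
          % (written, dev.request_size, ["%#x-%#x" % r for r in bad]))
```

Because the image begins at physical address 0 and zero-fills what cannot be read, every file offset equals the physical address it holds; a dump that begins at 1 MiB, as the posted script's does, is shifted by 1 MiB relative to physical memory unless 1 MiB of padding is prepended. One caveat: a controller limit and an unreadable page both surface as IOError, so the backoff may settle on a smaller request size than the controller actually needs, trading throughput for a complete image.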
Hello Folks,
Although already written in the vol-users list, this thread belongs on the
vol-dev one:
In 1.4rc1 there was a nice feature to visualize the output of psscan in the
GraphViz dot format with --output=dot.
I have used it frequently to explain memory structures to non-IT experts or
for training purposes.
Is it possible to add this feature to version 2.0 again, please?
Many thanks in advance!
Michael