Sorry; just saw the bit about 'use the issue tracker'...Posting there, and apologies for the spam.

On Tue, Jul 17, 2012 at 10:09 AM, Jesse Bowling <jessebowling@gmail.com> wrote:
I experienced one odd thing; when using the env variable VOLATILITY_LOCATION, volatility complains that "No suitable address space mapping found", however when the file is specified on the command line, all is well.  Output below:

root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_rc1
Offset(P)          Name                PID   PPID PDB                Time created         Time exited
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
No suitable address space mapping found  
Tried to open image as:
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space 
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Location is not of file scheme

root@Forensic-1:/case2/mem# echo $VOLATILITY_LOCATION
/case2/mem/myimage.vmss
root@Forensic-1:/case2/mem# unset VOLATILITY_LOCATION
root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_rc1
ERROR   : __main__            : Please specify a location (-l) or filename (-f)
root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_rc1
Offset(P)          Name                PID   PPID PDB                Time created         Time exited
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
0x0000000006107040 System                4      0 0x0000000000187000 2012-04-12 07:14:16
0x0000000006139b30 residentagent.     1248   1132 0x0000000128a0e000 2012-04-12 07:16:03
0x00000000061ba900 msdtc.exe          2164    484 0x00000001199a8000 2012-04-12 07:16:37
<snip>


On Mon, Jul 16, 2012 at 9:45 AM, Michael Hale Ligh <michael.hale@gmail.com> wrote:
Hey everyone, 

The 2.1 RC1 downloads are now available [1]. Per the usual, there are zip and tar archives of the source code, a Windows module installer, and a standalone Windows executable (with Python and all dependencies built-in). We ask that you test vigorously over the next 2 weeks, especially with any x64 images, and let us know via the issue tracker [2] if you run into any bugs. At the end of July, we'll announce the official release of 2.1.

Also, a lot of the documentation [3] has been updated, including the FAQ, command reference, features by plugin matrix, and roadmap, so that may be a useful resource to you when using 2.1. 

Thank you very much! 








--
Jesse Bowling




