Attached please find a patch against the SVN version of Volatility
that allows the framework to work properly on big endian systems.
While I know big endian systems are not the majority users, I think
it's easy enough to patch. Most of the changes involve explicitly
telling the decode function that the source data was from a little
endian system.
cheers,
Here's the original version of the framework on a big endian system:
$ python volatility ident -f xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: UNKNOWN
And the patched:
$ python volatility ident -f memory-images/xp-laptop-2005-07-04-1430.img
Image Name: xp-laptop-2005-07-04-1430.img
Image Type: Service Pack 2
VM Type: nopae
DTB: 0x39000
Datetime: Mon Jul 04 14:30:32 2005
--
Jesse
research(a)jessekornblum.com
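The point of the patch described above is that decoding image bytes with the host's native byte order only works when the host happens to be little endian like the Windows machine that produced the image. The following is an added illustration, not Jesse's patch and not Volatility's own code; it assumes (an assumption, since the patch itself is not shown here) that the decode path in question uses Python's struct module, and the DTB bytes are constructed from the 0x39000 value printed in the patched run.

```python
import struct
import sys

# Constructed sample: the DTB 0x39000 as four little-endian bytes, the way a
# 32-bit value would sit in an x86 memory image (constructed, not taken from
# the actual image file).
SAMPLE_DTB_LE = bytes.fromhex("00900300")

# Constructed sample record: a 4-byte DTB followed by a 2-byte flag word and
# two bytes of padding, all little-endian (constructed for this example).
SAMPLE_RECORD = bytes.fromhex("00900300" "0100" "0000")


def decode_native(data, offset=0):
    """Native byte order (no prefix): gives the right answer only when the
    host's byte order matches the image's. This is the unpatched behaviour."""
    return struct.unpack_from("I", data, offset)[0]


def decode_little_endian(data, offset=0):
    """Explicit '<' prefix: decodes the bytes as the little-endian source wrote
    them, regardless of the host. This is the patched behaviour."""
    return struct.unpack_from("<I", data, offset)[0]


def simulate_big_endian_host(data, offset=0):
    """What a big-endian host's native decode would return for the same bytes;
    used here so the mismatch can be shown on any machine."""
    return struct.unpack_from(">I", data, offset)[0]


def read_le_struct(data, offset, fields):
    """Decode a list of (name, struct code) fields at `offset`, forcing
    little-endian byte order for the whole record.  Any explicit prefix
    ('<', '>', '=', '!') also switches struct to standard sizes with no
    alignment padding, which is what an on-disk/in-image layout needs; the
    native '@' mode would insert host alignment padding between fields."""
    fmt = "<" + "".join(code for _, code in fields)
    values = struct.unpack_from(fmt, data, offset)
    return dict(zip((name for name, _ in fields), values))


def native_decode_is_correct():
    """True iff the native-order decode agrees with the explicit LE decode,
    i.e. iff this host is little endian."""
    return decode_native(SAMPLE_DTB_LE) == decode_little_endian(SAMPLE_DTB_LE)


if __name__ == "__main__":
    print("host byte order:", sys.byteorder)
    print("explicit '<I':  0x%x" % decode_little_endian(SAMPLE_DTB_LE))
    print("native 'I':     0x%x" % decode_native(SAMPLE_DTB_LE))
    print("on a BE host:   0x%x" % simulate_big_endian_host(SAMPLE_DTB_LE))
    print(read_le_struct(SAMPLE_RECORD, 0,
                         [("dtb", "I"), ("flags", "H"), ("_pad", "H")]))
```

On a little-endian host the native and explicit decodes agree, which is why the bug stays hidden there; on a big-endian host the native decode of the same four bytes yields 0x900300 instead of 0x39000, so header signatures never match and the image is reported as UNKNOWN. The read_le_struct helper shows the general pattern: put the byte-order prefix on the whole format string once rather than relying on the host default.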