Hello, Please find attached a patch to speed up the Volatility strings command. On my slow laptop, a particular search for a single string required around 2 hours and 25 minutes. After these changes, the same search requires 35 minutes. (Measured in wall clock time.) Notable changes include: - Switched from guess-and-check style address probing (during the reverse map construction) to using get_available_pages(). On my test image, this cuts the number of vtop() calls down from 1M to something on the order of 55K for each process. This more than made up for the additional overhead of calling get_available_pages(). - The above change also eliminates a 32bit address space assumption appearing in top-level code, which I assume is a good thing. - Reduced the number of reverse_map lookups - Moved parsing of the strings input file to an earlier point in processing so users don't have to wait until the end of the job to discover they didn't specify things correctly. I can think of several other ways to make this faster and/or more memory efficient, but most require changes to the address interface (ever thought of providing a page iterator?). Also, I added a few comments for future improvements to the user interface and output. I think currently there are problems with the way that addresses appearing in large pages are reported, but I'm not 100% sure what the output is intended to mean, so I just kept it the same for now. DISCLAIMER: This is the first time I've seriously looked at the Volatility code. Please review/test it carefully before committing the changes. thanks! tim