I am trying to use printkey against a Windows XP image and keep getting an
error when I use printkey. I have also provided the commands I used for
hivescan and hivelist, which work great, but printkey does not. Does anyone
have any suggestions as to why? I initially thought it was because it was
SP3, so I ran the same plugins against the xp-laptop-2005-06-25.img that was
suggested for use in Brendan's guide, but I get the same results. Anyone have
any thoughts as to why?
Mark Morgan
702-942-2556
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Offset (hex)
181006344 0xac9f008
181033824 0xaca5b60
189972488 0xb52c008
202671368 0xc148508
544586592 0x2075bb60
642878304 0x26518b60
643895304 0x26611008
678736920 0x2874b418
740933640 0x2c29c008
742706016 0x2c44cb60
789179232 0x2f09eb60
798029088 0x2f90f520
1107776776 0x42075508
1874516240 0x6fbad910
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
Address Name
0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe4f8eb60 \WINDOWS\system32\config\SAM
0xe77b9b60 \WINDOWS\system32\config\SECURITY
0xe77cd008 \WINDOWS\system32\config\SOFTWARE
0xe77ca418 \WINDOWS\system32\config\DEFAULT
0xe18b6008 [no name]
0xe1035b60 \WINDOWS\system32\config\SYSTEM
0xe102e008 [no name]
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
Key name: [9252] (Stable)
Last updated: Wed Jul 29 02:08:26 2009
Subkeys:
Traceback (most recent call last):
  File "./volatility", line 219, in <module>
    main()
  File "./volatility", line 215, in main
    command.execute()
  File "memory_plugins/registry/printkey.py", line 97, in execute
    for s in subkeys(key):
  File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
    s.is_valid() and s.Signature == NK_SIG]
AttributeError: 'int' object has no attribute 'is_valid'
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
Image Type: Service Pack 3
VM Type: pae
DTB: 0x33e000
Datetime: Tue Aug 04 11:02:35 2009
Dear developers,
I would like to work on the memory forensics of Linux, and I know many
researchers have written plug-ins for the Volatility framework. I'd
appreciate anyone who provides me with information about them, especially
plug-ins for Linux. I am going to write some, so your kindness would help me
save a lot of time.
Thanks a lot.
Yuhang Gao
When running dmp2raw on a small (256MB) Windows crash dump, I get the
following:
Traceback (most recent call last):
| Time Remaining: --:--:--
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "/root/memory_analysis/Volatility-1.3_Beta/vmodules.py", line 1746, in dmp2raw
    crash_to_dd(flat_address_space, types, opts.outfile)
  File "/root/memory_analysis/Volatility-1.3_Beta/forensics/win32/crashdump.py", line 721, in crash_to_dd
    for j in xrange(0, PageCount*0x1000, 0x1000):
OverflowError: long int too large to convert to int
dmpchk gives me the following info about this file:
DUMP_HEADER32:
MajorVersion 0x0000000f
MinorVersion 0x00001772
KdSecondaryVersion 0x00000041
DirectoryTableBase 0x00122000
PfnDataBase 0x83200000
PsLoadedModuleList 0x81f5fc70
PsActiveProcessHead 0x81f55990
MachineImageType 0x0000014c
NumberProcessors 0x00000002
BugCheckCode 0x0000007f
PaeEnabled 0x00000001
KdDebuggerDataBlock 0x81f3fc98
ProductType 0x00000001
SuiteMask 0x00000110
WriterStatus 0x45474150
Physical Memory Description:
Number of runs: 2
FileOffset Start Address Length
00001000 00001000 0009a000
0009b000 00100000 dcf4d000
dcfe7000 dd04c000
Any idea what the problem might be?
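The traceback above ends in `xrange(0, PageCount*0x1000, 0x1000)` rejecting a bound that does not fit the build's C integer, and the second run in the dmpchk table has length 0xdcf4d000, which is larger than 2^31-1. The Python 3 script below is an added example, not code from this thread or from Volatility: it parses the dmpchk run table printed above and converts a crash dump (a constructed, in-memory one here) into a raw image in which file offset equals physical address, counting pages per run instead of building a byte-offset range, so run lengths of any size are handled by Python's arbitrary-precision integers. The function names, the constructed dump, and the treatment of the table's two-field last row as a totals line are assumptions.

```python
# Added example, not code from the vol-users thread or from Volatility itself.
# Converts a Windows crash dump's physical-memory run table into a raw image
# (file offset == physical address), zero-filling the holes between runs.
# The per-run loop counts pages instead of building a byte-offset range, so
# run lengths above 2**31-1 are fine with Python's arbitrary-precision ints.
import io

PAGE_SIZE = 0x1000

# Run table as printed by dmpchk in the thread above (hex columns). The last
# two-field row is assumed to be a totals line and is skipped by the parser.
DMPCHK_RUN_TABLE = """\
FileOffset Start Address Length
00001000 00001000 0009a000
0009b000 00100000 dcf4d000
dcfe7000 dd04c000
"""


def parse_runs(table_text):
    """Return [(file_offset, start_address, length), ...] from a dmpchk-style
    run table; the header and any row without three hex fields are skipped."""
    runs = []
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            runs.append(tuple(int(f, 16) for f in fields))
        except ValueError:
            continue
    return runs


DMPCHK_RUNS = parse_runs(DMPCHK_RUN_TABLE)


def page_count(length, page_size=PAGE_SIZE):
    """Number of pages in a run; rejects lengths that are not page aligned."""
    if length % page_size:
        raise ValueError("run length 0x%x is not page aligned" % length)
    return length // page_size


def raw_image_size(runs):
    """Size of the raw image needed to place every run at its physical address."""
    return max(start + length for _, start, length in runs)


def crash_to_raw(dump, runs, out, page_size=PAGE_SIZE):
    """Copy each run from the seekable dump file into `out` at its physical
    address, zero-filling holes. Returns the number of bytes written."""
    written = 0
    for file_offset, start, length in sorted(runs, key=lambda r: r[1]):
        if start % page_size:
            raise ValueError("run start 0x%x is not page aligned" % start)
        if start < written:
            raise ValueError("overlapping runs at 0x%x" % start)
        # Zero-fill the hole below this run (e.g. physical page 0, which the
        # dump does not contain), in bounded chunks rather than one allocation.
        gap = start - written
        while gap:
            chunk = min(gap, 1 << 20)
            out.write(bytes(chunk))
            gap -= chunk
        written = start
        dump.seek(file_offset)
        for _ in range(page_count(length, page_size)):  # page counter, no byte range
            page = dump.read(page_size)
            if len(page) != page_size:
                raise EOFError("dump truncated inside run at 0x%x" % start)
            out.write(page)
            written += page_size
    return written


def demo():
    """Constructed dump: a header page followed by three data pages, described
    as two runs so that physical 0x0 and 0x3000-0x4fff are holes."""
    page = lambda c: bytes([c]) * PAGE_SIZE
    dump = io.BytesIO(page(0x48) + page(0x41) + page(0x42) + page(0x43))
    runs = parse_runs("""\
FileOffset Start Address Length
00001000 00001000 00002000
00003000 00005000 00001000
""")
    out = io.BytesIO()
    size = crash_to_raw(dump, runs, out)
    return size, out.getvalue()


if __name__ == "__main__":
    size, image = demo()
    print("constructed raw image: 0x%x bytes" % size)
    print("largest dmpchk run: 0x%x pages" % max(page_count(l) for _, _, l in DMPCHK_RUNS))
```

Running it with a real dump means opening the .dmp file in binary mode and passing its run table (from dmpchk or from the dump header) to `crash_to_raw`; the alignment and overlap checks turn a corrupt or truncated run table into an explicit error instead of a silently misplaced page.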
Hi Yuhang,
Welcome to the Volatility users list! While you have been pointed to
a wiki of all publicly maintained plugins, some of the Linux code may
not be so easy to find. The Linux code for the DFRWS 2008 Forensic
Challenge is located in the PyFlag repository:
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
Further details are available here:
http://volatilesystems.blogspot.com/2008/07/linux-memory-analysis-one-of-ma…
Some Linux code has been pulled into the 1.4_beta1 branch of the
Volatility SVN repository which you can browse at the following:
http://code.google.com/p/volatility/source/browse/#svn/branches/Volatility-…
or download:
svn checkout http://volatility.googlecode.com/svn/branches/Volatility-1.4_beta1/ volatility
This branch may not be stable, but you can have a look at the Linux
plugins. If you need more help feel free to visit the #volatility
channel on freenode (IRC).
All the best,
-Jamie
> Date: Fri, 1 Jan 2010 20:08:32 +0800
> From: yuhang gao <rainman1919(a)gmail.com>
> Subject: [Vol-users] Need help: Can anyone provide information about
> plug-ins for volatility framework, especially used for Linux
> To: vol-users(a)volatilityfoundation.org
>
> Dear developers,
> I would like to work on the memory forensics of Linux, and I know many
> researchers have written plug-ins for the Volatility framework. I'd
> appreciate anyone who provides me with information about them, especially
> plug-ins for Linux. I am going to write some, so your kindness would help me
> save a lot of time.
> Thanks a lot.
> Yuhang Gao