It seems that Volatility uses an I/O packet size that's too large for my
system.
Thanks to Freddie Witherden for supporting me.
Using a small dumping application (see below) provided by Freddie, I was
able to successfully dump the 2 GiB of RAM.
So I transferred this thread to vol-dev.
CU
Michael
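Added example (my own code, not the dumping tool Freddie provided, which is not reproduced in the thread): a chunked physical-memory dumper that never issues a single FireWire read larger than the target accepts, and halves its request size and retries if the device still rejects a request as too large, which is the "Bad I/O request size" failure seen above. The chunking logic is exercised against an in-memory fake device so it runs offline; the dump_firewire() function at the end assumes the libforensic1394 Python binding exposes Bus(), Bus.enable_sbp2(), Bus.devices(), Device.open(), Device.read(addr, n) and Device.request_size, and needs a real target, so it is not run here.

```python
"""Chunked FireWire physical-memory dump (added example, not the poster's tool).

Assumed libforensic1394 Python API: Bus(), Bus.enable_sbp2(), Bus.devices(),
Device.open(), Device.read(addr, n), Device.request_size.  The chunking logic
is independent of that binding and is exercised against a fake device.
"""
import io
import time

KIB = 1024
MIB = 1024 * KIB


class BadRequestSize(IOError):
    """Raised by a reader when one request exceeds what the device accepts."""


def dump_memory(read, total, max_request, out):
    """Copy `total` bytes of physical memory into `out` using requests of at
    most `max_request` bytes.  If the device still rejects a request as too
    large, halve the request size and retry, down to a 512-byte floor.
    Returns the request size in use when the dump finished."""
    addr = 0
    size = max_request
    while addr < total:
        n = min(size, total - addr)
        try:
            chunk = read(addr, n)
        except BadRequestSize:
            if size <= 512:
                raise
            size //= 2          # back off and retry the same address
            continue
        if len(chunk) != n:
            raise IOError("short read at 0x%x: got %d, wanted %d"
                          % (addr, len(chunk), n))
        out.write(chunk)
        addr += n
    return size


class FakeDevice:
    """In-memory stand-in for a FireWire target: constructed sample RAM plus a
    hard upper bound on the request size, mirroring the thread's failure."""

    def __init__(self, ram, request_size):
        self.ram = ram
        self.request_size = request_size

    def read(self, addr, n):
        if n > self.request_size:
            raise BadRequestSize("forensic1394_read_device_v: Bad I/O request size")
        return self.ram[addr:addr + n]


def dump_fake(ram, device_limit, start_request):
    """Dump a fake device; returns (bytes dumped, final request size)."""
    dev = FakeDevice(ram, device_limit)
    out = io.BytesIO()
    final = dump_memory(dev.read, len(ram), start_request, out)
    return out.getvalue(), final


def dump_firewire(path, total, max_request=4 * KIB):
    """Dump the first FireWire target to `path`.  Uses the assumed forensic1394
    binding and a real device, so it is not exercised offline."""
    from forensic1394 import Bus
    bus = Bus()
    bus.enable_sbp2()
    time.sleep(2)                       # let the target enumerate us as SBP-2
    dev = bus.devices()[0]
    dev.open()
    limit = min(max_request, dev.request_size)   # assumed attribute
    with open(path, "wb") as out:
        return dump_memory(dev.read, total, limit, out)


if __name__ == "__main__":
    ram = bytes(range(256)) * 64        # 16 KiB of constructed "RAM"
    data, final = dump_fake(ram, 2 * KIB, 64 * KIB)
    print("dumped %d bytes, settled on %d-byte requests" % (len(data), final))
```

Starting with a deliberately oversized 64 KiB request against a device that accepts at most 2 KiB, the dumper backs off to 2 KiB and produces a byte-exact copy; against a real target you would start from Device.request_size and only fall back if the device disagrees.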
While analyzing a memory snapshot, I saw some objects of type
LIST_ENTRY_PTR and some of type LIST_ENTRY. From the addresses of those
objects, it looked as if the LIST_ENTRY_PTRs were the corresponding list heads
and the LIST_ENTRYs were simply the nodes in the list.
Is this correct?
--
Eknath Venkataramani
So, an ldconfig later it looks more comfortable, but it still does not work:
# python vol.py -l Firewire://forensic1394/0 pslist
Volatile Systems Volatility Framework 2.1_alpha
IOError(u'forensic1394_read_device_v: Bad I/O request size',)
IOError(u'forensic1394_read_device_v: Bad I/O request size',)
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: Location is not of file scheme
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: Location is not of file scheme
JKIA32PagedMemory - EXCEPTION: Failed to read from firewire device
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae - EXCEPTION: Failed to read from firewire device
IA32PagedMemory: Module disabled
FirewireAddressSpace: Must be first Address Space
FileAddressSpace: Must be first Address Space
It seems the Python bindings were missed in the first approach. What could cause the FW read error?
Regards
Michael
Hello all,
I have tried the libforensic1394 package from
https://freddie.witherden.org/tools/libforensic1394/
with Volatility. That's the result:
# python vol.py -l Firewire://forensic1394/0 pslist
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
FileAddressSpace: Location is not of file scheme
What could I have missed? I had expected to read something about the firewire address space, but neither Firewire:... nor firewire:... worked.
Regards
Michael
Hey Michael,
trying to list the hooked API calls in the zeus.vmem image according to page
666 of your "Cookbook" with Volatility 2.0 and malware.py r97, I get only the
following result:
C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem"
Volatile Systems Volatility Framework 2.0
Name                          Type  Target                 Value
wuauclt.exe[468]@wuaueng.dll  iat   sfc.dll!*invalid* 0x0  0x76c69828 (sfc_os.dll)
Finished after 383.752000093 seconds
Did I miss something, or should I use an older version of Volatility and the
malware plugin?
Kindest regards
Michael
I'm new to volatility and recently completed a SANS course which taught v. 1.3.
I'm trying to straighten out in my head the different sets of plugins that come with each version. It looks like v. 2.0 absorbed some older third-party plugins but didn't absorb others, like malfind.py and the other malware-related third-party plugins. Am I right here?
It appears one has to have all three versions available for the different feature sets? Is this correct?
Jim
Hello,
in 1.4rc1 there was a nice feature to visualize the output of psscan in the
GraphViz dot format with --output=dot.
I have used it frequently to explain memory structures to non-IT experts or
for training purposes.
Is it possible to add this feature to Version 2.0 again, please?
Cu
Michael
Hi all,
In v2.0 I miss the files command.
As a workaround I use
C:\Python27\Scripts>python vol.py handles -p 816 -f . | grep -i "File"
"files" was easier to use. Why has it gone?
Cu
Michael
The problem is solved:
I still had a 64-bit version of PyCrypto installed; with the x86 version
all seems to work fine and the hashdump/lsadump plugins appear again.
Shame on me!
CU
Michael