I imaged a live Win7 32-bit system (3 GB) just now with both FTK Imager and winen, and when I try to analyse the RAM, vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services | Global Security & Investigations | TD Bank Group
Dear all,
I am Andri Heriyanto. I am just starting to use Volatility as the tool
for analyzing memory. I am using Python 2.7.3 and have already installed
Volatility 2.1 on both OSes: Windows 7 64-bit and Ubuntu 12.04 LTS
32-bit; unfortunately, I could not resolve the problem with pycrypto.
Especially on Ubuntu 12.04 LTS, there is always an error notification
like this:
ERROR : root : code for hash sha224 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha224
ERROR : root : code for hash sha256 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha256
ERROR : root : code for hash sha384 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha384
ERROR : root : code for hash sha512 was not found.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/hashlib.py", line 139, in <module>
    globals()[__func_name] = __get_hash(__func_name)
  File "/usr/local/lib/python2.7/hashlib.py", line 91, in __get_builtin_constructor
    raise ValueError('unsupported hash type %s' % name)
ValueError: unsupported hash type sha512
Sorry for my simple question; I've tried googling to sort these things
out, but I still could not solve it.
Thank you very much in advance for any support and suggestion.
Cheers
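The tracebacks above come from hashlib's own fallback path (note the frame in __get_builtin_constructor): CPython only takes that path when the OpenSSL-backed _hashlib extension fails to import, and the SHA-2 names then disappear when the bundled _sha256/_sha512 fallbacks were not compiled either, which is what typically happens with a from-source build under /usr/local made without the OpenSSL development headers. The script below is an added diagnostic, not part of the original thread or of Volatility: it reports which of the constructors hashlib is supposed to provide actually work, which C extension modules are importable (the module names are an assumption spanning Python 2.7 and 3.x; a name absent on a given version just shows as not importable), and checks the working constructors against the standard "abc" known-answer vectors so a miscompiled digest is caught too. It runs unchanged on Python 2.7 and 3.

```python
import hashlib
import importlib

# Constructors hashlib always tries to provide; the thread's tracebacks show the
# last four failing, which only happens when neither the OpenSSL binding
# (_hashlib) nor the bundled C fallbacks (_sha256, _sha512 on Python 2.7)
# were compiled into the interpreter.
EXPECTED = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

# Extension module names differ across CPython versions (assumption: this list
# covers 2.7 and 3.x; a name that does not exist on a given version simply
# reports as not importable).
EXTENSIONS = ("_hashlib", "_md5", "_sha", "_sha1", "_sha256", "_sha512", "_sha2")

# Known-answer vectors for the message b"abc" (RFC 1321 / FIPS 180), used to
# catch a constructor that exists but produces wrong digests.
KNOWN_VECTORS = {
    "md5": (b"abc", "900150983cd24fb0d6963f7d28e17f72"),
    "sha1": (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha256": (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
}


def probe_constructors(names=EXPECTED):
    """Map each algorithm name to True if hashlib.new() accepts it, else False."""
    status = {}
    for name in names:
        try:
            hashlib.new(name)
            status[name] = True
        except ValueError:        # "unsupported hash type ..." as in the thread
            status[name] = False
    return status


def probe_extensions(modules=EXTENSIONS):
    """Map each C extension module name to whether it can be imported."""
    status = {}
    for mod in modules:
        try:
            importlib.import_module(mod)
            status[mod] = True
        except ImportError:
            status[mod] = False
    return status


def missing_algorithms():
    """Names from EXPECTED that this interpreter cannot construct."""
    status = probe_constructors()
    return [n for n in EXPECTED if not status[n]]


def failed_vectors():
    """Names whose constructor works but whose digest of b'abc' is wrong."""
    bad = []
    for name, (msg, expected) in KNOWN_VECTORS.items():
        try:
            digest = hashlib.new(name, msg).hexdigest()
        except ValueError:
            continue                 # already reported by missing_algorithms()
        if digest != expected:
            bad.append(name)
    return bad


def diagnose():
    """One-line verdict for the interpreter running this script."""
    missing = missing_algorithms()
    bad = failed_vectors()
    if not missing and not bad:
        return "ok: all expected constructors present and known-answer tests pass"
    if not probe_extensions()["_hashlib"]:
        return ("missing %s; _hashlib (OpenSSL binding) did not build, so rebuild "
                "the interpreter with the OpenSSL development headers installed"
                % ", ".join(missing))
    return "missing %s; wrong digests: %s" % (", ".join(missing), ", ".join(bad))


if __name__ == "__main__":
    print(diagnose())
    for name, ok in sorted(probe_extensions().items()):
        print("%-9s %s" % (name, "importable" if ok else "absent"))
```

Run it with the same interpreter that runs vol.py (for the setup in the message, /usr/local/bin/python2.7 rather than the distribution's /usr/bin/python); on a broken build the verdict line names the constructors hashlib could not provide and whether _hashlib itself is absent.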
https://code.google.com/p/volatility/
We are very excited to announce the official release of Volatility 2.1!
While the main goal of this release was to get x64 support into an
official release, we also sneaked in a number of interesting new
capabilities! Highlights of this release include:
New Address Spaces (AMD64PagedMemory, WindowsCrashDumpSpace64)
Majority of Existing Plugins Updated with x64 Support
Merged Malware Plugins into Volatility Core with Preliminary x64 Support (see FeaturesByPlugin21)
WindowsHiberFileSpace32 Overhaul (also includes x64 Support)
Expanded Operating System Profiles:
Windows XP SP1, SP2 and SP3 x86
Windows XP SP1 and SP2 x64 (there is no SP3 x64)
Windows Server 2003 SP0, SP1, and SP2 x86
Windows Server 2003 SP1 and SP2 x64 (there is no SP0 x64)
Windows Vista SP0, SP1, and SP2 x86
Windows Vista SP0, SP1, and SP2 x64
Windows Server 2008 SP1 and SP2 x86 (there is no SP0)
Windows Server 2008 SP1 and SP2 x64 (there is no SP0)
Windows Server 2008 R2 SP0 and SP1 x64
Windows 7 SP0 and SP1 x86
Windows 7 SP0 and SP1 x64
Plugin Additions (Now Over 70 Analysis Plugins!):
Printing Process Environment Variables (envvars)
Inspecting the Shim Cache (shimcache)
Profiling Command History and Console Usage (cmdscan, consoles)
Converting x86 and x64 Raw Dumps to MS CrashDump (raw2dmp)
Plugin Enhancements:
Verbose details for kdbgscan and kpcrscan
idt/gdt/timers plugins cycle automatically for each CPU
apihooks detects LSP/winsock procedure tables
New Output Formatting Support (Table Rendering)
New Mechanism for Profile Modifications
New Registry API Support
New Volshell Commands
Updated Documentation and Command Reference
In particular, I also wanted to take this opportunity to recognize those
on the development team who helped push to make this release possible:
Mike Auty, Andrew Case, Michael Cohen, Michael Hale Ligh, and Jamie Levy.
These are the people who make a number of sacrifices in their own personal
lives to continue to bring you the most advanced memory forensics
framework in the world! If you appreciate the hard work they put into
Volatility, I encourage you to Support Open Source Forensics Developers
(SOSFD). Finally, shoutz to the Volatility Community for their continued
support and feedback!
As an added bonus, we will also be releasing Volatility 2.2 at the Open
Memory Forensics Workshop 2012 on October 2. This will be your only
opportunity to learn about all the new features in 2.1 and 2.2 from the
actual Volatility development team. Please register early. Seats are
filling up fast!
The Volatility Project
This may just be an "aspect" of the Windows version.
Win7, Python 2.7.3, Volatility 2.1 RC3.
After receiving MLH's direction on getting "conf-file" to work on
Windows, I set the profile and location in my conf file.
Works fine:
python <pathTo>\vol.py --conf-file="<my conf file>" --plugins="<pathToMyPlugins>" someSillyPlugin
Does NOT work:
python <pathTo>\vol.py --plugins="<pathToMyPlugins>" --conf-file="<my conf file>" someSillyPlugin
The error:
__main__ : Please specify a location (-l) or filename (-f)
I don't know if this is also true on non-Windows systems.
Skippy
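The message above reports that the invocation only works when --conf-file precedes --plugins. The wrapper below is an added example, not part of the thread or of Volatility, that removes the trap by reordering the command line before handing it to vol.py: --conf-file first, then --plugins, then everything else in its original order. The script name volwrap.py and the assumption that both the "--opt=value" and "--opt value" spellings should be handled are mine; the ordering rule itself is the one Skippy observed to work.

```python
import subprocess
import sys

# Options moved to the front, in this order: the configuration file first,
# then the plugin directory, matching the invocation that works in the
# message above.
ORDERED_OPTIONS = ("--conf-file", "--plugins")


def order_vol_args(argv):
    """Return a copy of argv with --conf-file and --plugins moved to the front.

    Both "--opt=value" and "--opt value" spellings are recognised; every other
    argument keeps its relative position after them.
    """
    front = dict((opt, []) for opt in ORDERED_OPTIONS)
    rest = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        for opt in ORDERED_OPTIONS:
            if arg.startswith(opt + "="):
                front[opt].append(arg)
                break
            if arg == opt and i + 1 < len(argv):
                front[opt].extend([arg, argv[i + 1]])
                i += 1          # the value token has been consumed as well
                break
        else:
            rest.append(arg)    # not one of the ordered options
        i += 1
    ordered = []
    for opt in ORDERED_OPTIONS:
        ordered.extend(front[opt])
    return ordered + rest


def run_vol(vol_py, argv):
    """Invoke vol.py with the reordered arguments and return its exit status."""
    cmd = [sys.executable, vol_py] + order_vol_args(argv)
    return subprocess.call(cmd)


if __name__ == "__main__":
    # usage: python volwrap.py <pathTo>\vol.py --plugins=<dir> --conf-file=<file> someSillyPlugin
    sys.exit(run_vol(sys.argv[1], sys.argv[2:]))
```

Because the wrapper runs vol.py with the interpreter that ran the wrapper (sys.executable), it behaves the same on Windows and Linux; if the ordering turns out not to matter on a platform, the reordered command line is still a valid one.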