On 2013-04-12 15:24, Carl Pulley wrote:
> Hi James,
> you'll be able to do this using the dumpfiles plugin (it
> reconstructs the memory view of the on disk file system using the
> shared cache). I understand that this will be released with the
> Volatility 2.3 release.
>
> All the best,
>
> Carl.
Ah...guess I am out of luck until then...thank you!
James
On 2013-04-12 15:59, Michael Cohen wrote:
> you can try to install pytz :-)
>
> for example on ubuntu the package is called python-tz:
>
> apt-get install python-tz
>
> on windows you need to get pip or easy install then
>
> pip install pytz
>
> Or you can try the windows binary from the downloads section because
> it has no required dependencies.
>
> Michael.
Heh..always so easy :) Thanks...it's flying now. Last thing I think I
need is plugins...here's what the TP responds with:
subcommands:
The following plugins can be selected.
Plugin
dis            Disassemble the given address space.
dt             Print a symbol.
dump           Hexdump an object or memory location.
grep           Search an address space for keywords.
guess_profile  Guess the exact windows profile using heuristics.
imagecopy      Copies a physical address space out as a raw DD image
info           Print information about various subsystems.
load_as        Load address spaces into the session if its not already loaded.
null           This plugin does absolutely nothing.
peinfo         Print information about a PE binary.
Is there a different spot to snag the plugins, or am I barking up the
wrong tree? Thanks again for all your help on this.
James
On 2013-04-12 15:44, Michael Cohen wrote:
> Note that this actually is already available in the tech preview
> edition using a slightly different mechanism (It's specific to
> registry hives instead of generally cached files):
>
> https://volatility.googlecode.com/svn/branches/scudette/docs/user_manual.ht…
>
> YMMV
> Michael.
Thanks Michael...I did give that a go but got:
ImportError: No module named pytz
Betting I'm missing something. Thanks again.
James
On 2013-04-12 15:43, david nardoni wrote:
> Here is a blog post that may suit your needs
>
> http://mikemachnik.com/2013/02/16/memdumpcracking/
>
> Dave Nardoni
> dnardoni(a)gmail.com
>
> On Fri, Apr 12, 2013 at 2:18 PM, James Lay <jlay(a)slave-tothe-box.net>
> wrote:
>
>> Hey all,
>>
>> Topic says it...any way to dump a full registry hive to disk? My
>> plan is to import the SYSTEM and SECURITY into Cain ;) Thank you.
>>
>> James
Thank you for the info...very useful!
James
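A hive carved out of memory is a snapshot of whatever pages were resident, not a clean file: the two sequence numbers in the regf base block may disagree because the hive was mid-write when the image was taken, pages that were swapped out leave holes, and the header checksum may no longer match. Before handing such a hive to Cain or any other tool it pays to check the base block and the first hive bin. The following is an added example, not code from Volatility or from anyone in this thread; it follows the documented regf base block layout (signature, sequence numbers, version, root cell offset, hive bins size, checksum at 0x1FC) and `build_sample_hive` constructs a minimal synthetic hive so the checks can be run offline.

```python
import struct

BASE_BLOCK_SIZE = 4096      # the regf base block is always one 4 KiB page
CHECKSUM_OFFSET = 0x1FC     # checksum covers bytes 0..0x1FB


def regf_checksum(base_block):
    """XOR of the first 508 bytes taken as little-endian DWORDs, with the
    two reserved results remapped the way Windows does (0 -> 1,
    0xFFFFFFFF -> 0xFFFFFFFE)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if acc == 0:
        return 1
    return acc


def parse_base_block(data):
    """Decode the base block fields needed for the sanity checks below."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("file shorter than the 4096-byte base block")
    bb = data[:BASE_BLOCK_SIZE]
    (sig, seq1, seq2, ts, major, minor, ftype, fmt,
     root, hbins_size, cluster) = struct.unpack_from("<4sIIQIIIIIII", bb, 0)
    name = bb[0x30:0x70].decode("utf-16-le").split("\x00", 1)[0]
    return {
        "signature": sig, "primary_seq": seq1, "secondary_seq": seq2,
        "timestamp": ts, "major": major, "minor": minor, "file_type": ftype,
        "format": fmt, "root_cell_offset": root, "hbins_size": hbins_size,
        "cluster": cluster, "name": name,
        "checksum_stored": struct.unpack_from("<I", bb, CHECKSUM_OFFSET)[0],
        "checksum_computed": regf_checksum(bb),
    }


def validate_hive(data):
    """Return a list of problems; an empty list means the hive looks usable."""
    problems = []
    h = parse_base_block(data)
    if h["signature"] != b"regf":
        problems.append("bad signature %r (expected b'regf')" % h["signature"])
    if h["checksum_stored"] != h["checksum_computed"]:
        problems.append("base block checksum mismatch (stored 0x%08x, computed 0x%08x)"
                        % (h["checksum_stored"], h["checksum_computed"]))
    if h["primary_seq"] != h["secondary_seq"]:
        problems.append("sequence numbers differ (%d vs %d): hive was mid-write, "
                        "expect inconsistent cells" % (h["primary_seq"], h["secondary_seq"]))
    if h["major"] != 1 or h["minor"] not in (3, 4, 5, 6):
        problems.append("unexpected version %d.%d" % (h["major"], h["minor"]))
    if h["file_type"] != 0:
        problems.append("not a primary hive file (type %d)" % h["file_type"])
    if data[BASE_BLOCK_SIZE:BASE_BLOCK_SIZE + 4] != b"hbin":
        problems.append("first hive bin signature missing")
    if BASE_BLOCK_SIZE + h["hbins_size"] > len(data):
        problems.append("truncated: header claims %d bytes of hive bins, file holds %d"
                        % (h["hbins_size"], max(0, len(data) - BASE_BLOCK_SIZE)))
    root = BASE_BLOCK_SIZE + h["root_cell_offset"]
    if root + 6 > len(data):
        problems.append("root cell offset beyond end of file")
    else:
        cell_size = struct.unpack_from("<i", data, root)[0]   # negative = allocated
        if cell_size >= 0 or data[root + 4:root + 6] != b"nk":
            problems.append("root cell is not an allocated nk record")
    return problems


def build_sample_hive(dirty=False):
    """Constructed test data: a minimal, structurally valid hive (4 KiB base
    block plus one 4 KiB hive bin holding a bare root nk cell). Not a real
    Windows hive. dirty=True leaves the secondary sequence number behind,
    which is what a hive snapshotted mid-write looks like."""
    hbin = bytearray(4096)
    struct.pack_into("<4sII", hbin, 0, b"hbin", 0, 4096)   # sig, bin offset, bin size
    # allocated 0x60-byte cell at hbins offset 0x20: "nk" with root-key flags 0x2C
    struct.pack_into("<i2sH", hbin, 0x20, -0x60, b"nk", 0x2C)
    bb = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into("<4sIIQIIIIIII", bb, 0, b"regf", 42, 41 if dirty else 42,
                     0, 1, 5, 0, 1, 0x20, 4096, 1)
    bb[0x30:0x30 + 12] = "SYSTEM".encode("utf-16-le")
    struct.pack_into("<I", bb, CHECKSUM_OFFSET, regf_checksum(bb))
    return bytes(bb + hbin)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_hive(dirty=True)
    for p in validate_hive(data) or ["hive header looks sane"]:
        print(p)
```

Run it with the path of a dumped hive as the only argument; with no argument it validates the constructed dirty sample. A sequence-number mismatch on a memory-carved hive is expected and not fatal (the keys are usually still readable), but a checksum mismatch or a truncated hive-bins area means pages were missing from the image and any tool reading the file may silently see partial data.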
Topic says it...here's what I'm looking at:
Volatile Systems Volatility Framework 2.2
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 168, in main
    command = cmds[module](config)
  File "/opt/volatility-2.2/volatility/plugins/malware/malfind.py", line 347, in __init__
    help = 'Match wide (unicode) strings')
  File "/opt/volatility-2.2/volatility/conf.py", line 364, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
    self._check_conflict(option)
  File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
    option)
optparse.OptionConflictError: option -W/--wide: conflicting option string(s): -W
Any hints on how to get yarascan to run? Thank you.
James
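The traceback above is optparse refusing to register the option string -W a second time: `_check_conflict` raises as soon as a short or long option string is already present in the parser, and its message only names the second registrant (here the `__init__` in malfind.py), never the first one that already owns -W. As an added example, not Volatility's code, here is an OptionParser subclass that records the call site of every registration so the error names both sides; `register_wide` is a hypothetical stand-in for a plugin constructor that claims -W/--wide with the help text from the trace.

```python
import optparse
import traceback


class TracingOptionParser(optparse.OptionParser):
    """OptionParser that remembers which call site registered each option
    string, so a conflict can be reported with both registrations.  The
    stock parser only ever shows the second one in its traceback."""

    def __init__(self, *args, **kwargs):
        optparse.OptionParser.__init__(self, *args, **kwargs)
        self.registered_at = {}

    def add_option(self, *args, **kwargs):
        # extract_stack(limit=2) -> [caller of add_option, this frame]
        caller = traceback.extract_stack(limit=2)[0]
        site = "%s:%d" % (caller.filename, caller.lineno)
        strings = [a for a in args if isinstance(a, str) and a.startswith("-")]
        # same lookup optparse's _check_conflict performs, done before it runs
        clash = [s for s in strings if s in self._short_opt or s in self._long_opt]
        if clash:
            detail = ", ".join("%s first registered at %s"
                               % (s, self.registered_at.get(s, "?")) for s in clash)
            raise optparse.OptionConflictError(
                "conflicting option string(s): %s; second registration at %s"
                % (detail, site),
                optparse.Option(*args, **kwargs))
        opt = optparse.OptionParser.add_option(self, *args, **kwargs)
        for s in strings:
            self.registered_at[s] = site
        return opt


def register_wide(parser):
    """Hypothetical plugin __init__ that claims -W/--wide (the strings from
    the trace); not Volatility's code."""
    return parser.add_option("-W", "--wide", action="store_true", dest="wide",
                             help="Match wide (unicode) strings")


def demonstrate_conflict():
    """Register -W twice, as two plugins (or one plugin loaded twice, e.g. a
    stale copy on the plugin path) would, and return the enriched error."""
    parser = TracingOptionParser(add_help_option=False)
    register_wide(parser)
    try:
        register_wide(parser)
    except optparse.OptionConflictError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(demonstrate_conflict())
```

Dropping a parser like this in place of the one the framework builds turns "conflicting option string(s): -W" into a message that points at both files registering the flag, which is the information needed to decide which of the two registrations is the stray one.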
Thanks,
looking forward to your reply :)
On Wed, Mar 20, 2013 at 3:18 PM, david nardoni <dnardoni(a)gmail.com> wrote:
> I will get you all those details today, except the full snapshot. I can
> not share that
>
> Happy to run whatever you need and provide output
>
> Sent from my iPhone
>
> On Mar 20, 2013, at 3:31 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> Hi Dave,
>
> a few questions if you don't mind,
> what's the VM version (VMware has numbered versions for their file
> formats; you can usually look it up in the VM's properties)?
> could you share the output of psscan?
> what other plugins have you tried running? could you share the output?
> would it be possible to upload the VMware snapshot somewhere so I could
> look into it?
>
> Thanks,
> - Nir.
>
>
>
> On Tue, Mar 19, 2013 at 2:31 AM, david nardoni <dnardoni(a)gmail.com> wrote:
>
>> I think I have some issues with a 8+gb VMware snapshot. I can get
>> psscan and thrdscan output but no other output from other plugins.
>>
> >> Any suggestions from the group on troubleshooting the image?
>>
>> Fyi I can see all the data when I view it in hbgary responder pro.
>>
>> Thanks
>>
>> Dave
>>
>> Sent from my iPhone
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
>
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.
The blog post can be found here:
http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chu…
---
Joe T. Sylve, M.S.
Co-Founder
504ENSICS Labs
www.504ensics.com | (504) 210-8270