Hello all,
I have tried the libforensic1394 package from
https://freddie.witherden.org/tools/libforensic1394/
with Volatility. That's the result:
# python vol.py -l Firewire://forensic1394/0 pslist
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: Location is not of file scheme
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
FileAddressSpace: Location is not of file scheme
What could I have missed? I had expected to read something about the firewire address space, but neither Firewire:... nor firewire:... worked.
Regards
Michael
Hey Michael,
trying to list the hooked API calls in the zeus.vmem image according to page 666 of your "Cookbook" with Volatility 2.0 and malware.py r97, I get the following result only:
C:\Python27\Scripts>python vol.py apihooks -f "D:\X-Ways-Images\Malware\zeus.vmem"
Volatile Systems Volatility Framework 2.0
Name                           Type  Target             Value
wuauclt.exe[468]@wuaueng.dll   iat   sfc.dll!*invalid*  0x0 0x76c69828 (sfc_os.dll)
Finished after 383.752000093 seconds
Did I miss something, or should I use an older version of Volatility and the malware plugin?
Kindest regards
Michael
I'm new to volatility and recently completed a SANS course which taught v. 1.3.
I'm trying to straighten out in my head the different sets of plugins that come with each version. It looks like v. 2.0 absorbed some older third party plugins but didn't absorb others like malfind.py and the other malware related third party plugins. Am I right here?
It appears one has to have all three versions available for different feature sets? Is this correct?
Jim
Hello,
in 1.4rc1 there was a nice feature to visualize the output of psscan in GraphViz dot format with --output=dot.
I have used it frequently to explain memory structures to non-IT experts or for training purposes.
Is it possible to add this feature to Version 2.0 again, please?
Cu
Michael
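The kind of rendering Michael is asking for, as an added example that is not Volatility's 1.4rc1 renderer and not code from any poster: it turns psscan-style rows (offset, name, pid, ppid) into a GraphViz dot digraph. The rows are constructed here, not taken from a real image, and the one forensic detail worth showing is handled explicitly: psscan carves exited _EPROCESS structures too, so a row's parent is often not in the scan, and such processes get a dashed placeholder parent instead of being dropped or mis-rooted.

```python
"""Render psscan-style rows as a GraphViz dot process tree.

Added example for the thread; not Volatility's --output=dot code.  The rows
below are constructed for illustration, not carved from a real memory image.
"""

# Constructed sample in psscan's column order (offset, name, pid, ppid).  The
# explorer.exe row points at pid 1480 (userinit.exe), which had already exited
# and is therefore absent from the scan.
SAMPLE_ROWS = [
    (0x02435e10, "System", 4, 0),
    (0x02291a38, "smss.exe", 540, 4),
    (0x021f4020, "csrss.exe", 604, 540),
    (0x0217fda0, "winlogon.exe", 628, 540),
    (0x0216d020, "services.exe", 672, 628),
    (0x020f5b40, "svchost.exe", 856, 672),
    (0x01ff6c28, "explorer.exe", 1524, 1480),
    (0x01e3a388, "cmd.exe", 2012, 1524),
]


def build_tree(rows):
    """Return (children, orphans).  children maps ppid -> [pid, ...] for parents
    present in the scan; orphans lists (pid, ppid) whose parent is missing.  A
    ppid of 0 (the idle process) is a genuine root, not a missing parent."""
    pids = {pid for _, _, pid, _ in rows}
    children, orphans = {}, []
    for _, _, pid, ppid in rows:
        if ppid in pids:
            children.setdefault(ppid, []).append(pid)
        elif ppid != 0:
            orphans.append((pid, ppid))
    return children, orphans


def _label(text):
    """Escape a process name for use inside a double-quoted dot label."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(rows):
    """Emit a dot digraph: one box per process, solid edges to parents found in
    the scan, dashed edges from placeholder nodes for parents that were not."""
    names = {pid: name for _, name, pid, _ in rows}
    children, orphans = build_tree(rows)
    out = ["digraph psscan {", "  rankdir=LR;", "  node [shape=box];"]
    for pid in sorted(names):
        out.append('  p%d [label="%s\\npid %d"];' % (pid, _label(names[pid]), pid))
    for ppid in sorted(children):
        for pid in children[ppid]:
            out.append("  p%d -> p%d;" % (ppid, pid))
    # One placeholder per missing parent, even if several children reference it.
    for ppid in sorted({pp for _, pp in orphans}):
        out.append('  missing%d [label="pid %d\\n(not in scan)" style=dashed];' % (ppid, ppid))
    for pid, ppid in orphans:
        out.append("  missing%d -> p%d [style=dashed];" % (ppid, pid))
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe the output into: dot -Tpng -o psscan.png
    print(to_dot(SAMPLE_ROWS))
```

Feeding real psscan output in is a matter of splitting its text columns into the same (offset, name, pid, ppid) tuples; the tree logic does not care where the rows came from.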
Hi all,
In v2.0 I miss the files command.
As a workaround I use
C:\Python27\Scripts>python vol.py handles -p 816 -f . | grep -i "File"
"files" was easier to use. Why has it gone?
Cu
Michael
The problem is solved:
I still had a 64-bit version of PyCrypto installed; with the x86 version all seems to work fine and the hashdump/lsadump plugins appear again.
Shame on me!
CU
Michael
Hello all,
finally I found time to test the new version 2.0. It looks great, even though I had become familiar with the old structure.
I tried to use it on 64-bit Win7 with 64-bit Python. This seems not to work, but after installing the x86 version it does.
However, when starting v2.0 I get the following error message:
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load failed: %1 ist keine zulässige Win32-Anwendung [transl.: %1 is not a valid Win32 application])
What went wrong?
Regards
Michael
Mike - thanks so much for replying
***************************************************************************************************
This is the terminal output for the lipo commands:
qbl-mbp:~ qubyte$ lipo -info /usr/local/lib/libewf.dylib
Non-fat file: /usr/local/lib/libewf.dylib is architecture: x86_64
qbl-mbp:~ qubyte$ lipo -info `which python`
Architectures in the fat file:
/Library/Frameworks/Python.framework/Versions/2.6/bin/python are: ppc i386
***************************************************************************************************
Output from the versioner command:
qbl-mbp:volatility2.0 qubyte$ VERSIONER_PYTHON_PREFER_32_BIT=yes python vol.py -h
Volatile Systems Volatility Framework 2.0
*** Failed to import volatility.plugins.addrspaces.ewf (OSError:
dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find:
/usr/local/lib/libewf.dylib: mach-o, but wrong architecture)
I have also cc'd Joachim Metz on this in case he has some insight. Joachim - in case you have time to read this, I am encountering this error with libewf and Volatility 2.0 when running Volatility (Mac OS X 10.6.8 with libewf 20100226; this version of libewf is used due to TSK 3.2.2):
*** Failed to import volatility.plugins.addrspaces.ewf (OSError:
dlopen(/usr/local/lib/libewf.dylib, 6): no suitable image found. Did find:
/usr/local/lib/libewf.dylib: mach-o, but wrong architecture)
Thanks to the vol group and joachim for taking the time to read this! I
look forward to the next set of ideas! :)
Cheers
Shafik
On Tue, Aug 9, 2011 at 11:00 AM, <vol-users-request@volatilityfoundation.org> wrote:
> lipo -info `which python`
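Both failures in this thread (the 64-bit PyCrypto DLL that would not load into 32-bit Python on Windows, and the x86_64-only libewf.dylib that dlopen rejected from a ppc/i386 Python on Mac OS X) are the same problem: the native library has no slice matching the interpreter. The script below is an added example, not code from Volatility, libewf, PyCrypto or any poster. It does by hand what `lipo -info` reports for thin and fat Mach-O files, and extends the same check to ELF and PE so it also covers the Windows case; the sample headers it carries are constructed in the file (modelled on the architectures quoted in the thread), not read from real binaries, and the script name used in the usage comment is hypothetical.

```python
"""Check whether a native library's architecture matches the Python that loads it.

Added example for this thread (not Volatility, libewf, PyCrypto or poster code).
All sample headers below are constructed in this file, not taken from real files.
"""
import struct
import sys

# Mach-O magics as they read when the first four bytes are taken big-endian.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF    # big-endian thin image (ppc)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE    # little-endian thin image (i386/x86_64)
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA
CPU_ARCH_ABI64 = 0x01000000                        # OR'd into cputype for 64-bit slices
MACHO_CPU = {7: "i386", 12: "arm", 18: "ppc"}
MACHO_CPU64 = {"i386": "x86_64", "arm": "arm64", "ppc": "ppc64"}
ELF_MACHINE = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
PE_MACHINE = {0x14C: ("i386", 32), 0x1C0: ("arm", 32), 0x8664: ("x86_64", 64), 0xAA64: ("arm64", 64)}


def interpreter_bits():
    """Pointer width (32 or 64) of the interpreter running this script."""
    return struct.calcsize("P") * 8


def _macho_cpu(cputype):
    base = MACHO_CPU.get(cputype & ~CPU_ARCH_ABI64, "cpu%d" % (cputype & ~CPU_ARCH_ABI64))
    if cputype & CPU_ARCH_ABI64:
        return (MACHO_CPU64.get(base, base + "64"), 64)
    return (base, 32)


def _elf_arch(data):
    if len(data) < 20:
        raise ValueError("truncated ELF header")
    ei_class, ei_data = struct.unpack("BB", data[4:6])      # 1/2 = 32/64-bit, 1/2 = LE/BE
    machine = struct.unpack(("<" if ei_data == 1 else ">") + "H", data[18:20])[0]
    return (ELF_MACHINE.get(machine, "machine%d" % machine), 64 if ei_class == 2 else 32)


def _pe_arch(data):
    if len(data) < 0x40:
        raise ValueError("truncated DOS header")
    e_lfanew = struct.unpack("<I", data[0x3C:0x40])[0]
    if len(data) < e_lfanew + 6 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine = struct.unpack("<H", data[e_lfanew + 4:e_lfanew + 6])[0]   # COFF Machine field
    return PE_MACHINE.get(machine, ("machine%#x" % machine, 0))


def binary_architectures(data):
    """Return [(arch_name, bits), ...] for a Mach-O (thin or fat), ELF or PE image."""
    if data[:4] == b"\x7fELF":
        return [_elf_arch(data)]
    if data[:2] == b"MZ":
        return [_pe_arch(data)]
    if len(data) < 8:
        raise ValueError("not a recognised Mach-O, ELF or PE image")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in (FAT_MAGIC, FAT_CIGAM):
        # fat_header (magic, nfat_arch) followed by fat_arch records of five
        # uint32s: cputype, cpusubtype, offset, size, align.  Only cputype matters here.
        endian = ">" if magic == FAT_MAGIC else "<"
        nfat = struct.unpack(endian + "I", data[4:8])[0]
        if len(data) < 8 + 20 * nfat:
            raise ValueError("truncated fat header")
        return [_macho_cpu(struct.unpack(endian + "I", data[8 + 20 * i:12 + 20 * i])[0])
                for i in range(nfat)]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        return [_macho_cpu(struct.unpack(">I", data[4:8])[0])]
    if magic in (MH_CIGAM, MH_CIGAM_64):
        return [_macho_cpu(struct.unpack("<I", data[4:8])[0])]
    raise ValueError("not a recognised Mach-O, ELF or PE image")


def compatible(lib_archs, host_archs):
    """Architectures present in both library and host binary.  An empty result is
    what dlopen reports as 'mach-o, but wrong architecture'."""
    return sorted({n for n, _ in lib_archs} & {n for n, _ in host_archs})


def fits_interpreter(lib_archs, bits=None):
    """True if some slice has the interpreter's pointer width (the check that
    matters for a Windows DLL, where there are no fat binaries)."""
    bits = interpreter_bits() if bits is None else bits
    return any(b == bits for _, b in lib_archs)


def _fat(cputypes):                       # constructed fat header, big-endian as on disk
    hdr = struct.pack(">II", FAT_MAGIC, len(cputypes))
    for i, ct in enumerate(cputypes):
        hdr += struct.pack(">IIIII", ct, 0, 4096 * (i + 1), 0, 12)
    return hdr


def _thin_macho(cputype):                 # constructed little-endian thin header (Intel)
    magic = MH_MAGIC_64 if cputype & CPU_ARCH_ABI64 else MH_MAGIC
    return struct.pack("<II", magic, cputype) + b"\0" * 24


# Constructed headers modelled on the thread: a ppc/i386 fat python, an
# x86_64-only libewf.dylib, an x86_64 ELF .so and a 64-bit PE DLL (PyCrypto case).
SAMPLE_PYTHON_FAT = _fat([18, 7])
SAMPLE_LIBEWF_X86_64 = _thin_macho(7 | CPU_ARCH_ABI64)
SAMPLE_ELF64 = b"\x7fELF\x02\x01\x01\x00" + b"\0" * 8 + struct.pack("<HH", 3, 62)
SAMPLE_PE64_DLL = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
                   + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 18)


def check_file(path, host_path=None):
    """Describe a library's slices and, if a host binary is given, their overlap."""
    with open(path, "rb") as f:
        lib = binary_architectures(f.read(4096))
    report = "%s: %s" % (path, ", ".join("%s (%d-bit)" % a for a in lib))
    if host_path:
        with open(host_path, "rb") as f:
            host = binary_architectures(f.read(4096))
        report += "; shared with %s: %s" % (host_path, ", ".join(compatible(lib, host)) or "none")
    return report


if __name__ == "__main__":
    # Hypothetical usage: python archcheck.py /usr/local/lib/libewf.dylib "$(which python)"
    if len(sys.argv) > 1:
        print(check_file(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
    else:
        lib, host = binary_architectures(SAMPLE_LIBEWF_X86_64), binary_architectures(SAMPLE_PYTHON_FAT)
        print("interpreter: %d-bit; libewf %s; python %s; shared: %s"
              % (interpreter_bits(), lib, host, compatible(lib, host) or "none"))
```

Run against the real files it gives the same answer as the two `lipo -info` calls above, but in one step: the ppc/i386 python and the x86_64 libewf share no architecture, so forcing 32-bit Python with VERSIONER_PYTHON_PREFER_32_BIT cannot help; either libewf has to be rebuilt as a fat or i386 library, or a 64-bit Python has to be used. On Windows the same comparison reduces to `fits_interpreter`, since a DLL has exactly one slice.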