Hello all,
After I changed to Win7 64 I tried to install Volatility 1.4RC1
doing the following:
- installing Python 2.7 x64
- installing a precompiled pycrypto 2.3.1 x64 from
http://archive.warshaft.com/pycrypto-2.3.1.win7x64-py2.7x64.7z
- compiling the modules did not work.
- getting RC1 both via wget and via SVN checkout
When starting Volatility I get the following error message:
C:\Micha\Forensics\Volatility-14rc1>python volatility
C:\Python27\python.exe: can't find '__main__' module in 'volatility'
What went wrong?
Cu
Michael
Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
either (error was: "Failed. Cannot open file. Please check if the file
is not being used")
The first page (4096 bytes) of the file is empty, but as far as I know
that shouldn't be a problem.
Christian
On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
> Christian-
>
> Perhaps try the following syntax:
>
> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>
> I recommend Matt's standalone windows executable hibr2bin from moonsol.
>
> Thanks,
> JB
> Sent via BlackBerry by AT&T
>
> -----Original Message-----
> From: Christian Herndler <christian(a)herndler.com>
> Sender: vol-users-bounces(a)volatilityfoundation.org
> Date: Wed, 17 Nov 2010 08:55:24
> To: <vol-users(a)volatilityfoundation.org>
> Subject: [Vol-users] Problem converting hiberfil.sys
>
> Hello,
>
> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
> following error:
>
> ./volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> Traceback (most recent call last):
> File "./volatility", line 219, in <module>
> main()
> File "./volatility", line 212, in main
> modules[argv[1]].execute(argv[1], argv[2:])
> File "/opt/Volatility/vmodules.py", line 62, in execute
> self.cmd_execute(module, args)
> File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
> hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
> File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
> in __init__
> for i in range(0,EntryCount):
> OverflowError: range() result has too many items
>
> any ideas ?
>
> Christian
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Following the instructions provided by Bradley Schatz [1] I added a
new profile for Windows Vista SP2.
Since the code is actively revised it's obvious that not all commands
work as expected, but I'm very surprised that the command kpcrscan
always gets the same value:
C:\Volatility-1.4_rc1>volatility.py --profile=VistaSP2x86 -f
vistasp2.dmp kpcrscan
Volatile Systems Volatility Framework 1.4_rc1
Potential KPCR structure virtual addresses:
Phys addr 00150000 Virt addr ffdff000
_KPCR: ffdff000
Obviously this is not correct:
0: kd> !pcr
KPCR for Processor 0 at 81d45800:
Major 1 Minor 1
NtTib.ExceptionList: ffffffff
NtTib.StackBase: 00000000
NtTib.StackLimit: 00000000
NtTib.SubSystemTib: 80151000
NtTib.Version: 001d39f9
NtTib.UserPointer: 00000001
NtTib.SelfTib: 00000000
SelfPcr: 81d45800
Prcb: 81d45920
Irql: 00000002
IRR: 00000000
IDR: ffffffff
InterruptMode: 00000000
IDT: 81bff400
GDT: 81bff000
TSS: 80151000
CurrentThread: 81d49640
NextThread: 00000000
IdleThread: 81d49640
DpcQueue:
The volatility code version is the latest available via subversion (r493).
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
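The self-pointer check a KPCR scanner relies on, as an added example that is not part of the thread and not Volatility's own code: on 32-bit Windows the _KPCR stores its own virtual address in SelfPcr (offset 0x1c) and a pointer to the embedded _KPRCB in Prcb (offset 0x20), and the _KPRCB begins 0x120 bytes into the _KPCR, which is exactly the relationship visible in the !pcr output above (81d45920 - 81d45800 = 0x120). The scanner below walks a constructed byte buffer standing in for physical memory and reports every offset where the two fields satisfy that relationship. The kernel-space lower bound of 0x80000000, the 4-byte scan step and the sample layout are assumptions of the example; it is written for Python 3.

```python
import struct

# Offsets inside the 32-bit _KPCR: SelfPcr at 0x1c, Prcb at 0x20, and the
# embedded _KPRCB starts 0x120 bytes into the _KPCR (81d45800 -> 81d45920
# in the !pcr output quoted in the thread).
SELFPCR_OFF = 0x1c
PRCB_OFF = 0x20
PRCB_DELTA = 0x120
KERNEL_BASE = 0x80000000   # assumption: 2 GB user/kernel split, no /3GB
SCAN_STEP = 4              # assumption: pointer fields are 4-byte aligned


def scan_kpcr(physmem, step=SCAN_STEP):
    """Return [(physical_offset, SelfPcr)] for every location in physmem whose
    SelfPcr lies in kernel space and whose Prcb equals SelfPcr + 0x120."""
    hits = []
    last = len(physmem) - (PRCB_OFF + 4)
    for off in range(0, last + 1, step):
        selfpcr, prcb = struct.unpack_from("<II", physmem, off + SELFPCR_OFF)
        if selfpcr < KERNEL_BASE:
            continue                      # zero page or user-mode pointer
        if prcb == selfpcr + PRCB_DELTA:  # the self-consistency check
            hits.append((off, selfpcr))
    return hits


def build_fake_kpcr(selfpcr, prcb, size=0x140):
    """Constructed _KPCR-shaped blob with only the two scanned fields set."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, SELFPCR_OFF, selfpcr)
    struct.pack_into("<I", buf, PRCB_OFF, prcb)
    return bytes(buf)


def sample_physmem():
    """Constructed 12 KB 'physical memory': one genuine-looking KPCR using
    the values from the !pcr output above, plus a decoy at the legacy
    address whose Prcb does not follow its SelfPcr."""
    mem = bytearray(0x3000)
    real = build_fake_kpcr(0x81d45800, 0x81d45920)
    decoy = build_fake_kpcr(0xffdff000, 0x81d45920)
    mem[0x1800:0x1800 + len(real)] = real
    mem[0x2000:0x2000 + len(decoy)] = decoy
    return bytes(mem)


if __name__ == "__main__":
    for phys, virt in scan_kpcr(sample_physmem()):
        print("Phys addr %08x Virt addr %08x" % (phys, virt))
```

Reporting every hit rather than stopping at the first lets you compare the candidates against a known-good source such as the debugger's !pcr output, which is the comparison made in the message above.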
First, sorry for my poor english :(
Following the instructions provided by Bradley Schatz [1] I can't get
the new profile to load:
C:\Volatility-1.4_rc1>dir plugins\overlays\Windows\vista_*
...
26/09/2010 22:47 2.232 vista_sp0_x86.py
26/09/2010 22:48 2.357 vista_sp0_x86.pyc
26/09/2010 22:47 286.008 vista_sp0_x86_vtypes.py
26/09/2010 22:48 192.774 vista_sp0_x86_vtypes.pyc
01/10/2010 23:18 2.235 vista_sp2_x86.py
01/10/2010 23:19 2.360 vista_sp2_x86.pyc
01/10/2010 22:36 315.748 vista_sp2_x86_vtypes.py
01/10/2010 23:19 207.429 vista_sp2_x86_vtypes.pyc
...
C:\Volatility-1.4_rc1>volatility.py --info
Volatile Systems Volatility Framework 1.4_rc1
...
PROFILES
--------
VistaSP0x86 - A Profile for Windows Vista SP0 x86
Win7SP0x86 - A Profile for Windows 7 SP0 x86
WinXPSP2 - A Profile for Windows XP SP2
WinXPSP3 - A Profile for windows XP SP3
...
What am I doing wrong?
[1]
http://blog.schatzforensic.com.au/2010/05/adding-new-structure-definitions-…
---
La verdad nos hara libres
http://neosysforensics.blogspot.com
http://www.wadalbertia.org
-<|:-P[G]
Hi
I am using the DFRWS forensic challenge image from 2005 (both images). When I
try any option (pslist, connections etc.) I get "Unable to locate valid DTB
in image". When I use psscan or connscan, I get no output. I am using
Volatility version 1.3 on Ubuntu.
Zack
Hi there,
I'm trying to code a small tool to interact with users, hash modules
and dump them... but this last part is not working properly. I have in
my code something like:
    (self.addr_space, self.symtab, self.types) = vutils.load_and_identify_image(self.op, self.opts)
    ...
    for module in modules_list(self.addr_space, self.types, self.symtab):
        ...
        driver_base = module_baseaddr(self.addr_space, self.types, module)
        driver_size = module_imagesize(self.addr_space, self.types, module)
        data = self.addr_space.read(driver_base, driver_size)
The problem is that using this code, data is always None. Tracing a
bit, I found that it is because at some point one of the pages cannot be
read, because a call to vtop returns None (PTE = 0 for that page, but it
shouldn't be). I've been testing the code with different memory images
and I even get the same behaviour when testing it with NIST's
xp-laptop dumps, so I'm quite sure it's not because of a weird memory
dump.
So, any ideas of what I'm doing wrong? Also, any hint about the best
way to use the API would be nice. I mean, I'm using calls to
module_baseaddr while other code I saw (moddump by moyix) uses things
like mod.BaseAddress.v()
Thanks,
Tora
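A page-by-page read that zero-fills unmapped pages, added here as an example; it is not code from Volatility or from anyone in the thread. ToyAddressSpace is a constructed stand-in whose read() returns None as soon as any page in the requested range has no translation, which is the behaviour described above; read_zero_filled() reads the module one page at a time and substitutes zeros for the pages it cannot translate, returning both the dump and the list of missing pages, so a paged-out or zero-PTE page costs one page of the dump rather than the whole module. The 0x1000 page size, the identity vtop of the toy and the sample module layout are assumptions of the example; it is written for Python 3.

```python
PAGE_SIZE = 0x1000  # assumption: 4 KB pages, the x86 non-PAE/PAE small page


class ToyAddressSpace:
    """Constructed stand-in for an address space. Pages are a dict of
    {virtual_page_base: PAGE_SIZE bytes}; vtop is the identity for present
    pages and None for everything else (a zero PTE, a paged-out page)."""

    def __init__(self, pages):
        self.pages = pages

    def vtop(self, vaddr):
        base = vaddr & ~(PAGE_SIZE - 1)
        return base if base in self.pages else None

    def read(self, vaddr, length):
        """All-or-nothing read: None if any page in the range is unmapped."""
        out = bytearray()
        addr, end = vaddr, vaddr + length
        while addr < end:
            base = addr & ~(PAGE_SIZE - 1)
            if self.vtop(addr) is None:
                return None
            off = addr - base
            chunk = min(PAGE_SIZE - off, end - addr)
            out += self.pages[base][off:off + chunk]
            addr += chunk
        return bytes(out)


def read_zero_filled(addr_space, base, size, page_size=PAGE_SIZE):
    """Read [base, base+size) one page at a time. Unreadable pages become
    zeros so the dump keeps its in-memory layout; the page bases that were
    substituted are returned so the caller can record the gaps."""
    out = bytearray()
    missing = []
    addr, end = base, base + size
    while addr < end:
        page_base = addr & ~(page_size - 1)
        off = addr - page_base
        chunk = min(page_size - off, end - addr)
        data = addr_space.read(addr, chunk)
        if data is None:
            missing.append(page_base)
            data = b"\x00" * chunk
        out += data
        addr += chunk
    return bytes(out), missing


def sample_module():
    """Constructed three-page driver image: the first and third pages are
    mapped, the middle page has no translation. Returns (space, base, size)."""
    base, size = 0xf8a00000, 3 * PAGE_SIZE
    page0 = (b"MZ" + b"\x90" * (PAGE_SIZE - 2))          # DOS header stub
    page2 = (b".text" + b"\xcc" * (PAGE_SIZE - 5))       # some section data
    space = ToyAddressSpace({base: page0, base + 2 * PAGE_SIZE: page2})
    return space, base, size


if __name__ == "__main__":
    space, base, size = sample_module()
    print("single read:", space.read(base, size))   # None: one page is unmapped
    dump, missing = read_zero_filled(space, base, size)
    print("dumped %d bytes, %d page(s) zero-filled: %s"
          % (len(dump), len(missing), ["%08x" % m for m in missing]))
```

Hashing a dump produced this way is only meaningful if the zero-filled pages are recorded alongside the hash, since two images of the same driver with different pages resident will hash differently.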
Hi Mark,
Did you install the registry plugins (that contain hivescan)? Make
sure you get all supporting libraries installed. You can check
Moyix's blogpost
(http://moyix.blogspot.com/2009/01/memory-registry-tools.html) on how
to install/use it and there are also installation manuals on the
Documentation wiki that cover it as well
(http://code.google.com/p/volatility/wiki/DocFiles) Also, you may
want to use the framework from the SVN
(http://code.google.com/p/volatility/source/checkout) if you haven't
already (there's also documentation on how to use SVN on the
documentation wiki)...
As Darren also said, the forensics wiki
(http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins) has a
pretty good list of current Volatility plugins.
All the best,
-gleeda
> Date: Mon, 28 Jun 2010 22:09:02 +0000 (UTC)
> From: mark-wade(a)comcast.net
> Subject: [Vol-users] Third Party plugins
> To: vol-users(a)volatilityfoundation.org
> Message-ID:
> <1973170622.78668.1277762942105.JavaMail.root(a)sz0109a.westchester.pa.mail.comcast.net>
>
> Content-Type: text/plain; charset="utf-8"
>
>
> Hello,
>
> I am trying to see if there is a list or repository anywhere for third party plugins. Also, I am running the hivescan with the 1.3 Beta. I dumped the hivescan plugin package in the Volatility directory, but when I run it I am getting the message: Error: Invalid module [ hivescan ]. Are there any docs to address running third party apps with Volatility? I am running it on Windows.
>
> Thanks