Hi Tom, <br><br>Volatility 2.0 did not support x64 at all, despite its ability to identify the image as Win7SP0x64. That&#39;s why you get &quot;Invalid profile Win7SP0x64 selected&quot; when using Volatility 2.0. So if you plan to analyze x64 you&#39;re best bet is to check out the 2.1 alpha branch. <div>
<br></div><div>$ svn checkout <a href="https://volatility.googlecode.com/svn/trunk/">https://volatility.googlecode.com/svn/trunk/</a> volatility_21_alpha </div><div><br></div><div>You said below that you&#39;ve already tried &quot;imageinfo&quot; on your Win7 x64 dump with the 2.1 alpha branch, but I didn&#39;t see your output. Could you try these few commands and paste the results?</div>
<div><br></div><div>$ python vol.py -f memory.raw imageinfo </div><div><br></div><div>$ python vol.py -f memory.raw pslist --profile=Win7SP0x64 </div><div><br></div><div>Note that &quot;imageinfo&quot; is one of the few commands that you do not need to specify a profile. For most others you need to use --profile=Win7SP0x64. </div>
<div><br></div><div>Let us know if that helps? </div><div><br></div><div>MHL<br><br><div class="gmail_quote">On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <span dir="ltr">&lt;<a href="mailto:tom@yarrish.com">tom@yarrish.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey all,<br>
So we&#39;re moving to Windows 7 (64-bit) in our environment, and our<br>
current method of getting memory images off of machines has changed.<br>
So we&#39;re using EnCase Enterprise to grab memory dumps.  Then what I&#39;ve<br>
been doing is using FTK Imager to convert that to a DD image, and we<br>
run it through our regular tool.  I run the same DD image through<br>
Volatility.  I&#39;m running Volatility on OS X Lion.<br>
<br>
Recently, I&#39;ve noticed when I&#39;m just doing an imageinfo with<br>
Volatility (both 2.0 and 2.1_alpha), I&#39;m getting the following:<br>
<br>
<br>
Volatile Systems Volatility Framework 2.0<br>
Determining profile based on KDBG search...<br>
<br>
          Suggested Profile(s) : No suggestion (Instantiated with no profile)<br>
                     AS Layer1 : FileAddressSpace (memory.bin)<br>
                      PAE type : No PAE<br>
<br>
So my first thought was is was an issue with converting an E01 to a DD<br>
image.  So I ran a test on a standard Windows 7 build in our<br>
organization.<br>
<br>
1) Do a memory collection with EnCase, convert to DD with FTK Imager<br>
2) Do a memory collection with FDPro<br>
3) Do a memory collection with DumpIt<br>
<br>
Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha<br>
code, and the results were the same with one exception.  With the 2.0<br>
code, and the DumpIt memory dump, I got the following:<br>
<br>
<br>
Volatile Systems Volatility Framework 2.0<br>
Determining profile based on KDBG search...<br>
<br>
          Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)<br>
                     AS Layer1 : FileAddressSpace (memory.raw)<br>
                      PAE type : No PAE<br>
<br>
But if I try to run another command with --profile=Win7SP0x64 I get:<br>
<br>
Volatile Systems Volatility Framework 2.0<br>
ERROR   : volatility.addrspace: Invalid profile Win7SP0x64 selected<br>
<br>
I&#39;m just wondering if there&#39;s something funky with my Volatility<br>
installation, or if there could be something I need to check in our 7<br>
build that could be causing this.<br>
<br>
Thanks ahead of time,<br>
Tom<br>
_______________________________________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
</blockquote></div><br></div>