Lou,
I don't know the answer to your question, but you could 'plan B' collect
memory with a memory capture program to keep your analysis going while you find the
answer. I have an XP x86 and use windd32 to collect the memory; it works fine for me.
Best,
Mike
Date: Fri, 10 Feb 2012 22:48:54 -0500
From: louislarocca(a)gmail.com
To: vol-users(a)volatilityfoundation.org
Subject: [Vol-users] VM image of memory- This is not a VMEM file
When imaging memory on a live VM system to do analysis for malware, Volatility does not
recognize it (see below). Is there anyone on this mailing list who has the knowledge of
how I can remedy this without shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the memdump of a live VM
machine with a hex editor? And if it can be done, does anyone know the addresses of that
space to take out and substitute? I hope that made sense...
If you look at a normal image of memory in a hex editor you can clearly see the difference
between that and a VM dump from a live system; there seems to be some extra padded stuff
right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
_______________________________________________ Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
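Added example, not from this thread and not Volatility's own code: a scanner that finds a 32-bit non-PAE Windows page directory in a raw dump by its self-referencing entry (Windows x86 maps the page tables at 0xC0000000, so PDE 0x300 points back at the directory itself), and from that works out how many bytes of header sit in front of physical memory. The dump, the header contents and the function names are my own constructions; a PAE or x64 guest uses a different layout and this check will not apply.

```python
import struct

PAGE = 0x1000
# Windows x86 (non-PAE) maps the page tables at 0xC0000000, so the page
# directory holds a pointer to itself at index 0xC0000000 >> 22 (0x300).
SELF_PDE = 0xC0000000 >> 22
PDE_PRESENT = 0x1
PDE_PFN_MASK = 0xFFFFF000


def present_entries(image, off):
    """Count present PDEs in the 4 KiB page at file offset off."""
    return sum(1 for e in struct.unpack_from("<1024I", image, off) if e & PDE_PRESENT)


def find_x86_dtb_candidates(image, step=PAGE, limit=None):
    """Return (file_offset, physical_dtb, header_bytes) for pages that look
    like a non-PAE page directory. The self-map entry gives the page's own
    physical address, so file_offset - physical is the size of any header in
    front of memory. A header that is not a multiple of 4 KiB hides the
    directory from a page-aligned scan: retry with a small step over the
    first few MiB (limit) if a plain scan finds nothing."""
    end = len(image) - PAGE
    if limit is not None:
        end = min(end, limit)
    hits = []
    for off in range(0, end + 1, step):
        entry = struct.unpack_from("<I", image, off + SELF_PDE * 4)[0]
        if not entry & PDE_PRESENT:
            continue
        phys = entry & PDE_PFN_MASK
        header = off - phys
        # A real directory maps itself plus a fair amount of other memory;
        # a lone self-pointing dword is most likely a false positive.
        if header < 0 or present_entries(image, off) < 2:
            continue
        hits.append((off, phys, header))
    return hits


def build_sample_dump(header_len=0x200):
    """Constructed sample: a bogus 0x200-byte header, then 8 pages of 'RAM'
    with a fake page directory at physical 0x3000 and a decoy at 0x5000."""
    mem = bytearray(8 * PAGE)
    pd = 0x3000
    struct.pack_into("<I", mem, pd + SELF_PDE * 4, pd | 0x63)         # self map
    struct.pack_into("<I", mem, pd, 0x1000 | 0x67)                    # PDE[0] -> page table
    struct.pack_into("<I", mem, 0x5000 + SELF_PDE * 4, 0x5000 | 0x63)  # decoy: self map only
    return b"CONSTRUCTED-HEADER".ljust(header_len, b"\0") + bytes(mem)
```

On the sample, the page-aligned scan finds nothing because the 0x200-byte header shifts every page off alignment, while a 4-byte step reports the directory at file offset 0x3200, physical 0x3000, header 0x200.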