Hey Mark,

Do you have the following directory structure?

$VOLHOME/volatility
$VOLHOME/rip.pl
$VOLHOME/vtypes.py
$VOLHOME/rrplugins
$VOLHOME/regwrap.py

vtypes.py should be in the same directory as rip.pl but according to your output, rip.pl can't find vtypes.py.

MHL

On Wed, Jan 27, 2010 at 12:53 PM, Mark Morgan <mark.morgan47@gmail.com> wrote:
Michael thanks for the info.  I got past that little problem but have one problem when I am processing the image using the regripper through volatility.  I downloaded the latest volreg and volrip into the latest svn version.  I ran the following command:

root@morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin@0xe1035b60 -f system

And I get the following errror:


Traceback (most recent call last):
  File "<string>", line 1, in <module>
ImportError: No module named vtypes
Error -- py_eval raised an exception at rip.pl line 21.

Have I left something out or am I simply missing a step?/

Mark





On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen <scudette@gmail.com> wrote:
Mark,
 The following will check out all branches (including experimental):

svn checkout http://volatility.googlecode.com/svn/ volatility

Michael.

On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan <mark.morgan47@gmail.com> wrote:
> I do not have the beta branch.  Where do you get that version?
>
> Mark
>
>
> On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette@gmail.com> wrote:
>>
>> Mark,
>>  Are you getting the same bug with the 1.4beta branch?  We have
>> rewritten much of the object framework. It looks like its passing an
>> int rather than an object somewhere here.
>>
>> Michael.
>>
>> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47@gmail.com>
>> wrote:
>> > I am trying to use printkey against a Windows XP image and keep getting
>> > an
>> > error when I use printkey.  I have also provided the commands I used for
>> > hivescan and hivelist which work great but printkey does not.  Does
>> > anyone
>> > have any suggestions as to why.  I initially thought it was because it
>> > was
>> > SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img that
>> > was
>> > suggested to use in Brendan's guide but I get the same results.  Anyone
>> > have
>> > any thoughts as to why???
>> >
>> >
>> > Mark Morgan
>> > 702-942-2556
>> >
>> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
>> > hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>> >
>> > Offset (hex)
>> >
>> > 181006344 0xac9f008
>> >
>> > 181033824 0xaca5b60
>> >
>> > 189972488 0xb52c008
>> >
>> > 202671368 0xc148508
>> >
>> > 544586592 0x2075bb60
>> >
>> > 642878304 0x26518b60
>> >
>> > 643895304 0x26611008
>> >
>> > 678736920 0x2874b418
>> >
>> > 740933640 0x2c29c008
>> >
>> > 742706016 0x2c44cb60
>> >
>> > 789179232 0x2f09eb60
>> >
>> > 798029088 0x2f90f520
>> >
>> > 1107776776 0x42075508
>> >
>> > 1874516240 0x6fbad910
>> >
>> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
>> > hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
>> >
>> > Address Name
>> >
>> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application
>> > Data\Microsoft\Windows\UsrClass.dat
>> >
>> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
>> >
>> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local
>> > Settings\Application
>> > Data\Microsoft\Windows\UsrClass.dat
>> >
>> > 0xe1895520 \Documents and Settings\LocalService\Local
>> > Settings\Application
>> > Data\Microsoft\Windows\UsrClass.dat
>> >
>> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
>> >
>> > 0xe1396008 \Documents and Settings\NetworkService\Local
>> > Settings\Application
>> > Data\Microsoft\Windows\UsrClass.dat
>> >
>> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
>> >
>> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
>> >
>> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
>> >
>> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
>> >
>> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
>> >
>> > 0xe18b6008 [no name]
>> >
>> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
>> >
>> > 0xe102e008 [no name]
>> >
>> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
>> > printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
>> >
>> > Key name: [9252] (Stable)
>> >
>> > Last updated: Wed Jul 29 02:08:26 2009
>> >
>> > Subkeys:
>> >
>> > Traceback (most recent call last):
>> >
>> > File "./volatility", line 219, in <module>
>> >
>> > main()
>> >
>> > File "./volatility", line 215, in main
>> >
>> > command.execute()
>> >
>> > File "memory_plugins/registry/printkey.py", line 97, in execute
>> >
>> > for s in subkeys(key):
>> >
>> > File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py",
>> > line
>> > 144, in subkeys
>> >
>> > s.is_valid() and s.Signature == NK_SIG]
>> >
>> > AttributeError: 'int' object has no attribute 'is_valid'
>> >
>> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
>> > ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>> >
>> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
>> >
>> > Image Type: Service Pack 3
>> >
>> > VM Type: pae
>> >
>> > DTB: 0x33e000
>> >
>> > Datetime: Tue Aug 04 11:02:35 2009
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users@volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>> >
>
>


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users