"--type=Registry" works. -R appears to no longer be an option.On May 18, 2015, at 11:30 AM, Jared Greenhill <jared703@gmail.com> wrote:Vol Team,II've been unable to parse the Registry of a Windows system with 2.4 like I could with 2.3 using the "-R" switch. Do you invoke Registry parsing the same with 2.4 and Timeliner? When I remove the "-R" flag timeliner runs as expected. Apologies if this has been discussed somewhere. I've tried with Vol.py (compiled from source) and the Windows binary flavor of 2.4.Here's the errors I am receiving:C:\Users\DFIR-PC\Desktop\Mem>vol.exe -f Bad.img timeliner --output=body > timeline.txt -RVolatility Foundation Volatility Framework 2.4Usage: Volatility - A memory forensics analysis platform.vol.exe: error: no such option: -RC:\Users\DFIR-PC\Desktop\Mem>vol.exe -f Bad.img timeliner --output=body --output-file=timeline.txt -RVolatility Foundation Volatility Framework 2.4Usage: Volatility - A memory forensics analysis platform.vol.exe: error: no such option: -RC:\Users\DFIR-PC\Desktop\Mem>c:\volatility-master\vol.py -f Bad.img timeliner --output=body --output-file=timeline.txt -RVolatility Foundation Volatility Framework 2.4Usage: Volatility - A memory forensics analysis platform.vol.py: error: no such option: -RThanks!Jared_______________________________________________Vol-users mailing listVol-users@volatilityfoundation.orghttp://lists.volatilityfoundation.org/mailman/listinfo/vol-users_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users