RE: [Vol-users] stings input file format question

Hi Eknath, I am not familiar with pdb. Do you know of a URL where I can read about it? Thanks, Mike Date: Mon, 27 Feb 2012 16:28:05 -0500 Subject: Re: [Vol-users] stings input file format question From: eknath.iyer(a)gmail.com To: dragonforen(a)hotmail.com CC: vol-users(a)volatilityfoundation.org Don't know if this might help but why don't you run strings within pdb and see exactly where it fails. You could run the two instances of volatility side by side in pdb and compare. On Feb 27, 2012 4:06 PM, "Mike Lambert" <dragonforen(a)hotmail.com> wrote: I am mystified why I see the following: in one case I get output from strings and the other I get an input file format error. I have tried this with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time to return the error, 2.0 returs the error quickly. I thought the reason may be length, so I broke up the Ypycub offsets into increasingly smaller input files; no success was achived with the smaller input files. I don't see a format difference in these 2 files. The offsets come from an Encase search of 120225b.mem. It is a 458MB WinXPSP3x86 image converted from hiberfil.sys. Vol 1.3 example: The same result is seen with Vol 2.0 The input file is: 357229672:Glows 280642408:Glows 257105340:Glows 113457472:Glows 357230696:Glows C:\Python27\Volatility-1.3_Beta>python volatility strings -f e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt 357229672 [kernel:df864468 ] Glows 280642408 [1456:45b8368 ] Glows 257105340 [kernel:e1ec1dbc ] Glows 113457472 [1456:2ac0940 ] Glows 357230696 [kernel:df864868 ] Glows ----------------------cut-here------------------------- The input file is: 7744388:Ypycub 10830274:Ypycub 70385414:Ypycub 70918297:Ypycub 70918649:Ypycub 73375514:Ypycub 91390974:Ypycub 104879126:Ypycub 104879154:Ypycub 132968006:Ypycub 215776800:Ypycub 232868024:Ypycub 232869190:Ypycub 237434963:Ypycub 237434991:Ypycub 256642118:Ypycub 285030170:Ypycub 310449659:Ypycub 310449687:Ypycub 314178656:Ypycub 325974496:Ypycub 327972307:Ypycub 327972335:Ypycub 338814062:Ypycub 338814854:Ypycub 339229856:Ypycub 339763304:Ypycub 339763544:Ypycub 339893168:Ypycub 340101984:Ypycub 343215259:Ypycub 343215287:Ypycub 357229759:Ypycub 361836122:Ypycub 367889650:Ypycub 455348611:Ypycub 455348639:Ypycub C:\Python27\Volatility-1.3_Beta>python volatility strings -f e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt Usage: strings [options] (see --help) volatility: error: String file format invalid. Thanks for any assistance. Mike _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users