On Mon, Oct 6, 2008 at 12:12 PM, Brendan Dolan-Gavitt
<bdolangavitt(a)wesleyan.edu> wrote:
These are in DD format. They are direct dumps of physical memory, and have
no header. Physical address x in memory corresponds to file address x in the
file. This is the format that Volatility has actually supported the longest
-- crash and hiber are new :)
OK, so actually 3 formats are supported now, not 2!
Are you having trouble getting Volatility to run on the sample images?
No, it works well!
Thanks a lot,
J
On Oct 5, 2008, at 10:58 PM, Jun Koi wrote:
On Fri, Oct 3, 2008 at 1:50 PM, Jun Koi
<junkoi2004(a)gmail.com> wrote:
On Fri, Oct 3, 2008 at 12:48 PM, Brendan Dolan-Gavitt
<bdolangavitt(a)wesleyan.edu> wrote:
>
> Hi,
>
> You might want to verify that you downloaded the complete image. The SHA1
> and MD5 sums are:
>
> MD5:
> 82c64f3292b7794d45cbffce6c5e51a2 memory-images.rar
>
> SHA1:
> 70c68127faef865a45a0fcd4b5b360482f833b7f memory-images.rar
>
> I just re-downloaded it from the NIST site and confirmed that it contains:
> boomer-win2003-2006-03-17.img
> boomer-win2k-2006-02-27-0824.img
> vista-beta2.img
> xp-laptop-2005-06-25.img
> xp-laptop-2005-07-04-1430.img
I can get these files. But what are their formats?
If I am not wrong, currently only crashdump & hiber files are
supported. I checked these 2 files, and none of them are crashdump or
hiber (I checked the first few bytes of them).
Many thanks,
J
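
Added example, not part of the original thread and not Volatility's own code: a sketch of the checks discussed above, hashing a download in chunks, looking at the first bytes for a crash dump or hibernation header, and reading a raw (dd) image where physical address x is file offset x. The signature lists are assumptions based on the well-known Windows header magics, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import io

# Well-known header signatures (assumed here; the thread does not list them).
CRASH_MAGICS = (b"PAGEDUMP", b"PAGEDU64")   # 32-bit and 64-bit Windows crash dumps
HIBER_MAGICS = (b"hibr", b"HIBR", b"wake", b"WAKE", b"RSTR")  # hiberfil.sys

def sniff_format(stream):
    """Return 'crash', 'hiber' or 'raw' from the first bytes of an image.

    'raw' only means no known header was found: a dd image has no signature.
    """
    stream.seek(0)
    head = stream.read(8)
    if head in CRASH_MAGICS:
        return "crash"
    if head[:4] in HIBER_MAGICS:
        return "hiber"
    return "raw"

def read_physical(stream, paddr, length):
    """Read from a raw (dd) image, where physical address x is file offset x."""
    stream.seek(paddr)
    data = stream.read(length)
    if len(data) != length:
        raise ValueError("range 0x%x+%d is past the end of the image" % (paddr, length))
    return data

def digests(stream, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte images are never loaded whole."""
    stream.seek(0)
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: stream.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()

if __name__ == "__main__":
    # Constructed sample: a 12 KiB headerless image with a marker at 0x2000.
    raw = bytearray(0x3000)
    raw[0x2000:0x2004] = b"TEST"
    image = io.BytesIO(bytes(raw))
    print(sniff_format(image))
    print(read_physical(image, 0x2000, 4))
    print(digests(image))
```

For a real file, pass `open(path, "rb")` to the same functions and compare the digests with the published sums before analysis.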