Re: [Vol-users] Errorrunning "volatility files"
13 Nov
2008
13 Nov
'08
8:57 a.m.
AAron,
Thank you for your quick answer.
The size of physical memory is 4GB, size of the image is 3GB (limited
because of 32-Bit XP). The image was captured with winen and has been
converted to a dd-style image with ewfexport.
The "regobjkeys" switch gives the same error, for the other modules I'll
have to test the results. Furthermore I tried Jesse's cryptoscan plugin
but didn't get a result - I'll test that with other images captured with
win32dd and mdd to see if that'll give a result.
Christian
AAron Walters wrote:
Christian,
Thanks for the email! From the error, it appears that the virtual
address for the handle object it is requesting is not valid. All we
need to do is add a simple to check to make sure the address is valid
and if not continue to the next handle table entry. I will work on
getting you a patch that you can test on your sample.
Are the rest of the modules/plugin working correctly on your sample?
If you don't mind me asking, how big is physical memory on this machine?
Thanks again for the email!
AW
On Thu, 13 Nov 2008, Christian Herndler wrote:
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Hi,
when running
python volatility files -f ../mem.dd
I get a correct looking result for the first 8 processes, then I get the
following error:
<-------------------------------------snip
-------------------------------------------->
Pid: 644
Traceback (most recent call last):
File "volatility", line 219, in <module>
main()
File "volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/vmodules.py", line
62, in execute
self.cmd_execute(module, args)
File "/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/vmodules.py", line
545, in get_open_files
L1_table = handle_entry_object(addr_space, types, L1_entry)
File
"/home/chris/tmp/Mem-Image/Volatility-1.3_Beta/forensics/win32/handles.py",
line 77, in handle_entry_object
['_HANDLE_TABLE_ENTRY', 'Object'], entry_vaddr) & ~0x00000007
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
<-------------------------------------snip
-------------------------------------------->
The operating system in the image is a XPSP3, volatility ident shows:
Image Name: ../mem.dd
Image Type: Service Pack 3
VM Type: pae
DTB: 0xa1c000
Datetime: Wed Nov 12 18:39:28 2008
Any ideas what could be the problem ?
Christian
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users