Hi James,

According to the wiki (https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#configuration-files), if you're putting the config file in the same folder it should be named "volatilityrc" (no dot).

You use the dot if it's in the home folder, e.g. "~/.volatilityrc".
You could test by passing the file path with "--conf-file".

Syntax of the file content looks good though.

Adam


On 6 May 2016 at 16:41, James Kelly <42jameskelly@gmail.com> wrote:
1. I have a directory with a memory dump called memdum.bin

2. I run volatility image info against it and I get
Air:ticket_number jamesk$ vol.py -f memdump.bin imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/jamesk/Desktop/jackcr-challenge/DC-USTXHOU/ticket_number/memdump.bin)
                      PAE type : No PAE
                           DTB : 0x39000L
                          KDBG : 0x805583d0L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-11-27 02:01:57 UTC+0000
     Image local date and time : 2012-11-26 20:01:57 -0600

3. I can run vol.py --profile=Win2003SP0x86 -f memdump.bin pslist and get process list just fine…but...
In that same directory as the memdump.bin file  I have a .volatilityrc file which contains

[DEFAULT]
PROFILE=Win2003SP2x86

When I run vol.py pslist I get:
No suitable address space mapping found

Is my syntax incorrect somewhere?

Jk




_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users