Hey all,
So we're moving to Windows 7 (64-bit) in our environment, and our
current method of getting memory images off of machines has changed.
So we're using EnCase Enterprise to grab memory dumps. Then what I've
been doing is using FTK Imager to convert that to a DD image, and we
run it through our regular tool. I run the same DD image through
Volatility. I'm running Volatility on OS X Lion.
Recently, I've noticed when I'm just doing an imageinfo with
Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
So my first thought was it was an issue with converting an E01 to a DD
image. So I ran a test on a standard Windows 7 build in our
organization.
1) Do a memory collection with EnCase, convert to DD with FTK Imager
2) Do a memory collection with FDPro
3) Do a memory collection with DumpIt
I ran the imageinfo command in both Volatility 2.0 and the 2.1_alpha
code, and the results were the same with one exception. With the 2.0
code and the DumpIt memory dump, I got the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.raw)
PAE type : No PAE
But if I try to run another command with --profile=Win7SP0x64 I get:
Volatile Systems Volatility Framework 2.0
ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
I'm just wondering if there's something funky with my Volatility
installation, or if there could be something I need to check in our 7
build that could be causing this.
Thanks ahead of time,
Tom
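Added example (not Tom's or the Volatility project's code): a small stand-alone check that scans a raw (DD) image for the KDBG owner tag and reports the header's Size field, so you can tell whether the converted image still contains a debugger data block at all before suspecting the Volatility install. It assumes the documented _DBGKD_DEBUG_DATA_HEADER32/64 layout (list entry, then OwnerTag, then Size) and the per-release Size values that Volatility's KDBG signatures use; it runs against a constructed sample when no path is given.

```python
import mmap
import struct
import sys

KDBG_TAG = b"KDBG"

# Header layout: _DBGKD_DEBUG_DATA_HEADER32 is LIST_ENTRY32 (8 bytes) + OwnerTag + Size,
# _DBGKD_DEBUG_DATA_HEADER64 is LIST_ENTRY64 (16 bytes) + OwnerTag + Size. Either way the
# 4-byte Size field immediately follows the tag. Size values per release as used in
# Volatility's KDBG signatures (assumption; Win7 x86 and x64 share 0x340).
KNOWN_SIZES = {0x290: "Windows XP", 0x328: "Windows Vista / 2008", 0x340: "Windows 7 / 2008 R2"}


def scan_kdbg(image):
    """Return candidate KDBG headers as (tag_offset, size, pointer_width_guess, description).
    Hits whose Size field is not a known value are dropped as false positives."""
    hits = []
    pos = image.find(KDBG_TAG)
    while pos != -1:
        if pos + 8 <= len(image):
            size = struct.unpack_from("<I", image, pos + 4)[0]
            if size in KNOWN_SIZES:
                # Heuristic: on x64 the Blink pointer right before the tag is a kernel
                # address (0xfffff8...), so its top two bytes are 0xff 0xff; on x86 the
                # list entries are zero in a memory image.
                width = 64 if pos >= 8 and bytes(image[pos - 2:pos]) == b"\xff\xff" else 32
                hits.append((pos, size, width, KNOWN_SIZES[size]))
        pos = image.find(KDBG_TAG, pos + 1)
    return hits


def build_sample_image():
    """Constructed test image (not a real dump): zeroed pages holding one x64-style Win7
    header, one x86-style XP header and a decoy 'KDBG' string with an implausible Size."""
    img = bytearray(0x4000)
    struct.pack_into("<QQ4sI", img, 0x1000, 0, 0xFFFFF80001234567, KDBG_TAG, 0x340)
    struct.pack_into("<II4sI", img, 0x3000, 0, 0, KDBG_TAG, 0x290)
    img[0x2000:0x2008] = b"KDBG\xef\xbe\xad\xde"
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            hits = scan_kdbg(data)
    else:
        hits = scan_kdbg(build_sample_image())
    for off, size, width, desc in hits:
        print(f"KDBG tag at 0x{off:x}: Size=0x{size:x} ({desc}), header looks {width}-bit")
```

If a genuine Win7 x64 image yields no hit at all, the conversion (or the collection) is the thing to look at; if it does yield a hit, the image is fine and the problem lies with the profile support in the Volatility build being used.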