These are in DD format. They are direct dumps of physical memory, and
have no header. Physical address x in memory corresponds to file
address x in the file. This is the format that Volatility has
actually supported the longest -- crash and hiber are new :)
Are you having trouble getting Volatility to run on the sample images?
Cheers,
Brendan
On Oct 5, 2008, at 10:58 PM, Jun Koi wrote:
On Fri, Oct 3, 2008 at 1:50 PM, Jun Koi <junkoi2004(a)gmail.com> wrote:
On Fri, Oct 3, 2008 at 12:48 PM, Brendan Dolan-Gavitt <bdolangavitt(a)wesleyan.edu> wrote:
> Hi,
>
> You might want to verify that you downloaded the complete image. The
> SHA1 and MD5 sums are:
>
> MD5:
> 82c64f3292b7794d45cbffce6c5e51a2 memory-images.rar
>
> SHA1:
> 70c68127faef865a45a0fcd4b5b360482f833b7f memory-images.rar
>
> I just re-downloaded it from the NIST site and confirmed that it
> contains:
> boomer-win2003-2006-03-17.img
> boomer-win2k-2006-02-27-0824.img
> vista-beta2.img
> xp-laptop-2005-06-25.img
> xp-laptop-2005-07-04-1430.img
I can get these files. But what are their formats?
If I am not wrong, currently only crashdump & hiber files are
supported. I checked these 2 files, and none of them are crashdump or
hiber (I checked the first few bytes of them).
Many thanks,
J
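The point of the thread, shown as an added example that is not Brendan's or Volatility's code: a crash dump or hibernation file announces itself in its first bytes (the Windows signatures PAGEDUMP/PAGEDU64 and hibr/HIBR), whereas a raw DD image has no header at all, so physical address x is simply file offset x. The sample image bytes below are constructed, not taken from the NIST images.

```python
# Added example (not from the original thread): tell the three image
# formats apart by their first bytes, then read a page from a raw dd image.

CRASHDUMP_MAGIC = (b"PAGEDUMP", b"PAGEDU64")   # Windows crash dump header
HIBER_MAGIC = (b"hibr", b"HIBR")               # Windows hibernation file header


def classify_image(header: bytes) -> str:
    """Guess the format from the first 8 bytes of an image.
    A raw dd dump has no signature, so anything unrecognised is 'raw'."""
    if header[:8] in CRASHDUMP_MAGIC:
        return "crashdump"
    if header[:4] in HIBER_MAGIC:
        return "hiber"
    return "raw"


def read_physical(image: bytes, paddr: int, length: int) -> bytes:
    """Read `length` bytes at physical address `paddr` from a raw dd image.
    The address space is an identity map: physical address x == file offset x,
    so there is nothing to translate; only the bounds need checking."""
    if paddr < 0 or paddr + length > len(image):
        raise ValueError("address 0x%x lies outside the image" % paddr)
    return image[paddr:paddr + length]


# Constructed sample image (not a real dump): three 4 KiB pages, with a
# recognisable marker planted at physical address 0x2000.
PAGE = 0x1000
_raw = bytearray(3 * PAGE)
_raw[2 * PAGE:2 * PAGE + 4] = b"MZ\x90\x00"
RAW_IMAGE = bytes(_raw)


def demo():
    """Classify the constructed image and fetch the marker at 0x2000."""
    fmt = classify_image(RAW_IMAGE[:8])
    marker = read_physical(RAW_IMAGE, 0x2000, 4)
    return fmt, marker


if __name__ == "__main__":
    print(demo())
```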