When imaging memory on a live VM system to do analysis for malware,
Volatility does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the
memdump of a live VM machine with a Hex editor? And if it can be done does
anyone know the addresses of that space to take out and substitute? I hope
that made sense......
If you look at a normal image of memory in a hex editor you can clearly see
the difference between that and a VM dump from a live system; there seems
to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
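The "No valid DTB found" line means the scanner could not locate the Idle process's page-directory base. The following is an added example (not code from the post or from Volatility) that reproduces that search on a raw 32-bit non-PAE image and then checks the candidate DTB against the page directory's self-map entry; it assumes Windows XP x86 _EPROCESS offsets and a constructed sample image, and shows why a dump with a header or padding in front of the memory contents fails the check even when the DTB value itself is right.

```python
import struct

# Offsets assumed here for Windows XP SP2/SP3 x86 _EPROCESS (assumption, not from the post).
EPROC_SIG = b"\x03\x00\x1b\x00"  # _DISPATCHER_HEADER: Type 3 (process), Size 0x1b dwords
DTB_OFF = 0x18                   # _KPROCESS.DirectoryTableBase
NAME_OFF = 0x174                 # _EPROCESS.ImageFileName, 16 bytes
PDE_SELF = 0x300                 # PDE index of 0xC0000000: non-PAE x86 maps the page directory onto itself


def find_idle_dtb(image):
    """Scan a raw x86 (non-PAE) image for the Idle _EPROCESS and return (file_offset, dtb) or None."""
    pos = 0
    while True:
        pos = image.find(EPROC_SIG, pos)
        if pos < 0 or pos + NAME_OFF + 16 > len(image):
            return None
        name = image[pos + NAME_OFF:pos + NAME_OFF + 16].split(b"\x00", 1)[0]
        dtb = struct.unpack_from("<I", image, pos + DTB_OFF)[0]
        # A page-directory base is page aligned; reject zero and unaligned values.
        if name == b"Idle" and dtb and dtb % 0x1000 == 0:
            return pos, dtb
        pos += 1


def dtb_is_valid(image, dtb):
    """True if the page directory at physical address dtb holds its own self-map entry.

    When file offsets are not physical addresses (a header or padding precedes the
    memory contents), this fails even for a correct DTB, so patching the value
    with a hex editor would not help.
    """
    entry_off = dtb + PDE_SELF * 4
    if entry_off + 4 > len(image):
        return False
    pde = struct.unpack_from("<I", image, entry_off)[0]
    return bool(pde & 1) and (pde & 0xFFFFF000) == dtb


def build_sample(padding=0):
    """Constructed 16 KiB image: page directory at 0x1000, fake Idle _EPROCESS at 0x2000."""
    img = bytearray(0x4000)
    struct.pack_into("<I", img, 0x1000 + PDE_SELF * 4, 0x1000 | 0x63)  # self-map PDE, present+rw
    img[0x2000:0x2004] = EPROC_SIG
    struct.pack_into("<I", img, 0x2000 + DTB_OFF, 0x1000)
    img[0x2000 + NAME_OFF:0x2000 + NAME_OFF + 4] = b"Idle"
    return b"\xaa" * padding + bytes(img)  # padding models extra bytes in front of the dump


if __name__ == "__main__":
    for pad in (0, 0x200):
        img = build_sample(pad)
        off, dtb = find_idle_dtb(img)
        print(f"padding={pad:#x}: Idle at {off:#x}, DTB={dtb:#x}, self-map ok={dtb_is_valid(img, dtb)}")
```

Run against a real raw XP x86 dump, a found-but-invalid DTB is a strong hint that the file is not a plain physical-memory image (as the error output above suggests), and a proper conversion to raw format is needed rather than a hex edit.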