Re: [Vol-users] stings input file format question
Eknath Venkataramani
27 Feb
2012
27 Feb
'12
4:28 p.m.
Don't know if this might help but why don't you run strings within pdb and
see exactly where it fails. You could run the two instances of volatility
side by side in pdb and compare.
On Feb 27, 2012 4:06 PM, "Mike Lambert" <dragonforen(a)hotmail.com> wrote:
I am mystified why I see the following: in one case I
get output from
strings and the other I get an input file format error. I have tried this
with 1.3 and 2.0 and get the same result. It takes 1.3 a looonnngg time to
return the error, 2.0 returs the error quickly.
I thought the reason may be length, so I broke up the Ypycub offsets into
increasingly smaller input files; no success was achived with the smaller
input files.
I don't see a format difference in these 2 files.
The offsets come from an Encase search of 120225b.mem. It is a 458MB
WinXPSP3x86 image converted from hiberfil.sys.
Vol 1.3 example: The same result is seen with Vol 2.0
The input file is:
357229672:Glows
280642408:Glows
257105340:Glows
113457472:Glows
357230696:Glows
C:\Python27\Volatility-1.3_Beta>python volatility strings -f
e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Glows_offsets.txt
357229672 [kernel:df864468 ] Glows
280642408 [1456:45b8368 ] Glows
257105340 [kernel:e1ec1dbc ] Glows
113457472 [1456:2ac0940 ] Glows
357230696 [kernel:df864868 ] Glows
----------------------cut-here-------------------------
The input file is:
7744388:Ypycub
10830274:Ypycub
70385414:Ypycub
70918297:Ypycub
70918649:Ypycub
73375514:Ypycub
91390974:Ypycub
104879126:Ypycub
104879154:Ypycub
132968006:Ypycub
215776800:Ypycub
232868024:Ypycub
232869190:Ypycub
237434963:Ypycub
237434991:Ypycub
256642118:Ypycub
285030170:Ypycub
310449659:Ypycub
310449687:Ypycub
314178656:Ypycub
325974496:Ypycub
327972307:Ypycub
327972335:Ypycub
338814062:Ypycub
338814854:Ypycub
339229856:Ypycub
339763304:Ypycub
339763544:Ypycub
339893168:Ypycub
340101984:Ypycub
343215259:Ypycub
343215287:Ypycub
357229759:Ypycub
361836122:Ypycub
367889650:Ypycub
455348611:Ypycub
455348639:Ypycub
C:\Python27\Volatility-1.3_Beta>python volatility strings -f
e:\tests\120225b\IRinfo\120225b.mem -s 120225b_Ypycub_offsets.txt
Usage: strings [options] (see --help)
volatility: error: String file format invalid.
Thanks for any assistance.
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Attachments:
- attachment.html (text/html — 3.2 KB)