Re: [Vol-users] VM image of memory- This is not a VMEM file

Lou, On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote: You shouldn't have to shut the system down, if you're using VMware (which it sounds like you are from the "VMEM"), then you can just suspend it and the contents of memory will be flushed to the .vmem file. What's the OS version of the VMware system and what was the command-line that you used (i.e. did you use the right --profile)? MHL > Is it possible to substitute a valid DTB from another image into the memdump > of a live VM machine with a Hex editor? And if it can be done does anyone > know the addresses of that space to take out and substitute? I hope that > made sense...... > > If you look at a normal image of memory in a hex editor you can clearly see > the difference between that and a VM dump from a live system, there seems to > be some extra padded stuff right up front. > > > > > > > > Volatile Systems Volatility Framework 2.0 > No suitable address space mapping found > Tried to open image as: > WindowsHiberFileSpace32: No base Address Space > WindowsCrashDumpSpace32: No base Address Space > JKIA32PagedMemory: No base Address Space > JKIA32PagedMemoryPae: No base Address Space > IA32PagedMemoryPae: Module disabled > IA32PagedMemory: Module disabled > WindowsHiberFileSpace32: No xpress signature fou > WindowsCrashDumpSpace32: Header signature invali > JKIA32PagedMemory: No valid DTB found > JKIA32PagedMemoryPae: No valid DTB found > IA32PagedMemoryPae: Module disabled > IA32PagedMemory: Module disabled > FileAddressSpace: Must be first Address Space > > Thanks > > Lou > > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >