I think I know the answer to this, but I want to be certain.

I captured live memory with FTK Imager Lite (Current version)

I am now trying to examine the memory, and receive:

commandme : python volatility connections -f memdump.txt
/work/Volatility-1.3_Beta/forensics/win32/crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha
Usage: connections [options] (see --help)

volatility: error: Unable to load image. Possible causes: invalid dtb, wrong image type, unsupported image type.

I suspect that FTK doesn't create a linear image.

I tried this on a Mac and Windows.

If this is correct, does anyone know of an open source tool I can analyze this ftk memory dump with? I can't recreate another.

I tried wmft_0.2 but I think that this tool is in the early stages of development. I was only able to pull a list of drivers with it.


-- Bruce D. Meyer
  Analysis & Encryption
  (803) 896-0469
  (803) 896-1650 (SOC)

  My Key Fingerprint is:
  8BC3 14B5 CE77 3C83 F4A7
  5353 3F27 97FF 0591 44F9

-------------------------
South Carolina Information Sharing and Analysis Center (SC-ISAC)
Department of State I.T. (D.S.I.T)
http://sc-isac.sc.gov
~-~-~-~-~-~-~-~-~-~-~-~-~-
Upload your PGP public key, download or verify mine at:
http://keys.cio.sc.gov
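The "Unable to load image" error above only says that the analysis tool could not interpret the file as the kind of image it was asked to parse; it does not say what the file actually is. A first triage step is to look at the file's header and size before choosing a tool or address space. The script below is an added example written for this thread, not code from the original post, from FTK Imager or from Volatility. The header signatures it checks are the documented Windows crash-dump ("PAGEDUMP"/"PAGEDU64") and hibernation-file ("hibr"/"HIBR") magics; the page-alignment heuristic, the function names and all sample buffers are constructed here for illustration.

```python
"""Triage a memory image's container format before running a memory-analysis tool.

Added example for this thread; not part of the original post, FTK Imager or Volatility.
The header magics are documented Windows formats; the page-size heuristic, the
function names and the sample buffers below are constructed for this example.
"""
import os

PAGE_SIZE = 4096  # x86 page size; a raw (linear) physical-memory dump is normally a multiple of this

# Container headers found at offset 0 of the file.
KNOWN_HEADERS = {
    b"PAGEDUMP": "windows-crashdump-32",  # 32-bit Windows crash dump (.dmp)
    b"PAGEDU64": "windows-crashdump-64",  # 64-bit Windows crash dump (.dmp)
    b"hibr": "windows-hiberfil",          # hibernation file, lower-case variant
    b"HIBR": "windows-hiberfil",          # hibernation file, upper-case variant
}


def identify_dump(head: bytes, size: int) -> dict:
    """Classify an image from its first bytes and its total size in bytes.

    Returns a dict with:
      container    - a KNOWN_HEADERS value, or "raw-or-unknown" when no header matches
      page_aligned - True when the file size is a whole number of PAGE_SIZE pages
      hint         - a one-line suggestion for the analyst
    """
    container = "raw-or-unknown"
    for magic, name in KNOWN_HEADERS.items():
        if head.startswith(magic):
            container = name
            break

    page_aligned = size > 0 and size % PAGE_SIZE == 0

    if container.startswith("windows-crashdump"):
        hint = "crash-dump container: open it with a crash-dump-aware reader, not as a raw/linear image"
    elif container == "windows-hiberfil":
        hint = "hibernation file: contents are compressed and need a hiberfil-aware reader"
    elif page_aligned:
        hint = "no container header and page-aligned size: consistent with a raw/linear image"
    else:
        hint = "no container header and size not page-aligned: image may be truncated or in an unrecognised container"

    return {"container": container, "page_aligned": page_aligned, "hint": hint}


def identify_file(path: str) -> dict:
    """Read just the first 8 bytes of a file on disk and classify it."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return identify_dump(head, os.path.getsize(path))


# Constructed sample images (headers only; not captures of any real system).
SAMPLES = {
    "crashdump32": (b"PAGEDUMP" + b"\x00" * (PAGE_SIZE - 8), PAGE_SIZE),
    "crashdump64": (b"PAGEDU64" + b"\x00" * (PAGE_SIZE - 8), 2 * PAGE_SIZE),
    "hiberfil": (b"hibr" + b"\x00" * (PAGE_SIZE - 4), 3 * PAGE_SIZE),
    "raw_aligned": (b"\x00" * 16, 2 * PAGE_SIZE),
    "raw_truncated": (b"\x00" * 16, PAGE_SIZE + 17),
}


def classify_samples() -> dict:
    """Run identify_dump over every constructed sample; keyed by sample name."""
    return {name: identify_dump(head, size) for name, (head, size) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:14s} {result['container']:22s} aligned={result['page_aligned']!s:5s} {result['hint']}")
```

Run it against the real file with `identify_file("memdump.txt")`. A result of `raw-or-unknown` with a page-aligned size means the file is at least shaped like a linear dump, and the load failure is more likely a profile or DTB problem than a container problem; a crash-dump or hibernation signature means a raw address space was never going to parse it.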