MHL,
Sorry I got the same output with both the 2.0 stable and the 2.1 alpha branches.
However, I just ran the imageinfo of the DumpIt DD image on the 2.1
alpha branch, and I did get output:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP1x64, Win2008R2SP0x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (memory.raw)
                      PAE type : PAE
                           DTB : 0x187000
                          KDBG : 0xf80002bfe0a0
                          KPCR : 0xffdff000
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-03-07 15:59:22
     Image local date and time : 2012-03-07 15:59:22
          Number of Processors : 4
                    Image Type : Service Pack 1
So that worked.  I'm trying it again with the FDPro dump, which is a
DD image dump as well.  I'll reply back when I get results from that.
I'm guessing it should work but we'll see.
My guess (as someone else suggested to me) is I may need to collect
the memory dumps with EnCase without compression and then either mount
them with mount_ewf.py or convert them with FTK Imager and test that.
What's odd is I did a test on a Win7 64-bit machine I have at home
(E01->DD) and it worked fine.
Thanks,
Tom
On Wed, Mar 7, 2012 at 3:43 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
  Hi Tom,
 Volatility 2.0 did not support x64 at all, despite its ability to identify
 the image as Win7SP0x64. That's why you get "Invalid profile Win7SP0x64
 selected" when using Volatility 2.0. So if you plan to analyze x64, your
 best bet is to check out the 2.1 alpha branch.
 $ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility_21_alpha
 You said below that you've already tried "imageinfo" on your Win7 x64 dump
 with the 2.1 alpha branch, but I didn't see your output. Could you try these
 few commands and paste the results?
 $ python vol.py -f memory.raw imageinfo
 $ python vol.py -f memory.raw pslist --profile=Win7SP0x64
 Note that "imageinfo" is one of the few commands that you do not need to
 specify a profile. For most others you need to use --profile=Win7SP0x64.
 Let us know if that helps?
 MHL
 On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
 Hey all,
 So we're moving to Windows 7 (64-bit) in our environment, and our
 current method of getting memory images off of machines has changed.
 So we're using EnCase Enterprise to grab memory dumps.  Then what I've
 been doing is using FTK Imager to convert that to a DD image, and we
 run it through our regular tool.  I run the same DD image through
 Volatility.  I'm running Volatility on OS X Lion.
 Recently, I've noticed when I'm just doing an imageinfo with
 Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
 Volatile Systems Volatility Framework 2.0
 Determining profile based on KDBG search...
          Suggested Profile(s) : No suggestion (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (memory.bin)
                      PAE type : No PAE
 So my first thought was it was an issue with converting an E01 to a DD
 image.  So I ran a test on a standard Windows 7 build in our
 organization.
 1) Do a memory collection with EnCase, convert to DD with FTK Imager
 2) Do a memory collection with FDPro
 3) Do a memory collection with DumpIt
 Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
 code, and the results were the same with one exception.  With the 2.0
 code, and the DumpIt memory dump, I got the following:
 Volatile Systems Volatility Framework 2.0
 Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (memory.raw)
                      PAE type : No PAE
 But if I try to run another command with --profile=Win7SP0x64 I get:
 Volatile Systems Volatility Framework 2.0
 ERROR   : volatility.addrspace: Invalid profile Win7SP0x64 selected
 I'm just wondering if there's something funky with my Volatility
 installation, or if there could be something I need to check in our 7
 build that could be causing this.
 Thanks ahead of time,
 Tom
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
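As an added example (not code from this thread or from the Volatility project), the imageinfo-then-pslist workflow MHL describes above, automated: parse the `imageinfo` output quoted in the thread for the suggested profiles, handling the mail-wrapped profile line and the "No suggestion" case, and build the `python vol.py -f <image> pslist --profile=<profile>` argv for each candidate. The rule that skips x64 profiles on a 2.0 build reflects MHL's note that 2.0 identified but could not analyze x64 images; the sample outputs are constructed copies of what the thread quotes.

```python
import re
# Constructed samples, copied from the imageinfo output quoted in this thread,
# including the e-mail line wraps inside the "Suggested Profile(s)" value.
IMAGEINFO_21_X64 = """Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64,
Win2008R2SP1x64, Win2008R2SP0x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
"""
IMAGEINFO_20_X64 = """Volatile Systems Volatility Framework 2.0
          Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
                     AS Layer1 : FileAddressSpace (memory.raw)
"""
IMAGEINFO_NONE = """Volatile Systems Volatility Framework 2.0
          Suggested Profile(s) : No suggestion (Instantiated with no
profile)
                     AS Layer1 : FileAddressSpace (memory.bin)
"""

def parse_imageinfo(text):
    """Return (framework version, [suggested profiles]) from imageinfo output."""
    version, profiles, lines = None, [], text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"Volatile Systems Volatility Framework (\S+)", line)
        if m:
            version = m.group(1)
        key, _, value = line.partition(":")
        if key.strip() != "Suggested Profile(s)":
            continue
        # Mail clients wrap long lines: glue lines without a "key : value"
        # colon back onto the profile list before splitting it.
        j = i + 1
        while j < len(lines) and ":" not in lines[j]:
            value += " " + lines[j].strip()
            j += 1
        if not value.strip().startswith("No suggestion"):
            value = re.sub(r"\(.*?\)", "", value)  # drop "(Instantiated ...)"
            profiles = [p for p in re.split(r"\s*,\s*", value.strip()) if p]
    return version, profiles

def plan_commands(image_path, imageinfo_text):
    """Build the pslist argv to run for each suggested profile (thread's command form)."""
    version, profiles = parse_imageinfo(imageinfo_text)
    # Volatility 2.0 names x64 profiles but rejects them ("Invalid profile ...
    # selected"), so those dumps need the 2.1 alpha branch instead.
    if version and version.startswith("2.0") and any(p.endswith("x64") for p in profiles):
        return []
    return [["python", "vol.py", "-f", image_path, "pslist", "--profile=" + p]
            for p in profiles]
```

An empty plan means either imageinfo found no KDBG-based suggestion (as in Tom's E01-converted dumps) or the build in use cannot analyze the suggested profiles.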