I am trying to use printkey against a Windows XP image and keep getting an error when I use printkey. I have also provided the commands I used for hivescan and hivelist, which work great, but printkey does not. Does anyone have any suggestions as to why? I initially thought it was because it was SP3, so I ran the same plugins against the xp-laptop-2005-06-25.img that was suggested to use in Brendan's guide, but I get the same results. Anyone have any thoughts as to why?


Mark Morgan
702-942-2556

morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Offset (hex)
181006344 0xac9f008
181033824 0xaca5b60
189972488 0xb52c008
202671368 0xc148508
544586592 0x2075bb60
642878304 0x26518b60
643895304 0x26611008
678736920 0x2874b418
740933640 0x2c29c008
742706016 0x2c44cb60
789179232 0x2f09eb60
798029088 0x2f90f520
1107776776 0x42075508
1874516240 0x6fbad910


morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
Address Name
0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe4f8eb60 \WINDOWS\system32\config\SAM
0xe77b9b60 \WINDOWS\system32\config\SECURITY
0xe77cd008 \WINDOWS\system32\config\SOFTWARE
0xe77ca418 \WINDOWS\system32\config\DEFAULT
0xe18b6008 [no name]
0xe1035b60 \WINDOWS\system32\config\SYSTEM
0xe102e008 [no name]


morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
Key name: [9252] (Stable)
Last updated: Wed Jul 29 02:08:26 2009
Subkeys:
Traceback (most recent call last):
  File "./volatility", line 219, in <module>
    main()
  File "./volatility", line 215, in main
    command.execute()
  File "memory_plugins/registry/printkey.py", line 97, in execute
    for s in subkeys(key):
  File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
    s.is_valid() and s.Signature == NK_SIG]
AttributeError: 'int' object has no attribute 'is_valid'


morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
Image Type: Service Pack 3
VM Type: pae
DTB: 0x33e000
Datetime: Tue Aug 04 11:02:35 2009