Hello Jamie,
Apologies for the delayed response. Had a short break with family.
I tried using the dumpfiles plugin as per your advice. It turned out to work against WinXP,
but seemingly not against Win7SP1x86. Is this a known limitation?
Thanks again mate.
Regards,
Roger
On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote:
Today's Topics:
1. dumping registry hive(s) from memory image (Roger)
2. Re: dumping registry hive(s) from memory image (Jamie Levy)
----------------------------------------------------------------------
Message: 1
Date: Mon, 17 Feb 2014 16:53:01 +1100
From: Roger <roger.franklin67(a)gmail.com>
Subject: [Vol-users] dumping registry hive(s) from memory image
To: "vol-users(a)volatilityfoundation.org"
<vol-users(a)volatilityfoundation.org>
Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com>
Content-Type: text/plain; charset=us-ascii
I've been trying to get/dump a copy of a certain registry hive from the memory.
Managed to list down their offsets using hivelist plugin but unable to find ways of
dumping them to files. My intention is to load it to other tools such as regripper as
input/target registry files.
Has anyone found a way of doing it?
Thank you very much in advance.
Kind regards,
Roger
------------------------------
Message: 2
Date: Mon, 17 Feb 2014 10:22:32 -0500
From: Jamie Levy <jamie.levy(a)gmail.com>
Subject: Re: [Vol-users] dumping registry hive(s) from memory image
To: vol-users(a)volatilityfoundation.org
Message-ID: <53022938.4040302(a)gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi Roger,
Try using the dumpfiles plugin:
http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
You can use an example similar to the event logs one in order to dump
the registry file. Let me know if you need help.
All the best,
-Jamie
On 2/17/2014 12:53 AM, Roger wrote:
I've been trying to get/dump a copy of a
certain registry hive from the memory. Managed to list down their offsets using hivelist
plugin but unable to find ways of dumping them to files. My intention is to load it to
other tools such as regripper as input/target registry files.
Has anyone found a way of doing it?
Thank you very much in advance.
Kind regards,
Roger
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jamie Levy (@gleeda)
Blog:
http://volatility-labs.blogspot.com/
GPG:
http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
------------------------------
End of Vol-users Digest, Vol 68, Issue 6
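The workflow Jamie points to, as an added example that is not code from the list messages or from the Volatility project: a POSIX shell script that builds the Volatility 2 hivelist and dumpfiles command lines for the registry hives and then checks every dumped file for the "regf" hive signature before it is handed to RegRipper, which is the check Roger's Win7 report calls for. Assumptions: Volatility 2.x with vol.py on PATH, placeholder image name (mem.raw), profile (Win7SP1x86) and dump directory, and a constructed sample dump directory standing in for real dumpfiles output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Volatility itself.
# Assumes Volatility 2.x with vol.py on PATH; image, profile and output
# directory are placeholders. The dumpfiles options used (--regex,
# --ignore-case, --name, --dump-dir) are the plugin's documented flags.

# Regex for the hive file objects worth recovering, matched case-insensitively
# against the cached file path. The offsets hivelist prints are _CMHIVE
# offsets, not the _FILE_OBJECT offsets that dumpfiles -Q expects, so the
# hives are selected by path instead, like the event-log example.
HIVE_RE='\\config\\(SYSTEM|SOFTWARE|SAM|SECURITY)$'

# Step 1: list the hives present in the image (what hivelist already gave).
build_hivelist_cmd() {
    printf 'vol.py -f %s --profile=%s hivelist\n' "$1" "$2"
}

# Step 2: dump the matching cached file objects into the output directory.
build_dumpfiles_cmd() {
    printf "vol.py -f %s --profile=%s dumpfiles --regex '%s' --ignore-case --name --dump-dir %s\n" \
        "$1" "$2" "$HIVE_RE" "$3"
}

# Step 3: a registry hive file starts with the 4-byte signature "regf". A dump
# that lacks it (for example all zeros because the cache held no usable pages)
# will not load in RegRipper, so check every file before use.
check_hive() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | tr -d '\000')
    [ "$magic" = "regf" ]
}

# Report each dumped file on stderr and print the number of usable hives.
count_valid_hives() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if check_hive "$f"; then
            echo "OK    $f" >&2
            n=$((n + 1))
        else
            echo "SKIP  $f (no regf signature)" >&2
        fi
    done
    echo "$n"
}

# Constructed sample directory standing in for dumpfiles output: one file
# carrying a hive signature and one that came back as zeros.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'regf' > "$d/file.None.0x1.SYSTEM.dat"
    dd if=/dev/zero of="$d/file.None.0x2.SOFTWARE.dat" bs=4 count=1 2>/dev/null
    echo "$d"
}

# Demo: print the two commands, then validate the constructed dump directory.
build_hivelist_cmd mem.raw Win7SP1x86
build_dumpfiles_cmd mem.raw Win7SP1x86 hives_out
sample=$(make_sample_dir)
echo "usable hives: $(count_valid_hives "$sample")"
```

Only files that pass the signature check are worth passing to RegRipper; a run in which every file is skipped means the cached file objects held no usable hive pages, which is the symptom Roger describes on Win7. In that case the registry can still be queried in memory with Volatility's printkey or hivedump plugins, although those print keys rather than producing a hive file that RegRipper can consume.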