Thanks Mike!
HaHa! I was searching a memory image with Encase. Encase gave me a decimal offset into the
memory image.
For some reason I thought I had to convert it to hex. Looks like the joke was on me!
Works great, thanks for pointing out my error!
BTW, what is "... using -td, ..."? I don't see -td mentioned in -h or the
docs online.
I'm using http://code.google.com/p/volatility/wiki/CommandReference and the -h
command, are there more docs somewhere else I need to be looking at?
Does anyone live in Houston?
Best,
Mike
Date: Sat, 4 Feb 2012 23:46:29 +0000
From: mike.auty(a)gmail.com
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] what is at that address
Hiya Mike,
On 04/02/12 23:00, Mike Lambert wrote:
> My string input file (120129Nbivevokoxa.txt)
> looks like this
> 192480a0:Nbivevokoxa
I'm afraid the strings plugin only accepts decimal offsets, rather than
hexadecimal offsets. Please run strings using -td, or just change your
one example to "421822624:Nbivevokoxa"...
Mike
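The offset conversion discussed in this thread, as an added example that is not part of the original messages or of Volatility: it rewrites a strings file whose offsets are hexadecimal into the decimal `offset:string` form shown above (`-t d` is the `strings` utility's option for printing offsets in decimal). The function name and all sample lines except the one quoted in the thread are constructed, and the accepted input forms (`offset:string` and `offset string`) are an assumption.

```python
import re

# Offset, then ':' or whitespace, then the string (which may itself contain ':' or spaces).
_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)(?::|\s+)(.*)$")


def to_decimal_offsets(lines, base=16):
    """Return (converted, rejected) for an iterable of strings-file lines.

    base is the radix the offsets are currently written in. It has to be
    stated explicitly: a value such as 19248000 is valid in both radices,
    so it cannot be guessed from the digits.
    converted: list of 'decimal_offset:string'
    rejected:  list of (line_number, text) that could not be parsed in that radix
    """
    converted, rejected = [], []
    for lineno, raw in enumerate(lines, 1):
        text = raw.rstrip("\r\n")
        if not text.strip():
            continue  # skip blank lines
        match = _LINE.match(text)
        if match is None:
            rejected.append((lineno, text))
            continue
        try:
            offset = int(match.group(1), base)
        except ValueError:
            # e.g. hex digits present while base=10 was claimed
            rejected.append((lineno, text))
            continue
        converted.append(f"{offset}:{match.group(2)}")
    return converted, rejected


# Constructed sample input; only the first line comes from the thread.
SAMPLE = [
    "192480a0:Nbivevokoxa",
    "  1f00 http://example.test/a b",  # whitespace-separated, string contains ':'
    "no offset on this line",
]

if __name__ == "__main__":
    good, bad = to_decimal_offsets(SAMPLE, base=16)
    print("\n".join(good))
    for lineno, text in bad:
        print(f"line {lineno} skipped: {text!r}")
```

Passing `base=10` over a file that actually holds hex offsets puts every line containing a-f digits in `rejected`, which is a quick way to spot the mix-up before handing the file to the plugin.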