Thanks Mike!
HaHa! I was searching a memory image with Encase. Encase gave me a decimal offset into the memory image.
For some reason I thought I had to convert it to hex. Looks like the joke was on me!
Works great, thanks for pointing out my error!
BTW, what is "... using -td, ..."? I don't see -td mentioned in -h or the docs online.
I'm using http://code.google.com/p/volatility/wiki/CommandReference and the -h command. Are there more docs somewhere else I need to be looking at?
Does anyone live in Houston?
Best,
Mike
> Date: Sat, 4 Feb 2012 23:46:29 +0000
> From: mike.auty@gmail.com
> To: vol-users@volatilesystems.com
> Subject: Re: [Vol-users] what is at that address
>
> Hiya Mike,
>
> On 04/02/12 23:00, Mike Lambert wrote:
> > My string input file (120129Nbivevokoxa.txt ) looks like this
> > 192480a0:Nbivevokoxa
>
> I'm afraid the strings plugin only accepts decimal offsets, rather than
> hexadecimal offsets. Please run strings using -td, or just change your
> one example to "421822624:Nbivevokoxa"...
>
> Mike
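The offset mix-up discussed in this thread can be caught before the file reaches the strings plugin. The following is an added example, not code from the thread or from the Volatility project: it rewrites a strings input file into the `decimal_offset:string` form quoted in the reply. The function names and sample lines are constructed for illustration, and it assumes the space-separated layout that `strings -td` prints.

```python
import re

# Offset (optional 0x prefix), then ':' or whitespace, then the string itself.
# The string may contain ':' so only the first separator is consumed.
LINE_RE = re.compile(r"^\s*(0[xX])?([0-9A-Fa-f]+)(?::|\s+)(.*)$")


def parse(line, assume_hex=False):
    """Return (decimal_offset, string, was_hex) for one line of a strings file.

    An offset is treated as hex when it has a 0x prefix, contains a-f, or
    when assume_hex is set (needed for hex offsets such as 19248000 that
    happen to contain only decimal digits and cannot be told apart).
    """
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"no offset found in line: {line!r}")
    prefix, digits, text = m.groups()
    was_hex = bool(prefix) or assume_hex or not digits.isdigit()
    return int(digits, 16 if was_hex else 10), text, was_hex


def normalize(lines, assume_hex=False):
    """Rewrite all non-blank lines as 'decimal:string'.

    Also returns the 1-based numbers of lines whose offset was read as hex,
    so the examiner can confirm the conversion was intended.
    """
    out, hex_lines = [], []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        offset, text, was_hex = parse(line, assume_hex)
        out.append(f"{offset}:{text}")
        if was_hex:
            hex_lines.append(number)
    return out, hex_lines


# Constructed sample input: the hex line from the thread, a line in the
# layout printed by `strings -td`, and a prefixed offset with ':' in the string.
SAMPLE = [
    "192480a0:Nbivevokoxa\n",
    "  421822624 Nbivevokoxa\n",
    "0x192480A0:key:value\n",
]

if __name__ == "__main__":
    fixed, flagged = normalize(SAMPLE)
    print("\n".join(fixed))
    print("lines converted from hex:", flagged)
```

An all-digit offset is read as decimal unless `assume_hex=True` is passed, so a file known to hold hex offsets throughout should be converted with that flag set.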