I do not have the beta branch. Where do you get that version?
Mark
On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette(a)gmail.com> wrote:
Mark,
Are you getting the same bug with the 1.4beta branch? We have
rewritten much of the object framework. It looks like it's passing an
int rather than an object somewhere here.
Michael.
On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47(a)gmail.com> wrote:
I am trying to use printkey against a Windows XP image and keep getting an
error when I use printkey. I have also provided the commands I used for
hivescan and hivelist which work great but printkey does not. Does anyone
have any suggestions as to why? I initially thought it was because it was
SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img that was
suggested to use in Brendan's guide but I get the same results. Anyone have
any thoughts as to why???
Mark Morgan
702-942-2556
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Offset (hex)
181006344 0xac9f008
181033824 0xaca5b60
189972488 0xb52c008
202671368 0xc148508
544586592 0x2075bb60
642878304 0x26518b60
643895304 0x26611008
678736920 0x2874b418
740933640 0x2c29c008
742706016 0x2c44cb60
789179232 0x2f09eb60
798029088 0x2f90f520
1107776776 0x42075508
1874516240 0x6fbad910
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
Address Name
0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
0xe4f8eb60 \WINDOWS\system32\config\SAM
0xe77b9b60 \WINDOWS\system32\config\SECURITY
0xe77cd008 \WINDOWS\system32\config\SOFTWARE
0xe77ca418 \WINDOWS\system32\config\DEFAULT
0xe18b6008 [no name]
0xe1035b60 \WINDOWS\system32\config\SYSTEM
0xe102e008 [no name]
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
Key name: [9252] (Stable)
Last updated: Wed Jul 29 02:08:26 2009
Subkeys:
Traceback (most recent call last):
  File "./volatility", line 219, in <module>
    main()
  File "./volatility", line 215, in main
    command.execute()
  File "memory_plugins/registry/printkey.py", line 97, in execute
    for s in subkeys(key):
  File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
    s.is_valid() and s.Signature == NK_SIG]
AttributeError: 'int' object has no attribute 'is_valid'
morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
Image Type: Service Pack 3
VM Type: pae
DTB: 0x33e000
Datetime: Tue Aug 04 11:02:35 2009
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users