I'm just conditioned to do imageinfo first, all the time. You'd think I got paid
by the hour (I don't - just do the same thing every time).
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Tuesday, August 14, 2012 12:39 PM
To: Armet, Lee
Cc: Vol-users@volatilesystems.com
Subject: Re: [Vol-users] Problem with 2.2_alpha
Word.
The purpose of imageinfo is to help you pick a profile to use for an unknown memory dump.
Since you already know it's Win7 32-bit you can just supply --profile=Win7SP0x86 (or
Win7SP1x86) and everything will be super quick.
MHL
On Tue, Aug 14, 2012 at 12:33 PM, Armet, Lee <Lee.Armet@td.com> wrote:
It turns out I am just impatient! I waited at least ten minutes and nothing. However to
answer your question:
vol.py -f /cases/memdump.mem imageinfo > 1.imaginfo
I do it this way so I know what modules I've run and in which order.
Thanks, Michael.
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
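An added example, not code from the thread or from the Volatility project, tying together the two points above: supplying a known profile so imageinfo is skipped, and keeping a numbered record of which plugins ran and in which order. The wrapper name, the output directory /cases/out and the run log file are assumptions; vol.py is expected on PATH (override with VOL=...).

```shell
#!/bin/sh
# Added example (not from the thread): run Volatility 2.x plugins against a
# known-profile image and keep a numbered, logged record of each run.
# Assumptions: vol.py on PATH (override with VOL), CASE_DIR writable.
set -u

VOL="${VOL:-vol.py}"                 # Volatility entry point
IMAGE="${IMAGE:-/cases/memdump.mem}" # memory image named in the thread
PROFILE="${PROFILE:-Win7SP0x86}"     # known Win7 32-bit; Win7SP1x86 is the alternative
CASE_DIR="${CASE_DIR:-/cases/out}"   # assumed output directory

# run_plugin NAME [args...]: run one plugin with the fixed profile, write
# stdout to NN.NAME and stderr to NN.NAME.err, and append a timestamped
# line to runlog.txt so the order of plugins is documented.
run_plugin() {
    name="$1"; shift
    runlog="$CASE_DIR/runlog.txt"
    mkdir -p "$CASE_DIR"
    # sequence number = lines already in the run log + 1
    if [ -f "$runlog" ]; then n=$(wc -l < "$runlog"); else n=0; fi
    seq=$(printf '%02d' "$((n + 1))")
    out="$CASE_DIR/$seq.$name"
    "$VOL" -f "$IMAGE" --profile="$PROFILE" "$name" "$@" >"$out" 2>"$out.err"
    rc=$?
    printf '%s\t%s\t%s\t--profile=%s\trc=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$seq" "$name" "$PROFILE" "$rc" >>"$runlog"
    return "$rc"
}

# Usage: sh volrun.sh pslist psscan netscan   (plugin names as arguments)
for plugin in "$@"; do
    run_plugin "$plugin" || echo "plugin $plugin exited with rc=$?" >&2
done
```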
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Tuesday, August 14, 2012 12:24 PM
To: Armet, Lee
Cc: Vol-users@volatilesystems.com
Subject: Re: [Vol-users] Problem with 2.2_alpha
Armet,
What was your full command line used to produce the hang? If you'd like to try an
older version of volatility, that would be a good idea as well - the 2.1 and 2.0 releases
are available here:
http://code.google.com/p/volatility/downloads/list.
Thanks,
MHL
On Tue, Aug 14, 2012 at 11:22 AM, Armet, Lee <Lee.Armet@td.com> wrote:
I imaged a live Win7 32-bit system (3 GB) just now with both FTK Imager and winen, and when I
try to analyse the RAM, vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002