11:22 a.m.
I imaged a live Win7 32bit system 3gb just now with both ftkimager and winen and when I
try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure
prohibited. If received in error, please go to www.td.com/legal for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation
interdites sans permission. Si reçu par erreur, prière d'aller au
www.td.com/francais/avis_juridique pour des instructions.
12:24 p.m.
Armet,
What was your full command line used to produce the hang? If you'd like to
try an older version of volatility, that would be a good idea as well - the
2.1 and 2.0 releases are available here:
http://code.google.com/p/volatility/downloads/list.
Thanks,
MHL
On Tue, Aug 14, 2012 at 11:22 AM, Armet, Lee <Lee.Armet(a)td.com> wrote:
I imaged a live Win7 32bit system 3gb just now with
both ftkimager and
winen and when I try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global
Security & Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
NOTICE: Confidential message which may be privileged. Unauthorized
use/disclosure prohibited. If received in error, please go to
www.td.com/legal for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié.
Utilisation/divulgation interdites sans permission. Si reçu par erreur,
prière d'aller au www.td.com/francais/avis_juridique pour des
instructions.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:33 p.m.
It turns out I am just impatient! I waited at least ten minutes and nothing. However to
answer your question:
Vol.py -f /cases/memdump.mem imageinfo > 1.imaginfo
I do it this way so I know what modules I've run and in which order.
Thanks, Michael.
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Tuesday, August 14, 2012 12:24 PM
To: Armet, Lee
Cc: Vol-users(a)volatilesystems.com <Vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Problem with 2.2_alpha
Armet,
What was your full command line used to produce the hang? If you'd like to try an
older version of volatility, that would be a good idea as well - the 2.1 and 2.0 releases
are available here: http://code.google.com/p/volatility/downloads/list.
Thanks,
MHL
On Tue, Aug 14, 2012 at 11:22 AM, Armet, Lee
<Lee.Armet@td.com<mailto:Lee.Armet@td.com>> wrote:
I imaged a live Win7 32bit system 3gb just now with both ftkimager and winen and when I
try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855<tel:%28416%29%20982-6855> | M: (647)
242-0002<tel:%28647%29%20242-0002>
NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure
prohibited. If received in error, please go to
www.td.com/legal<http://www.td.com/legal> for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation
interdites sans permission. Si reçu par erreur, prière d'aller au
www.td.com/francais/avis_juridique<http://www.td.com/francais/avis_jurid… pour
des instructions.
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com<mailto:Vol-users@volatilesystems.com>
http://lists.volatilesystems.com/mailman/listinfo/vol-users
12:39 p.m.
Word.
The purpose of imageinfo is you help you pick a profile to use for an
unknown memory dump. Since you already know its Win7 32bit you can just
supply --profile=Win7SP0x86 (or Win7SP1x86) and everything will be super
quick.
MHL
On Tue, Aug 14, 2012 at 12:33 PM, Armet, Lee <Lee.Armet(a)td.com> wrote:
It turns out I am just impatient! I waited at least
ten minutes and
nothing. However to answer your question:
Vol.py -f /cases/memdump.mem imageinfo > 1.imaginfo
I do it this way so I know what modules I've run and in which order.
Thanks, Michael.
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global
Security & Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
*From*: Michael Hale Ligh [mailto:michael.hale@gmail.com]
*Sent*: Tuesday, August 14, 2012 12:24 PM
*To*: Armet, Lee
*Cc*: Vol-users(a)volatilityfoundation.org <Vol-users(a)volatilityfoundation.org>
*Subject*: Re: [Vol-users] Problem with 2.2_alpha
Armet,
What was your full command line used to produce the hang? If you'd like to
try an older version of volatility, that would be a good idea as well - the
2.1 and 2.0 releases are available here:
http://code.google.com/p/volatility/downloads/list.
Thanks,
MHL
On Tue, Aug 14, 2012 at 11:22 AM, Armet, Lee <Lee.Armet(a)td.com> wrote:
I imaged a live Win7 32bit system 3gb just now
with both ftkimager and
winen and when I try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global
Security & Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
NOTICE: Confidential message which may be privileged. Unauthorized
use/disclosure prohibited. If received in error, please go to
www.td.com/legal for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié.
Utilisation/divulgation interdites sans permission. Si reçu par erreur,
prière d'aller au www.td.com/francais/avis_juridique pour des
instructions.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:19 p.m.
I'm just conditioned to do imageinfo first, all the time. You'd think I got paid
by the hour (I don't - just do the same thing every time.
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855 | M: (647) 242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Tuesday, August 14, 2012 12:39 PM
To: Armet, Lee
Cc: Vol-users(a)volatilesystems.com <Vol-users(a)volatilesystems.com>
Subject: Re: [Vol-users] Problem with 2.2_alpha
Word.
The purpose of imageinfo is you help you pick a profile to use for an unknown memory dump.
Since you already know its Win7 32bit you can just supply --profile=Win7SP0x86 (or
Win7SP1x86) and everything will be super quick.
MHL
On Tue, Aug 14, 2012 at 12:33 PM, Armet, Lee
<Lee.Armet@td.com<mailto:Lee.Armet@td.com>> wrote:
It turns out I am just impatient! I waited at least ten minutes and nothing. However to
answer your question:
Vol.py -f /cases/memdump.mem imageinfo > 1.imaginfo
I do it this way so I know what modules I've run and in which order.
Thanks, Michael.
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855<tel:%28416%29%20982-6855> | M: (647)
242-0002<tel:%28647%29%20242-0002>
From: Michael Hale Ligh
[mailto:michael.hale@gmail.com<mailto:michael.hale@gmail.com>]
Sent: Tuesday, August 14, 2012 12:24 PM
To: Armet, Lee
Cc: Vol-users@volatilesystems.com<mailto:Vol-users@volatilesystems.com>
<Vol-users@volatilesystems.com<mailto:Vol-users@volatilesystems.com>>
Subject: Re: [Vol-users] Problem with 2.2_alpha
Armet,
What was your full command line used to produce the hang? If you'd like to try an
older version of volatility, that would be a good idea as well - the 2.1 and 2.0 releases
are available here: http://code.google.com/p/volatility/downloads/list.
Thanks,
MHL
On Tue, Aug 14, 2012 at 11:22 AM, Armet, Lee
<Lee.Armet@td.com<mailto:Lee.Armet@td.com>> wrote:
I imaged a live Win7 32bit system 3gb just now with both ftkimager and winen and when I
try to analyse the ram vol just hangs and hangs.
The memory acquisition seemed to complete without error.
Should I use an older version of vol?
Regards,
Lee Armet | Senior Investigator, Forensic Technology Services| Global Security &
Investigations | TD Bank Group
T: (416) 982-6855<tel:%28416%29%20982-6855> | M: (647)
242-0002<tel:%28647%29%20242-0002>
NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure
prohibited. If received in error, please go to
www.td.com/legal<http://www.td.com/legal> for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation
interdites sans permission. Si reçu par erreur, prière d'aller au
www.td.com/francais/avis_juridique<http://www.td.com/francais/avis_jurid… pour
des instructions.
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com<mailto:Vol-users@volatilesystems.com>
http://lists.volatilesystems.com/mailman/listinfo/vol-users
4475
days inactive
4475
days old
vol-users@lists.volatilityfoundation.org
4 comments
2 participants
participants (2)
-
Armet, Lee -
Michael Hale Ligh