11:53 a.m.
Hey all,
So far I am unable to get hivedump to work specifying an offset in
either interactive or non-interactive mode:
Offset(V) Offset(P) Name
0xe1036b60 0x4948ab60
\Device\HarddiskVolume1\Windows\system32\config\SYSTEM @ 0xe1036b60
./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump -o
0xe1036b60
**************************************************
Hive -
Last Written Key
------------------------ ---
ERROR:root:Error: invalid literal for int() with base 10: 'x'
ERROR:root:invalid literal for int() with base 10: 'x'. Try --debug for
more information.
Not specifying an offset works however:
./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump
**************************************************
Hive \Device\HarddiskVolume1\Documents and Settings\ACS\NTUSER.DAT @
0xe1452b60
Last Written Key
------------------------ ---
2013-04-10 18:32:35+0000
CMILoadedHive-{D6ED518C-64C9-49F9-A016-8B8A7E2C051E}/AppEvents
...
Any hints on what I could be doing wrong? Thank you.
James
2:41 p.m.
Hi James,
Thanks for testing. The hivedump plugin was not accepting hex encoded
offsets (integers would have probably worked) so it got confused by the
0xe1036b60.
I have just pushed a fix that makes it also accept offsets in hex which
should fix the issue.
Thanks,
Michael
On 15 April 2013 17:53, James Lay <jlay(a)slave-tothe-box.net> wrote:
Hey all,
So far I am unable to get hivedump to work specifying an offset in either
interactive or non-interactive mode:
Offset(V) Offset(P) Name
0xe1036b60 0x4948ab60 \Device\HarddiskVolume1\**Windows\system32\config\SYSTEM
@ 0xe1036b60
./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump -o
0xe1036b60
****************************************************
Hive -
Last Written Key
------------------------ ---
ERROR:root:Error: invalid literal for int() with base 10: 'x'
ERROR:root:invalid literal for int() with base 10: 'x'. Try --debug for
more information.
Not specifying an offset works however:
./vol.py --profile=WinXPSP3x86 -f ../20130412-194645.raw hivedump
****************************************************
Hive \Device\HarddiskVolume1\**Documents and Settings\ACS\NTUSER.DAT @
0xe1452b60
Last Written Key
------------------------ ---
2013-04-10 18:32:35+0000 CMILoadedHive-{D6ED518C-64C9-**
49F9-A016-8B8A7E2C051E}/**AppEvents
...
Any hints on what I could be doing wrong? Thank you.
James
______________________________**_________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
3:44 p.m.
On 2013-04-15 12:41, Michael Cohen wrote:
Hi James,
Thanks for testing. The hivedump plugin was not accepting hex
encoded offsets (integers would have probably worked) so it got
confused by the 0xe1036b60.
I have just pushed a fix that makes it also accept offsets in hex
which should fix the issue.
Thanks,
Michael
Thanks for the quick fix Michael. Is it on:
https://code.google.com/p/volatility/downloads/list
yet? Thanks again.
James
3:26 a.m.
Hiya James,
It looks like you're providing the offset in hex format, but from the
error message, it appears it's expecting the offset value to be in
decimal. I'd try converting the value and seeing whether that helps or
not...
Mike 5:)
4231
days inactive
4231
days old
vol-users@lists.volatilityfoundation.org
3 comments
3 participants
participants (3)
-
James Lay -
Michael Cohen -
Mike Auty