I do not have the beta branch. Where do you get that version? Mark On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette(a)gmail.com> wrote:

Michael thanks for the info. I got past that little problem but have one problem when I am processing the image using the regripper through volatility. I downloaded the latest volreg and volrip into the latest svn version. I ran the following command: root@morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin@0xe1035b60 -f system And I get the following errror: Traceback (most recent call last): File "<string>", line 1, in <module> ImportError: No module named vtypes Error -- py_eval raised an exception at rip.pl line 21. Have I left something out or am I simply missing a step?/ Mark On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen &lt;scudette(a)gmail.com&gt; wrote:

Michael I fixed the directory structure but now I am getting segmentation fault. morgan/Memory\ Images/PhysicalMemory.bin@0xe1035b60 -f system Parsed Plugins file. Launching compname v.20080324 Segmentation fault Mark On Wed, Jan 27, 2010 at 10:01 AM, Michael Hale Ligh &lt;michael.hale(a)gmail.com&gt;wrote:

Brendan I went and downloaded the Volatility1.3.2 version using svn and reloaded all the plugins from there to include the regripper plugins. I can get the printkey to work but the rip.pl still gives me a segmentation fault. I have included all the errors I have received based on the advice given: root@morgan-laptop:/digitalforensics/Volatility-1.3.2# perl rip.pl -r /home/morgan/Memory\ Images/xp-laptop-2005-06-25.img@0xe1035b60 -f system Parsed Plugins file. Launching compname v.20080324 Segmentation fault root@morgan-laptop:/digitalforensics/Volatility-1.3.2# gdb perl GNU gdb (GDB) 7.0-ubuntu Copyright (C) 2009 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i486-linux-gnu". For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>... Reading symbols from /usr/bin/perl...(no debugging symbols found)...done. (gdb) r rip.pl -r /home/morgan/Memory Images/PhysicalMemory.bin@0xe1035b60-f system Starting program: /usr/bin/perl rip.pl -r /home/morgan/Memory Images/PhysicalMemory.bin@0xe1035b60 -f system [Thread debugging using libthread_db enabled] Parsed Plugins file. Launching compname v.20080324 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in compname: Error -- PyObject_CallObject(...) failed. compname complete. ---------------------------------------- Launching shutdown v.20080324 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in shutdown: Error -- PyObject_CallObject(...) failed. shutdown complete. ---------------------------------------- Launching shutdowncount v.20080709 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in shutdowncount: Error -- PyObject_CallObject(...) failed. shutdowncount complete. ---------------------------------------- Launching timezone v.20080324 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in timezone: Error -- PyObject_CallObject(...) failed. timezone complete. ---------------------------------------- Launching termserv v.20080418 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in termserv: Error -- PyObject_CallObject(...) failed. termserv complete. ---------------------------------------- Launching mountdev v.20080324 mountdev v.20080324 Get MountedDevices key information from the System hive file. Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in mountdev: Error -- PyObject_CallObject(...) failed. mountdev complete. ---------------------------------------- Launching network v.20080324 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in network: Error -- PyObject_CallObject(...) failed. network complete. ---------------------------------------- Launching nic_mst2 v.20080324 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in nic_mst2: Error -- PyObject_CallObject(...) failed. nic_mst2 complete. ---------------------------------------- Launching fw_config v.20080328 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in fw_config: Error -- PyObject_CallObject(...) failed. fw_config complete. ---------------------------------------- Launching usbstor v.20080418 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in usbstor: Error -- PyObject_CallObject(...) failed. usbstor complete. ---------------------------------------- Launching devclass v.20080331 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in devclass: Error -- PyObject_CallObject(...) failed. devclass complete. ---------------------------------------- Launching ide v.20080418 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in ide: Error -- PyObject_CallObject(...) failed. ide complete. ---------------------------------------- Launching shares v.200800420 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in shares: Error -- PyObject_CallObject(...) failed. shares complete. ---------------------------------------- Launching svc v.20080610 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in svc: Error -- PyObject_CallObject(...) failed. svc complete. ---------------------------------------- Launching imagedev v.20080730 Error: Python error occurred: Traceback (most recent call last): File "regwrap.py", line 49, in __init__ fname,hive_addr = filename.rsplit('@',1) ValueError: need more than 1 value to unpack Error in imagedev: Error -- PyObject_CallObject(...) failed. imagedev complete. ---------------------------------------- Program exited normally. (gdb) bt No stack. (gdb) exit Undefined command: "exit". Try "help". (gdb) ^CxQuit (gdb) quit I also provided a complete listing of my Volatility directory to include sub-directories for you. Attached as a txt doc. Any help will be appreciated. Mark On Wed, Jan 27, 2010 at 10:22 PM, Brendan Dolan-Gavitt < bdolangavitt(a)wesleyan.edu&gt; wrote: > Hi, > As far as I know VolRip does not currently work with 1.4. It was developed > for 1.3, and should be working on that version. I've seen two things cause > the error you saw originally: > 1. Not having the volreg tarball unpacked correctly. In particular, make > sure memory_objects/Windows/registry.py exists. > 2. Several months ago, there was a bug in 1.3 that prevented custom object > behaviors from working correctly, which could also cause the error you saw. > If you happened to pull a version from SVN at that point, you could run into > trouble. > Could you try the following? > 1. Get the latest version of 1.3: > svn checkout http://volatility.googlecode.com/svn/trunk/Volatility > 2. Unpack VolReg into the Volatility directory > 3. Unpack VolRip into the Volatility directory > 4. Run the following on the xp-laptop-2005-06-25.img image (available from > NIST): > python volatility printkey -o 0xe1035b60 -f > /home/moyix/mem-images/xp-laptop-2005-06-25.img > You should get a listing of the keys in the SYSTEM hive. If any of these > steps fail, write back and let me know where and how, and we can go from > there. > Thanks, > Brendan Dolan-Gavitt > On Jan 27, 2010, at 1:12 PM, Mark Morgan wrote: > Michael I fixed the directory structure but now I am getting segmentation > fault. > morgan/Memory\ Images/PhysicalMemory.bin@0xe1035b60 -f system > Parsed Plugins file. > Launching compname v.20080324 > Segmentation fault > Mark > On Wed, Jan 27, 2010 at 10:01 AM, Michael Hale Ligh < > michael.hale(a)gmail.com&gt; wrote: >> Hey Mark, >>> Do you have the following directory structure? >>> $VOLHOME/volatility >> $VOLHOME/rip.pl >> $VOLHOME/vtypes.py >> $VOLHOME/rrplugins >> $VOLHOME/regwrap.py >>> vtypes.py should be in the same directory as rip.pl but according to your >> output, rip.pl can't find vtypes.py. >>> MHL >>> On Wed, Jan 27, 2010 at 12:53 PM, Mark Morgan &lt;mark.morgan47(a)gmail.com&gt;wrote: >>>> Michael thanks for the info. I got past that little problem but have one >>> problem when I am processing the image using the regripper through >>> volatility. I downloaded the latest volreg and volrip into the latest svn >>> version. I ran the following command: >>>>> root@morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl-r /home/morgan/Memory\Images\PhysicalMemory.bin@0xe1035b60-f system >>>>> And I get the following errror: >>>>>>> Traceback (most recent call last): >>> File "<string>", line 1, in <module>>> ImportError: No module named vtypes >>> Error -- py_eval raised an exception at rip.pl line 21. >>>>> Have I left something out or am I simply missing a step?/ >>>>> Mark >>>>>>>>>>>>> On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen &lt;scudette(a)gmail.com&gt;wrote: >>>>>> Mark, >>>> The following will check out all branches (including experimental): >>>>>>> svn checkout http://volatility.googlecode.com/svn/ volatility >>>>>>> Michael. >>>>>>> On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan &lt;mark.morgan47(a)gmail.com>>>> wrote: >>>> > I do not have the beta branch. Where do you get that version? >>>> >>>> > Mark >>>> >>>> >>>> > On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen &lt;scudette(a)gmail.com>>>> wrote: >>>> >>>>> >> Mark, >>>> >> Are you getting the same bug with the 1.4beta branch? We have >>>> >> rewritten much of the object framework. It looks like its passing an >>>> >> int rather than an object somewhere here. >>>> >>>>> >> Michael. >>>> >>>>> >> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan < >>>> mark.morgan47(a)gmail.com>>>> >> wrote: >>>> >> > I am trying to use printkey against a Windows XP image and keep >>>> getting >>>> >> > an >>>> >> > error when I use printkey. I have also provided the commands I >>>> used for >>>> >> > hivescan and hivelist which work great but printkey does not. Does >>>> >> > anyone >>>> >> > have any suggestions as to why. I initially thought it was because >>>> it >>>> >> > was >>>> >> > SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img >>>> that >>>> >> > was >>>> >> > suggested to use in Brendan's guide but I get the same results. >>>> Anyone >>>> >> > have >>>> >> > any thoughts as to why??? >>>> >> >>>> >> >>>> >> > Mark Morgan >>>> >> > 702-942-2556 >>>> >> >>>> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ >>>> ./volatility >>>> >> > hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin >>>> >> >>>> >> > Offset (hex) >>>> >> >>>> >> > 181006344 0xac9f008 >>>> >> >>>> >> > 181033824 0xaca5b60 >>>> >> >>>> >> > 189972488 0xb52c008 >>>> >> >>>> >> > 202671368 0xc148508 >>>> >> >>>> >> > 544586592 0x2075bb60 >>>> >> >>>> >> > 642878304 0x26518b60 >>>> >> >>>> >> > 643895304 0x26611008 >>>> >> >>>> >> > 678736920 0x2874b418 >>>> >> >>>> >> > 740933640 0x2c29c008 >>>> >> >>>> >> > 742706016 0x2c44cb60 >>>> >> >>>> >> > 789179232 0x2f09eb60 >>>> >> >>>> >> > 798029088 0x2f90f520 >>>> >> >>>> >> > 1107776776 0x42075508 >>>> >> >>>> >> > 1874516240 0x6fbad910 >>>> >> >>>> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ >>>> ./volatility >>>> >> > hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o >>>> 0xac9f008 >>>> >> >>>> >> > Address Name >>>> >> >>>> >> > 0xe6348910 \Documents and Settings\144553\Local >>>> Settings\Application >>>> >> > Data\Microsoft\Windows\UsrClass.dat >>>> >> >>>> >> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT >>>> >> >>>> >> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local >>>> >> > Settings\Application >>>> >> > Data\Microsoft\Windows\UsrClass.dat >>>> >> >>>> >> > 0xe1895520 \Documents and Settings\LocalService\Local >>>> >> > Settings\Application >>>> >> > Data\Microsoft\Windows\UsrClass.dat >>>> >> >>>> >> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT >>>> >> >>>> >> > 0xe1396008 \Documents and Settings\NetworkService\Local >>>> >> > Settings\Application >>>> >> > Data\Microsoft\Windows\UsrClass.dat >>>> >> >>>> >> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT >>>> >> >>>> >> > 0xe4f8eb60 \WINDOWS\system32\config\SAM >>>> >> >>>> >> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY >>>> >> >>>> >> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE >>>> >> >>>> >> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT >>>> >> >>>> >> > 0xe18b6008 [no name] >>>> >> >>>> >> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM >>>> >> >>>> >> > 0xe102e008 [no name] >>>> >> >>>> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ >>>> ./volatility >>>> >> > printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o >>>> 0xe1035b60 >>>> >> >>>> >> > Key name: [9252] (Stable) >>>> >> >>>> >> > Last updated: Wed Jul 29 02:08:26 2009 >>>> >> >>>> >> > Subkeys: >>>> >> >>>> >> > Traceback (most recent call last): >>>> >> >>>> >> > File "./volatility", line 219, in <module>>>> >> >>>> >> > main() >>>> >> >>>> >> > File "./volatility", line 215, in main >>>> >> >>>> >> > command.execute() >>>> >> >>>> >> > File "memory_plugins/registry/printkey.py", line 97, in execute >>>> >> >>>> >> > for s in subkeys(key): >>>> >> >>>> >> > File >>>> "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", >>>> >> > line >>>> >> > 144, in subkeys >>>> >> >>>> >> > s.is_valid() and s.Signature == NK_SIG] >>>> >> >>>> >> > AttributeError: 'int' object has no attribute 'is_valid' >>>> >> >>>> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ >>>> ./volatility >>>> >> > ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin >>>> >> >>>> >> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin >>>> >> >>>> >> > Image Type: Service Pack 3 >>>> >> >>>> >> > VM Type: pae >>>> >> >>>> >> > DTB: 0x33e000 >>>> >> >>>> >> > Datetime: Tue Aug 04 11:02:35 2009 >>>> >> >>>> >> > _______________________________________________ >>>> >> > Vol-users mailing list >>>> >> > Vol-users(a)volatilityfoundation.org >>>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>> >> >>>> >> >>>> >>>> >>>>>>>>>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilityfoundation.org >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>>>> _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Mark, AFAIK the regripper stuff was written for use with vol1.3 branch. I dont know if it works with 1.4 beta. We converted the basic functions to vol1.4 - i.e. you can look at keys, list them etc, but im not sure about the perl/python interface - i suspect thats what causing the segfault. I think I was toying with the notion of writing regripper in python but I was not that motivated :-) To make sure what is crashing, run gdb perl then type "r rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin@0xe1035b60 -f system" to run it. when it segfaults you can type bt to show a backtrace or dump core. which unfortunately stemmed from basic design flaws in perl and so probably that would never be more useful than a mere toy POC. The biggest problem I think was that perl has this stupid concept of a function called in list or string context which allows it to behave completely differently in each case. When binding a normal language to perl code it is impossible to predict which context the perl function expects to get called in and how to map that to a normal function call. There might have been other problems im not sure. Hope this helps, Michael. On Thu, Jan 28, 2010 at 4:53 AM, Mark Morgan &lt;mark.morgan47(a)gmail.com&gt; wrote: