-
I was trying to analyze a Mac memory sample using the following command:
```
$ python vol.py -vvvvvv -f /data.lime mac.pslist.PsList
```
The debug output stopped at:
```
Level 6 volatilit…
```
ilch1 updated
5 years ago
-
Win10 14393 changed the path structure of the registry. The current method of walking the ParentKCB members ends up duplicating the hive name (i.e., "SYSTEM", "SOFTWARE", etc. show up twice). One o…
-
Haven't investigated why yet, but the crash is below. I'm not sure if it has anything to do with me not specifying a key and/or hive offset yet, but:
```
$ python3 vol.py --single-location "file…
```
-
Seen on `win10-x86-1607-14393.lime` with `ntkrpamp/9619274AA03341AFACF0F40A6DFACA90-1`
```
5604 576 TrustedInstall 0x8c8f7c40 8 - 0 False 2016-09-11 10:18:09.000000 N/A
5644 664 TiWorker.exe 0…
```
-
Hiya,
I'm not sure if this is just a one-off for this kernel, or something deeper, but the main error is `Struct has no attribute: nt_symbols1!_MMVAD_FLAGS1.PrivateMemory` and the kernel in use is …
-
Something is broken in the way that we are recursing registry keys. I'm not sure if it's the recursion itself, or just the way the registry key path is appended just yet. For example:
```
2017-…
```