search

ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
1 stars 0 forks source link

Error when using VOLATILITY_LOCATION enviromental variable #302

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. export VOLATILITY_LOCATION=/full/path/image.file
2. vol.py imageinfo
3.

What is the expected output? What do you see instead?
Expect to have the imageinfo plugin run, etc

What version of the product are you using? On what operating system?
Vol 2.1RC1 on Ubuntu 12 LTS, image is a 2008R2SP1x64 VMSS file

Please provide any additional information below.
root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_rc1
Offset(P)          Name                PID   PPID PDB                Time 
created         Time exited
------------------ ---------------- ------ ------ ------------------ 
-------------------- --------------------
No suitable address space mapping found  
Tried to open image as:
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space 
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Location is not of file scheme

root@Forensic-1:/case2/mem# echo $VOLATILITY_LOCATION
/case2/mem/myimage.vmss
root@Forensic-1:/case2/mem# unset VOLATILITY_LOCATION
root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_rc1
ERROR   : __main__            : Please specify a location (-l) or filename (-f)
root@Forensic-1:/case2/mem# vol.py --dtb=0x187000 -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_rc1
Offset(P)          Name                PID   PPID PDB                Time 
created         Time exited
------------------ ---------------- ------ ------ ------------------ 
-------------------- --------------------
0x0000000006107040 System                4      0 0x0000000000187000 2012-04-12 
07:14:16
0x0000000006139b30 residentagent.     1248   1132 0x0000000128a0e000 2012-04-12 
07:16:03
0x00000000061ba900 msdtc.exe          2164    484 0x00000001199a8000 2012-04-12 
07:16:37
<snip>

Original issue reported on code.google.com by jessebow...@gmail.com on 17 Jul 2012 at 2:13

GoogleCodeExporter commented 9 years ago 
Hey Jesse, 

The VOLATILITY_LOCATION is a little different than the other environment 
variables in that you have to prefix the path with file:///. That's to enable 
the loading of files from other locations besides the local file system (like 
url:/// or whatever). Also see the wiki entry: 
http://code.google.com/p/volatility/wiki/BasicUsage21#Environment_Variables

Can you give that a shot and see if it works?

Original comment by michael.hale@gmail.com on 17 Jul 2012 at 3:34

GoogleCodeExporter commented 9 years ago 
Duh! That was it; sorry for jumping to conclusions!

Original comment by jessebow...@gmail.com on 17 Jul 2012 at 6:00

GoogleCodeExporter commented 9 years ago 
No problem, thanks again for helping us test stuff ;-)

Original comment by michael.hale@gmail.com on 17 Jul 2012 at 8:40