volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Win2012 Issue #607

Closed larmet26 closed 5 years ago

larmet26 commented 5 years ago

Encountering a problem parsing memory from a Windows 2012 server. Kernel version listed at bottom of message.

vol.py pslist

Volatility Foundation Volatility Framework 2.6
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 VMotionMigrationAddressSpace: VMotionMigration requires a base
 WindowsCrashDumpSpace64BitMap: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace: Location is not of file scheme
 ArmAddressSpace: No base Address Space

or

vol.py imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 VMotionMigrationAddressSpace: VMotionMigration requires a base
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 Win10AMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 FileAddressSpace: Location is not of file scheme
 ArmAddressSpace: No base Address Space

My kernel is: 6.2.9200.22707

atcuno commented 5 years ago

Could you please list the command line that you used to run Volatility?

Also, how did you acquire memory?

and are you using the latest version from github source?

larmet26 commented 5 years ago

Hey Andrew,

I figured it out. I was using the latest version from github. It was just taking a lot longer than anticipated. Also, the memory was acquired using Encase Enterprise.

Thanks for following up.

Regards,

Lee S. Armet | Incident Response & Forensics | Security Operations Centre | Royal Bank of Canada T: 416.974.1161 | C: 416.795-3763 | lee.armet@rbc.com | 155 Wellington Street – 5th Floor, Toronto, Ontario M5V 3K7

From: Andrew Case [mailto:notifications@github.com] Sent: 2019, May, 21 3:29 PM To: volatilityfoundation/volatility volatility@noreply.github.com Cc: Armet, Lee lee.armet@rbc.com; Author author@noreply.github.com Subject: Re: [volatilityfoundation/volatility] Win2012 Issue (#607)

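Before blaming the address-space chain for an "Address Space" failure like the one above, it is worth a quick pre-flight check on the acquired file itself: does the path exist, is it non-empty, and is it a raw dump or an EnCase E01 container (which the stock Volatility 2 FileAddressSpace does not open). The script below is an added example, not code from the Volatility project or from this thread; it assumes the standard 8-byte EWF segment header and that Volatility 2 builds a `file://` URL from `-f`, and writes its own constructed sample files rather than real memory.

```python
import os
import tempfile
import urllib.request

# 8-byte segment header of an EnCase Expert Witness (.E01) file.
# A well-known on-disk signature, not a value from the issue thread.
EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"


def classify_image(path):
    """Pre-flight check before a long imageinfo/KDBG scan: does the file
    exist, is it non-empty, and is it an E01 container or a raw dump?"""
    if not os.path.isfile(path):
        return {"status": "missing", "format": None, "size": 0}
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(len(EWF_MAGIC))
    if size == 0:
        fmt = "empty"
    elif head == EWF_MAGIC:
        fmt = "ewf"             # needs an EWF-aware address space or conversion to raw
    else:
        fmt = "raw_or_unknown"  # what the stock FileAddressSpace expects
    return {"status": "ok", "format": fmt, "size": size}


def volatility_location(path):
    """Volatility 2 turns `-f <path>` into a file:// URL (assumption based on
    the 'Location is not of file scheme' message FileAddressSpace prints)."""
    return "file://" + urllib.request.pathname2url(os.path.abspath(path))


def demo():
    """Write two constructed sample files and classify them."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        e01 = os.path.join(tmp, "server.E01")
        raw = os.path.join(tmp, "server.raw")
        with open(e01, "wb") as fh:
            fh.write(EWF_MAGIC + b"\x01" + b"\x00" * 64)   # constructed E01 stub
        with open(raw, "wb") as fh:
            fh.write(b"\x00" * 4096)                      # constructed raw filler
        results["e01"] = classify_image(e01)["format"]
        results["raw"] = classify_image(raw)["format"]
        results["missing"] = classify_image(os.path.join(tmp, "nope.raw"))["status"]
    return results


if __name__ == "__main__":
    print(demo())
```

If the result is "ewf", convert the image to raw (or use an EWF-capable address space) before running pslist or imageinfo; a "raw_or_unknown" file with a sane size is what the long KDBG search in the thread expects.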