volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Windows 2012 R2 parsing issue #770

Open vijayakumarcfis opened 3 years ago

vijayakumarcfis commented 3 years ago

Hi,

I am trying to analyse a memory image pertaining to a Windows 2012 R2 system (Product version: 6.3.9600.18895), but I am unable to parse it.

I have used both Linux (v2.6.1) and Windows (v2.6) versions of Volatility and tried out all available profiles for Windows 2012.

Imageinfo didn't suggest/instantiate any profile, and Kdbgscan returned no output/results.

Also, I acquired the memory twice and the results were the same. So, I presume the memory images are not corrupted.

Here is the pslist output:

No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareAddressSpace: No base Address Space
 QemuCoreDumpElf: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0x0
 QemuCoreDumpElf: ELF Header signature invalid
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: No valid DTB found
 WindowsAMD64PagedMemory: No valid DTB found
 LinuxAMD64PagedMemory: Incompatible profile Win2012R2x64 selected
 AMD64PagedMemory: No valid DTB found
 IA32PagedMemoryPae: Incompatible profile Win2012R2x64 selected
 IA32PagedMemory: Incompatible profile Win2012R2x64 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: No valid DTB found

Kindly help.
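Added example (not from the issue author or the Volatility project): a small Python helper that parses the "Tried to open image as:" chain quoted in the post, also when it has been flattened onto one line, and groups the address spaces by why they failed, so that the "No valid DTB found" entries from the paged-memory layers (the symptom of a profile that does not match the kernel build) stand out from the expected container-format probe failures. SAMPLE_OUTPUT is a constructed excerpt of the chain above; the bucket names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the Volatility 2 error chain quoted in
# the issue (wording and order kept; the full chain is longer).
SAMPLE_OUTPUT = """No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsAMD64PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VMWareAddressSpace: Invalid VMware signature: 0x0
 WindowsAMD64PagedMemory: No valid DTB found
 LinuxAMD64PagedMemory: Incompatible profile Win2012R2x64 selected
 AMD64PagedMemory: No valid DTB found
 IA32PagedMemory: Incompatible profile Win2012R2x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: No valid DTB found
"""

# Entries are "<AddressSpaceClass>: <message>".  Class names start with a capital
# letter, so a capitalised token followed by ": " delimits entries even when flattened.
ENTRY_RE = re.compile(r"([A-Z][A-Za-z0-9]+): (.*?)(?= [A-Z][A-Za-z0-9]+: |$)")

def parse_chain(text):
    """Return [(address_space, message), ...] from the 'Tried to open image as:' chain."""
    _, _, chain = text.partition("Tried to open image as:")
    flat = " ".join(chain.split())  # accept one-per-line or flattened input
    return ENTRY_RE.findall(flat)

def classify(message):
    if "need base" in message or "No base" in message or "Must be first" in message:
        return "layer-skipped"      # stacked layer with nothing under it; not a finding
    if "No valid DTB found" in message:
        return "profile-mismatch"   # paging layer found no DTB with the selected profile
    if "Incompatible profile" in message:
        return "wrong-arch"         # layer belongs to another OS/architecture; expected
    return "not-this-format"        # a container-format signature/magic probe failed

def triage(text):
    """Group address spaces by failure class; 'profile-mismatch' is the actionable bucket."""
    groups = defaultdict(list)
    for space, message in parse_chain(text):
        groups[classify(message)].append(space)
    return dict(groups)
```

Running triage() over the full chain in the post puts every x64 paged-memory layer in the profile-mismatch bucket, which is the signal that the selected Win2012R2x64 profile does not fit build 18895.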

dsplice commented 3 years ago

It appears there is not a memory profile for 18895. I am having the same issue with a Windows 2012 R2 server that has a build number of 19968.