volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Error while scanning raw imagefile #1246

Open MaxFuwin opened 2 months ago

MaxFuwin commented 2 months ago

Hi, I am currently running an image file. I used the code: python3 -f mem.raw windows.info, and it shows these error codes:

Unsatisfied requirement plugins.Hashdump.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
    The associated translation layer requirement was fulfilled
    You have the correct symbol file for the requirement
    The symbol file is under the correct directory or zip file
    The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Hashdump.kernel.symbol_table_name']

Did I miss installing any essential API for this tool?

MaxFuwin

Abyss-W4tcher commented 2 months ago

Hi, could you provide us with a -vvvvvvvvv debug run, to see if any info comes out here?

MaxFuwin commented 2 months ago

Does it look like this? Python3 vol.py -f memory_dump.raw windows.info -v?

Abyss-W4tcher commented 2 months ago

More like: Python3 vol.py -f memory_dump.raw -vvvvvvvvvv windows.info

MaxFuwin commented 2 months ago

Now it looks like these:

Abyss-W4tcher commented 2 months ago

Alright, could you try running :

python3 vol.py -f memory_dump.raw -vvvvvvvvvv --clear-cache windows.info

It seems there is a problem with the cache directory.

MaxFuwin commented 2 months ago

image

Abyss-W4tcher commented 2 months ago

Instead of taking screenshots, could you provide the entire output as text, please?

MaxFuwin commented 2 months ago

volatility3error.txt

I'm sorry, that might take some of your time; the error is quite long.

Abyss-W4tcher commented 2 months ago

This issue is quite similar to https://github.com/volatilityfoundation/volatility3/issues/1226, please check it out and tell us if it fixes it for you too.

MaxFuwin commented 2 months ago

Emmm, it seems like volatility 3.0 is not supporting Win11 memory dumps; when I tested a Win10 memory dump I got the result. By the way, thanks for spending time helping me to solve this issue.

Abyss-W4tcher commented 2 months ago

Have you tried changing the cache path to a writable directory?

For now, it seems the error relates only to a permission problem.

MaxFuwin commented 2 months ago

According to my several tests, I tried to scan memory images from Windows 7, 10 and 11; some of the images were scanned successfully. This is one successful example for Windows 10: image. But some of the images didn't. Does volatility 3 not support some of the versions?

Abyss-W4tcher commented 2 months ago

Yes, Volatility3 supports Windows11.

Would you be able to provide a run with :

python3 vol.py -f memory_dump.raw -vvvvvvvvvv --cache-path C:\Users\username\Downloads\test_volatility3_cache\ windows.info

You will need to create the directory C:\Users\username\Downloads\test_volatility3_cache\ beforehand, while replacing username with your Windows username.

This would help to determine if the cache permission is faulty or if it is indeed a support problem.

MaxFuwin commented 2 months ago

According to my tests:

Windows system versions supported by volatility3: Volatility 3 Framework 2.7.1

Python3 volatility3/vol.py -f xx.raw windows.info # test command.

Support for windows7 Professional Edition (7600)
Support for windows10 Professional Edition 1607 (14393.447)

Windows7 sp1 Ultimate Edition is not supported (7601)
Windows10 Professional Edition 1809 (17763.437) is not supported
Windows11 Professional 23H2 (22631.4037) is not supported
Windows11 Professional 24H2 (26100.1591) is not supported

ikelos commented 2 months ago

Hiya, did you ever try @Abyss-W4tcher's test?

It would be running the following against one of the images that wasn't working:

mkdir D:\volatility3\cache
python3 volatility3/vol.py -vvvvvvv -f E:\xx.raw --cache-path D:\volatility3\cache windows.info

It will create a lot of output, but it should tell us whether it's just a file permission issue (which it looks like) or something else...
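A small helper, added here as an example and not part of the volatility3 project or this thread, that automates the check suggested above: it proves the cache directory is writable before the run, assembles the verbose invocation with an explicit --cache-path, and triages the captured output into "permission" versus "symbols". The sample outputs are constructed, and the assumption that a cache permission failure surfaces in the -vvv log as "PermissionError" / "Permission denied" is an assumption, not something the thread states.

```python
# Added example (not volatility3 project code): automate the cache-path check from
# this thread and triage the verbose output. Assumes that a cache-permission
# failure shows up in the -vvv log as "PermissionError" / "Permission denied".
import re
import sys
import tempfile
from pathlib import Path

UNSAT_RE = re.compile(r"Unsatisfied requirement (plugins\.\S+\.symbol_table_name)")
PERM_RE = re.compile(r"PermissionError|Permission denied|Errno 13")

def cache_dir_writable(path):
    """Create `path` if needed, then prove it is writable with a throwaway probe file."""
    p = Path(path)
    try:
        p.mkdir(parents=True, exist_ok=True)
        with tempfile.NamedTemporaryFile(dir=p, prefix=".vol3probe"):
            pass  # probe file is deleted on close
        return True
    except OSError:
        return False

def build_command(image, cache_path, plugin="windows.info", verbosity=10, vol_py="vol.py"):
    """The debug invocation suggested in the thread: maximal -v plus an explicit --cache-path."""
    return [sys.executable, vol_py, "-f", str(image), "-" + "v" * verbosity,
            "--cache-path", str(cache_path), plugin]

def triage(output):
    """Classify a verbose run: 'permission' if the log shows a permission failure,
    'symbols' if only the symbol-table requirement is unsatisfied, 'ok' otherwise."""
    unsat = UNSAT_RE.findall(output)
    if PERM_RE.search(output):
        return "permission", unsat
    if unsat:
        return "symbols", unsat
    return "ok", unsat

# Constructed sample outputs (not real captures) for the two cases the thread distinguishes.
SAMPLE_PERMISSION_RUN = """\
DEBUG    volatility3.framework.symbols: Searching for symbol tables
PermissionError: [Errno 13] Permission denied: '/root/.cache/volatility3/symbol_cache'
Unsatisfied requirement plugins.Hashdump.kernel.symbol_table_name:
"""
SAMPLE_SYMBOLS_RUN = """\
DEBUG    volatility3.framework.symbols: Searching for symbol tables
Unsatisfied requirement plugins.Hashdump.kernel.symbol_table_name:
"""
```

Run the command from build_command with the output captured to a file, then pass that file's text to triage; a "symbols" verdict with a writable cache directory points at missing symbol files rather than permissions.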