ikelos
commented
3 years ago Hiya @KevinK24
If the file isn't compressed, .json will work, if it's xz compressed, then it needs to be .json.xz. For linux files, the file name isn't important, but windows the JSON files have a specific name. There is some documentation about the naming conventions at https://volatility3.readthedocs.io/en/latest/symbol-tables.html#how-volatility-finds-symbol-tables
You can check whether volatility has correctly identified the JSON file, by locating it with the output of isfinfo. If you can't find the file in there, then it hasn't been detected. That will also tell you the banner that it's found, and that banner must match exactly with the image you're expecting it to be used on. If the banner isn't present then the JSON file wasn't generated correctly, and if it is but doesn't match the kernel of the image, then it also won't work (you can check if it did find it by using -vvv when running vol.py. If it doesn't say that it matched a banner (and tell you the banner) then the two didn't match.
As to the Encase file format, I'm afraid we don't have a handler for that file format. it sounds as though it's got a header that looks like an LZ compression, and so the mime-type attempts to decompress it, but even if it has decompressed, we wouldn't be able to read the data inside it appropriately.
Since I've answered the first question, I'm going to retitle the issue as an enhancement request for Encase EX support. We'll leave this open so we don't forget that someone wants it (and so that others can potentially work on it). I'm afraid I don't know where encase support fits into our priorities, but without samples it's going to be less likely to get done soon I'm afraid...
KevinK24
iMHLv2
Hello, I'm sorry if this isn't the appropriate place - I couldn't find anywhere else that seemed appropriate. Two use questions