Closed or4gevi closed 2 months ago
Hi there, Volatility can only dump the files it can identify from the memory image provided. There's no guarantee that all files you requested will be present in memory, or that the structures needed to find them will be present. If there's a specific file that you expected dumpfiles to be able to extract and can show that it's accessible through the technique that dumpfiles uses to locate the files it extracts, then we can investigate that bug, but the output you provided makes no mention of files that couldn't be recovered (nor any that could), so it's unclear that volatility isn't operating as expected. If you could provide more information as to why you believe volatility should have been able to determine the contents of a specific file from memory then we can investigate further... 5:)
I've encountered the same issue. So, how can I proceed to export this file? After such a long time, is the domain database file still unrecognized? Do I need to send you an example of this file? Thank you.
It's not about the type of file actually recorded there, it's about identifying the structure recording the information about the file. It turns out the technique Volatility uses to find these files is different between the two plugins. The filescan plugin uses the poolscanner to hunt for entries; dumpfiles looks for file handles to dump the contents of. As such, entries found in filescan may not be files that can be retrieved by dumpfiles. @iMHLv2 may be able to explain the difference a little better, and let us know if it would be possible to add a --dump option to the filescan plugin, but there's no guarantee the contents of the file are present in memory just because the entry is found in a pool.
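The gap described in the comment above (a pool-scanned entry in filescan that dumpfiles cannot recover) can be checked mechanically. The script below is an added example, not part of Volatility 3 or this thread: it assumes the tab-separated text output of windows.filescan.FileScan (columns Offset, Name, Size) and of windows.dumpfiles.DumpFiles (columns Cache, FileObject, FileName, Result, with "Error dumping file" marking a cache that yielded nothing); the sample outputs are constructed.

```python
"""Triage which filescan hits dumpfiles actually recovered (added example).

Column layouts and the "Error dumping file" marker are assumptions about
Volatility 3 text output; both sample outputs below are constructed.
"""
import re

FILESCAN_OUT = """\
Offset\tName\tSize
0xd10ac0648430\t\\Windows\\NTDS\\ntds.dit\t0x1800000
0xd10ac0aa1b20\t\\Windows\\NTDS\\edb.log\t0xa00000
0xd10ac0c77d90\t\\Windows\\System32\\config\\SYSTEM\t0x1000000
"""

DUMPFILES_OUT = """\
Cache\tFileObject\tFileName\tResult
DataSectionObject\t0xd10ac0648430\tntds.dit\tError dumping file
SharedCacheMap\t0xd10ac0648430\tntds.dit\tfile.0xd10ac0648430.0xd10ac0651234.vacb
DataSectionObject\t0xd10ac0aa1b20\tedb.log\tfile.0xd10ac0aa1b20.0xd10ac0aa2000.dat
"""

def filescan_hits(output: str, name_pattern: str) -> list[tuple[str, str]]:
    """Return (offset, path) for filescan rows whose Name matches the regex."""
    pat = re.compile(name_pattern, re.IGNORECASE)
    hits = []
    for line in output.splitlines()[1:]:          # skip the header row
        parts = line.split("\t")
        if len(parts) >= 2 and pat.search(parts[1]):
            hits.append((parts[0], parts[1]))
    return hits

def dumpfiles_commands(image: str, hits: list[tuple[str, str]]) -> list[str]:
    """One dumpfiles --virtaddr invocation per filescan hit (the thread's workflow)."""
    return [f"python3 vol.py -f {image} windows.dumpfiles.DumpFiles --virtaddr {off}"
            for off, _ in hits]

def dump_results(output: str) -> dict[str, dict[str, bool]]:
    """Map FileObject offset -> {cache name: data recovered?}."""
    results: dict[str, dict[str, bool]] = {}
    for line in output.splitlines()[1:]:
        parts = line.split("\t")
        if len(parts) < 4:
            continue
        cache, obj, _name, result = parts[:4]
        results.setdefault(obj, {})[cache] = result != "Error dumping file"
    return results

def triage(filescan_out: str, dumpfiles_out: str, name_pattern: str) -> dict[str, tuple[str, bool]]:
    """offset -> (path, True if any cache of that file object was dumped).
    A hit that is absent from the dumpfiles output, or whose caches all
    errored, is a pool entry whose contents were not resident in memory."""
    res = dump_results(dumpfiles_out)
    return {off: (path, any(res.get(off, {}).values()))
            for off, path in filescan_hits(filescan_out, name_pattern)}
```

In the constructed data the ntds.dit object is recovered only via its SharedCacheMap, edb.log via its DataSectionObject, and the SYSTEM hive entry is found by filescan but yields nothing from dumpfiles.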
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.
Describe the bug
vCenter suspended the VM. I downloaded the VMEM file (16 GB) and attempted to use Volatility 3. The windows.dumpfiles plugin cannot dump all the files I want to dump: some files can be dumped, some cannot.
Context
Volatility Version: 3
Suspected Operating System: Windows Server 2016 10.0.14393
To Reproduce
Steps to reproduce the behavior:
$ python3 vol.py -vvv -f xx.vmem windows.info
$ python3 vol.py -vvv -f xx.vmem windows.filescan.FileScan | grep ntds.dit
$ python3 vol.py -vvv -f xx.vmem windows.dumpfiles.DumpFiles --virtaddr 0xd10ac0648430