woogers / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Can't get hashdump to work in 1.4 #101

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi!

I have an xpsp2.img for testing. I can't get the hashdump to work with 1.4. 
Probably no "issue"... just me doing this wrong...
I'm using Win7 64 on my computer.

Using Vol 1.3:
python volatility hashdump -y %SYSTEMHIVE% -s %SAMHIVE% -f xpsp2.img >C:\Result.txt
No problem, the user accounts are in the text file.

Output with 1.3:
C:\Volatility-1.3_Beta\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha
C:\Python26\lib\site-packages\Crypto\Hash\MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  from md5 import *
And then all the user accounts are displayed...

Using Vol 1.4:
python vol.py hashdump --profile=WinXPSP2x86 -y %SYSTEMHIVE% -s %SAMHIVE% -f xpsp2.img >C:\Result2.txt
Will not work. The file is empty.
If I don't redirect the output to a text file it still doesn't work. 

Output with 1.4: 
Volatile Systems Volatility Framework 1.4_rc1
C:\Python26\lib\site-packages\Crypto\Hash\MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
  from md5 import *

Thanks!

//Nanna

Original issue reported on code.google.com by nanna.pe...@gmail.com on 9 Apr 2011 at 3:23

GoogleCodeExporter commented 8 years ago
Hi Nanna,

I'm having difficulty recreating your problem.  Can you please run the 
following command with your xpsp2.img (note the -d -d), and attach the output 
to this issue?  Hopefully that will help us track down the problem:

python vol.py -d -d hashdump --profile=WinXPSP2x86 -y %SYSTEMHIVE% -s %SAMHIVE% -f xpsp2.img

Also, could you please provide the output from the following, and specify which 
values you used for %SYSTEMHIVE% and %SAMHIVE%:

python vol.py -d -d hivelist --profile=WinXPSP2x86 -f xpsp2.img

That should tell us whether it's properly detecting the hives.  Thanks...

Original comment by mike.auty@gmail.com on 10 Apr 2011 at 9:14

GoogleCodeExporter commented 8 years ago
Hi!

I've attached the info you requested. 
The hives that I used are in bold red. 

I've also tried with one other RAM dump. That was also an XPSP2 dump (a dd image). The same problem occurred when I was using 1.4. 

Thanks again!

Original comment by nanna.pe...@gmail.com on 10 Apr 2011 at 1:23

GoogleCodeExporter commented 8 years ago
Hi Nanna,

Thanks very much for that output, it looks as though you're using the physical 
addresses for the two hives, rather than their virtual addresses.  I know that 
1.4 requires the virtual addresses of the hives, and I believe 1.3 uses them 
too.  You should find that 1.3 will fail when using the offsets you marked in 
red on the same image.

Could you please try the following command:

python vol.py hashdump --profile=WinXPSP2x86 -y 0xe1035b60 -s 0xe165cb60 -f xpsp2.img

That should be using the virtual offsets, and ought to give you some output.

Please let us know both if that solves it, or if it doesn't, so that we can 
close the bug or investigate further.  Thanks...  5:)

Original comment by mike.auty@gmail.com on 10 Apr 2011 at 2:04
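The mix-up in this thread (feeding hashdump the Physical column from hivelist instead of the Virtual one) is easy to make by hand. The helper below is an added example, not Volatility's own code: it parses a hivelist-style table, tells you which column a given offset came from, and builds the hashdump command line from the virtual offsets of the SYSTEM and SAM hives. The table layout (Virtual / Physical / Name columns) and the physical offsets in the sample are constructed assumptions modelled on hivelist output; the two virtual offsets are the ones Mike gave above. Adjust the regex if your Volatility version prints the table differently.

```python
"""Pick the virtual hive offsets for hashdump from hivelist-style output.

Added example, not Volatility code. The table format is modelled on what
hivelist prints (Virtual / Physical / Name columns); treat the exact layout
as an assumption and adjust ROW if your version differs.
"""
import re

# Constructed sample in the hivelist layout. The virtual offsets for SYSTEM
# and SAM are the ones quoted in this issue; the physical offsets are made up.
SAMPLE_HIVELIST = """\
Volatile Systems Volatility Framework 1.4_rc1
Virtual    Physical   Name
0xe1035b60 0x02b15b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system
0xe165cb60 0x0489ab60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM
0xe15a3008 0x03b32008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software
0xe18c2b60 0x06f9db60 \\Device\\HarddiskVolume1\\Documents and Settings\\user\\NTUSER.DAT
"""

# One data row: virtual offset, physical offset, then the hive path (may contain spaces).
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(text):
    """Return a list of (virtual, physical, name) tuples; offsets as ints."""
    hives = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hives.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return hives


def find_hive(hives, suffix):
    """Return the (virtual, physical, name) row whose path ends with suffix."""
    for virt, phys, name in hives:
        if name.lower().endswith(suffix.lower()):
            return virt, phys, name
    raise LookupError("no hive ending in %r" % suffix)


def classify_offset(hives, offset):
    """Say whether offset was copied from the Virtual or the Physical column."""
    for virt, phys, _ in hives:
        if offset == virt:
            return "virtual"
        if offset == phys:
            return "physical"
    return "unknown"


def hashdump_command(hives, image, profile="WinXPSP2x86"):
    """Build the hashdump invocation from the *virtual* SYSTEM and SAM offsets."""
    sys_virt = find_hive(hives, r"config\system")[0]
    sam_virt = find_hive(hives, r"config\SAM")[0]
    return "python vol.py hashdump --profile=%s -y 0x%08x -s 0x%08x -f %s" % (
        profile, sys_virt, sam_virt, image)


if __name__ == "__main__":
    hives = parse_hivelist(SAMPLE_HIVELIST)
    print(hashdump_command(hives, "xpsp2.img"))
    # Offsets taken from the Physical column are exactly the mistake in this issue.
    for off in (0xe1035b60, 0x0489ab60):
        print("0x%08x -> %s" % (off, classify_offset(hives, off)))
```

Run it against a saved hivelist listing by reading the file into `parse_hivelist` instead of `SAMPLE_HIVELIST`; `classify_offset` is the quick sanity check to run on the `-y`/`-s` values before wondering why hashdump prints nothing.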

GoogleCodeExporter commented 8 years ago
I've tried both the virtual and the physical... 1000 times... and now that you 
told me to try again it worked... 

I blame it on... well, loss of brain function... or hmm...

It works anyway! So I'm happy! : )
I was right about one thing though. "Probably no "issue"... just me doing this 
wrong..."  : )

Thanks again!

Original comment by nanna.pe...@gmail.com on 10 Apr 2011 at 6:57

GoogleCodeExporter commented 8 years ago
Hehehe,

No problem, glad we could help.  I've added in an error message when it has a 
problem determining usernames and passwords, so at least now you won't be 
confronted with no text.  Marking this as Done.  5:)

Original comment by mike.auty@gmail.com on 10 Apr 2011 at 7:06