Closed GoogleCodeExporter closed 8 years ago
I found part of the problem. Apparently the --plugins= argument wants a fully
qualified path, but it still doesn't work:
$ vola --plugins=/cygdrive/d/volatility-read-only/contrib/plugins -f *E01
imageinfo
Volatility Foundation Volatility Framework 2.3.1
*** Failed to import volatility.plugins.malware.zeusscan (ImportError: No
module named zeusscan)
*** Failed to import volatility.plugins.malware.poisonivy (ImportError: No
module named poisonivy)
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (/cygdrive/f/x.E01)
PAE type : No PAE
Original comment by johnmcca...@gmail.com
on 14 Jan 2014 at 5:18
how did you install libewf? Can you try to copy contrib/plugins/aspaces/ewf.py
into volatility/plugins/addrspaces/ and use without the --plugins= option?
otherwise if you already have encase, you can just mount the memory sample as
described in [1].
[1]
http://volatility-labs.blogspot.com/2013/10/sampling-ram-across-encase-enterpris
e.html
Original comment by jamie.l...@gmail.com
on 14 Jan 2014 at 9:20
Jamie,
As to libewf installation, I just typed:
./configure --enable-python
make
make install
All the binaries appear to be in place, and, for example, ewfinfo gives correct
results for my test image.
I tried copying ewf.py over to the specified folder and running it without
--plugins, but I get essentially the same results
I'm able to dump out the memory image to a dd-style image with Encase and
analyze it that way just fine.
What specific pieces of libewf is Volatility trying to use? Do you know if it
needs fuse? That particular piece isn't supported under cygwin.
Thanks
Original comment by johnmcca...@gmail.com
on 15 Jan 2014 at 3:21
Thanks for the info. Which version of libewf did you download? I need to see
if I can duplicate the problem and I think there are some versions that might
give problems, IIRC.
Yeah, the dd-style memory sample should work fine. I was trying to save you
the trouble by showing that you could just mount it through EnCase instead.
Original comment by jamie.l...@gmail.com
on 15 Jan 2014 at 3:30
I downloaded the libewf source from
https://googledrive.com/host/0B3fBvzttpiiSMTdoaVExWWNsRjg/libewf-20131230.tar.gz
That's the most recent non-experimental link from the page referenced by the
downloads link on http://code.google.com/p/libewf/
Original comment by johnmcca...@gmail.com
on 15 Jan 2014 at 7:58
out of curiosity, were these files compressed also?
Original comment by jamie.l...@gmail.com
on 7 Mar 2014 at 4:47
Original comment by jamie.l...@gmail.com
on 7 Mar 2014 at 4:48
Issue 480 has been merged into this issue.
Original comment by jamie.l...@gmail.com
on 7 Mar 2014 at 4:48
I think they were. Unfortunately, I've moved on to a new position, and no
longer have the specific samples I was testing with.
Original comment by johnmcca...@gmail.com
on 10 Mar 2014 at 7:20
No worries. Thanks for letting us know. If it's really an issue with
compression, we can create files for testing and see if those fail as well.
Original comment by jamie.l...@gmail.com
on 10 Mar 2014 at 7:26
I ran into this issue today using Ubuntu 12.04 and libewf-20140427. I was able
to fix it by recompiling libewf with the "--enable-v1-api" configure flag.
Running volatility 2.3.1 was successful against a compressed E01.
Original comment by thr...@gmail.com
on 28 Apr 2014 at 5:17
Original comment by jamie.l...@gmail.com
on 20 Nov 2014 at 8:27
Original issue reported on code.google.com by
johnmcca...@gmail.com
on 14 Jan 2014 at 5:05