Maybe a stupid question here, but does Volatility currently support the
analysis of Linux memory from a virtual machine?
I see that it supports VMs and Linux separately, but not together?
Thanks in advance
Lou
After quickly selling out our recent course in Reston, we have now
scheduled another training there in November:
http://volatility-labs.blogspot.com/2013/06/memory-forensics-training-resto…
This course is taught directly by Volatility developers, and provides
intense training in memory forensics for incident response, malware
analysis, and digital forensic investigation.
We already have quite a few people signed up and had to turn away
people last time, so please contact us ASAP if you are interested in
taking it.
Thanks,
Andrew (@attrc)
This post is off-topic; however, there are a lot of bright people on
this list so maybe someone will be able to help. I need to set a static
ipv4 address on an interface in WinPE4.0/WinFE4.0. For example the
following command works on Windows 8:
netsh.exe interface ip set address Ethernet static 192.168.0.5 255.255.255.0
On WinPE 4.0 I am getting an error that the interface is not found which
is odd since the interface appears in the list of interfaces. For example:
netsh.exe interface ip show interfaces
and
netsh.exe interface ip show interface Ethernet
both work as expected.
I can also add a route on the interface in WinPE, e.g.:
netsh.exe interface ip add route 192.168.0.0/24 Ethernet
works. It is just adding the static IP address that doesn't work. I
have also tried using the IF index instead of the interface name; still
no joy. Unfortunately I can't use DHCP in some applications because the
client broadcasts an announcement that I am present, which wouldn't be
prudent.
I am wondering if there isn't maybe some dependency that is missing from
my WinPE installation?
Anyone have any thoughts?
Regards,
George.
Hi all,
I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs.
With (say) a single ulong, the following works great:
profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
})
However, the obvious generalisation to 4 ulongs:
profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
})
fails. Looking at the source, the profile.merge_overlay calls:
obj.Object(['array', 4, ['unsigned long']], offset=0, ..)
and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls:
vm.profile.has_type(['array', 4, ['unsigned long']])
Attempts at using obj.Array instead also flounder.
Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled?
Many thanks,
Carl.
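The bit-to-word mapping that a multi-ulong bitmap needs, shown as an added stand-alone example (not Volatility code and not the poster's): a bitmap name maps to an absolute bit index across the whole array, and the decoder works out which ulong and which bit within it to test. It assumes 32-bit little-endian ulongs and uses constructed sample bytes; the function and constant names are the example's own.

```python
import struct

# Added example, not Volatility's obj.Flags: decodes named bits from a
# bitmap that spans an array of N unsigned longs. Assumes 32-bit
# little-endian ulongs; change WORD_FMT/WORD_BITS for a 64-bit target.
WORD_FMT = "<I"
WORD_BITS = 32


def read_words(raw, count, offset=0):
    """Unpack `count` ulongs from `raw` starting at byte `offset`."""
    size = struct.calcsize(WORD_FMT)
    if offset + count * size > len(raw):
        raise ValueError("not enough bytes for %d words" % count)
    return [struct.unpack_from(WORD_FMT, raw, offset + i * size)[0]
            for i in range(count)]


def decode_bitmap(words, bitmap):
    """Return the set of bitmap names whose bit is set.

    `bitmap` maps name -> absolute bit index over the whole array, so bit 35
    is tested in words[1] at bit position 3 (35 - 32). With a single word this
    reduces to the ordinary one-ulong Flags case.
    """
    names = set()
    for name, bit in bitmap.items():
        word, shift = divmod(bit, WORD_BITS)
        if word >= len(words):
            raise ValueError("bit %d (%r) is outside %d words" % (bit, name, len(words)))
        if (words[word] >> shift) & 1:
            names.add(name)
    return names


def flags_from_bytes(raw, count, bitmap, offset=0):
    """Convenience wrapper: raw bytes -> set of names."""
    return decode_bitmap(read_words(raw, count, offset), bitmap)


# Constructed sample: four ulongs with bits 0, 2 and 35 set.
SAMPLE_RAW = struct.pack("<4I", 0b101, 0b1000, 0, 0)
SAMPLE_BITMAP = {"A": 0, "B": 1, "C": 2, "D": 35}

if __name__ == "__main__":
    print(sorted(flags_from_bytes(SAMPLE_RAW, 4, SAMPLE_BITMAP)))  # → ['A', 'C', 'D']
```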
I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
Thanks!
--
chort
Hi everyone,
I would like to ask you if it is possible to dump the hive file from a
memory image.
For some reason the printkey cmd does not return the expected values.
My VirtualBox Windows XP SP3 image contains vboxtray.exe in the Run key,
but I don't see it in the printkey -K
"Software\Microsoft\Windows\CurrentVersion\Run" cmd output.
I am using volatility version 2.3 beta.
I want to use Windows registry recovery tool to check if it is able to get
the info I need.
Thank you
Jaro
Hello all,
First congrats on a great tool :)
I'm looking for some ISO/distro to be able to do some "coldboot" testing,
and I was thinking of using the LiME module.
Has anyone done anything related to this, like a really small kernel
booting from USB and dumping the memory?
What do you guys use to do memory dumps? (on "real" systems, not VMs?)
Thanks