[Vol-users] Error when using Printkey

Mark Morgan mark.morgan47 at gmail.com
Tue Jan 26 16:19:55 CST 2010


I am trying to use printkey against a Windows XP image and keep getting an
error when I use printkey.  I have also provided the commands I used for
hivescan and hivelist which work great but printkey does not.  Does anyone
have any suggestions as to why.  I initially thought it was because it was
SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img that was
suggested to use in Brendan's guide but I get the same results.  Anyone have
any thoughts as to why???


Mark Morgan
702-942-2556

  morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin


 Offset (hex)

181006344 0xac9f008

181033824 0xaca5b60

189972488 0xb52c008

202671368 0xc148508

544586592 0x2075bb60

642878304 0x26518b60

643895304 0x26611008

678736920 0x2874b418

740933640 0x2c29c008

742706016 0x2c44cb60

789179232 0x2f09eb60

798029088 0x2f90f520

1107776776 0x42075508

1874516240 0x6fbad910


 morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008

Address Name

0xe6348910 \Documents and Settings\144553\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat

0xebe6e508 \Documents and Settings\144553\NTUSER.DAT

0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat

0xe1895520 \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat

0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT

0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat

0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT

0xe4f8eb60 \WINDOWS\system32\config\SAM

0xe77b9b60 \WINDOWS\system32\config\SECURITY

0xe77cd008 \WINDOWS\system32\config\SOFTWARE

0xe77ca418 \WINDOWS\system32\config\DEFAULT

0xe18b6008 [no name]

0xe1035b60 \WINDOWS\system32\config\SYSTEM

0xe102e008 [no name]


 morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60


 Key name: [9252] (Stable)

Last updated: Wed Jul 29 02:08:26 2009

 Subkeys:

Traceback (most recent call last):

File "./volatility", line 219, in <module>

main()

File "./volatility", line 215, in main

command.execute()

File "memory_plugins/registry/printkey.py", line 97, in execute

for s in subkeys(key):

File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line
144, in subkeys

s.is_valid() and s.Signature == NK_SIG]

AttributeError: 'int' object has no attribute 'is_valid'


 morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility
ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin

Image Name: /home/morgan/Memory Images/PhysicalMemory.bin

Image Type: Service Pack 3

VM Type: pae

DTB: 0x33e000

Datetime: Tue Aug 04 11:02:35 2009
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20100126/4ee4e0a8/attachment.html


More information about the Vol-users mailing list