[Vol-users] Error when using Printkey

Mark Morgan mark.morgan47 at gmail.com
Tue Jan 26 18:58:54 CST 2010


I do not have the beta branch.  Where do you get that version?

Mark


On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette at gmail.com> wrote:

> Mark,
>  Are you getting the same bug with the 1.4beta branch?  We have
> rewritten much of the object framework. It looks like it's passing an
> int rather than an object somewhere here.
>
> Michael.
>
> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> > I am trying to use printkey against a Windows XP image and keep getting an
> > error when I use printkey.  I have also provided the commands I used for
> > hivescan and hivelist, which work great, but printkey does not.  Does anyone
> > have any suggestions as to why?  I initially thought it was because it was
> > SP3, so I ran the same plugins against the xp-laptop-2005-06-25.img that was
> > suggested to use in Brendan's guide, but I get the same results.  Anyone have
> > any thoughts as to why???
> >
> >
> > Mark Morgan
> > 702-942-2556
> >
> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> > Offset (hex)
> > 181006344 0xac9f008
> > 181033824 0xaca5b60
> > 189972488 0xb52c008
> > 202671368 0xc148508
> > 544586592 0x2075bb60
> > 642878304 0x26518b60
> > 643895304 0x26611008
> > 678736920 0x2874b418
> > 740933640 0x2c29c008
> > 742706016 0x2c44cb60
> > 789179232 0x2f09eb60
> > 798029088 0x2f90f520
> > 1107776776 0x42075508
> > 1874516240 0x6fbad910
> >
> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
> > Address Name
> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> > 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
> > 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
> > 0xe18b6008 [no name]
> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
> > 0xe102e008 [no name]
> >
> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
> > Key name: [9252] (Stable)
> > Last updated: Wed Jul 29 02:08:26 2009
> > Subkeys:
> > Traceback (most recent call last):
> >   File "./volatility", line 219, in <module>
> >     main()
> >   File "./volatility", line 215, in main
> >     command.execute()
> >   File "memory_plugins/registry/printkey.py", line 97, in execute
> >     for s in subkeys(key):
> >   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
> >     s.is_valid() and s.Signature == NK_SIG]
> > AttributeError: 'int' object has no attribute 'is_valid'
> >
> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
> > Image Type: Service Pack 3
> > VM Type: pae
> > DTB: 0x33e000
> > Datetime: Tue Aug 04 11:02:35 2009