[Vol-users] Error with 2.4 Debian Wheezy

Michael Ligh michael.ligh at mnin.org
Fri Sep 26 22:16:20 CDT 2014


Hi Sean, 

It seems very strange that you’d get a different number of processes with each run. Coupled with the IOError and the path being /mnt/hgfs (VMware host to guest), I would try to first rule out something weird with VMware Tools data transfer. Can you copy the memory dump into your virtual machine and run Volatility against the local file? 

MHL

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com

On Sep 25, 2014, at 8:57 AM, Sean McLinden <mclinden at informed.net> wrote:

> 
> I just built a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated though how far it gets differs with each run.
> 
> The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware.
> 
> user at host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt
> Volatility Foundation Volatility Framework 2.4
> Traceback (most recent call last):
>  File "/usr/local/bin/vol.py", line 192, in <module>
>    main()
>  File "/usr/local/bin/vol.py", line 183, in main
>    command.execute()
>  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute
>    func(outfd, data)
>  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text
>    str(task.ExitTime or ''),
>  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row
>    outfd.write(self.tablesep.join(reslist) + "\n")
> IOError: [Errno 22] Invalid argument
> 
> Thanks for any help.
> 
> Sean McLinden
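
One way to carry out the check suggested in the reply, as an added shell example that is not part of the original thread: hash the image several times through the shared folder to see whether reads are consistent, then copy it to local disk and confirm the copy matches. The function names `hash_of`, `stable_read` and `copy_verified` are hypothetical helpers, and `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an image reads consistently
# from a shared folder, then copy it locally and confirm the copy matches.

# Print only the SHA-256 digest of a file; prints nothing if it cannot be read.
hash_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Hash the file $2 times (default 3). Succeed and print the digest only if
# every read produced the same digest. Returns 1 on mismatch, 2 on read error.
stable_read() {
    file=$1; runs=${2:-3}
    first=$(hash_of "$file")
    [ -n "$first" ] || return 2
    i=1
    while [ "$i" -lt "$runs" ]; do
        next=$(hash_of "$file")
        if [ "$next" != "$first" ]; then
            echo "inconsistent read of $file: $first vs $next" >&2
            return 1
        fi
        i=$((i + 1))
    done
    echo "$first"
}

# Copy $1 into local directory $2 and verify the copy against the source digest.
# Prints the path of the verified local copy.
copy_verified() {
    src=$1; destdir=$2
    src_hash=$(stable_read "$src") || return 1
    mkdir -p "$destdir" || return 2
    dest=$destdir/$(basename "$src")
    cp -- "$src" "$dest" || return 2
    dest_hash=$(hash_of "$dest")
    if [ "$dest_hash" != "$src_hash" ]; then
        echo "copy mismatch: $src_hash vs $dest_hash" >&2
        return 1
    fi
    echo "$dest"
}
```

Call `copy_verified` with the image path under /mnt/hgfs and a local directory, then run `vol.py -f` against the path it prints. Working from the local directory also keeps the redirected pslist.txt off the shared folder; the traceback above ends in `outfd.write`, and that output was being written under /mnt/hgfs.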
