[Vol-users] Error with 2.4 Debian Wheezy

Sean McLinden mclinden at informed.net
Sat Sep 27 06:59:23 CDT 2014

It turns out that it was an error with the memory allocated to the VM.

I had allocated 2G (the VMware default was 512M) and the memory image was almost 4G. When I increased the VM RAM to 8G everything worked.

Lucky my host has 64G RAM!


----- Original Message -----
From: "Michael Ligh" <michael.ligh at mnin.org>
To: "Sean McLinden" <mclinden at informed.net>
Cc: "Volatility Users" <vol-users at volatilityfoundation.org>
Sent: Friday, September 26, 2014 11:16:20 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Vol-users] Error with 2.4 Debian Wheezy

Hi Sean, 

It seems very strange that you’d get a different number of processes with each run. Coupled with the IOError and the path being /mnt/hgfs (VMware host to guest), I would try to first rule out something weird with VMware Tools data transfer. Can you copy the memory dump into your virtual machine and run Volatility against the local file? 


Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com

On Sep 25, 2014, at 8:57 AM, Sean McLinden <mclinden at informed.net> wrote:

> I just built a VM with Debian (I needed to install other packages) and when I run this on a memory image I get the following (after about 10 minutes). The pslist.txt file is partially populated, though how far it gets differs with each run.
> The box is Windows 7 Enterprise SP 1. The image was acquired using FTK. The box is believed to be infected with malware.
> user at host:/mnt/hgfs/288A-LV-2810395/Workspace/QJK1/memory# vol.py pslist > pslist.txt
> Volatility Foundation Volatility Framework 2.4
> Traceback (most recent call last):
>  File "/usr/local/bin/vol.py", line 192, in <module>
>    main()
>  File "/usr/local/bin/vol.py", line 183, in main
>    command.execute()
>  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 127, in execute
>    func(outfd, data)
>  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/taskmods.py", line 178, in render_text
>    str(task.ExitTime or ''),
>  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 219, in table_row
>    outfd.write(self.tablesep.join(reslist) + "\n")
> IOError: [Errno 22] Invalid argument
> Thanks for any help.
> Sean McLinden

