
dumpit can't be analyzed in volatility framework

8 Posts
5 Users
0 Likes
4,589 Views
(@jolintan)
Posts: 32
Trusted Member
Topic starter
 

I have Windows 7 x64, 8G memory. After I use DumpIt, I get a memory dump file 123.dmp, then I use volatility -f 123.dmp -pslist, it gives me the error below. Anyone know how to correct it?

Alignment of WindowsCrashDumpSpace64 is too small
No suitable address space mapping found
Tried to open image as
MachOAddressSpace mac need base
LimeAddressSpace lime need base
WindowsHiberFileSpace32 No base Address Space
WindowsCrashDumpSpace64 No base Address Space
HPAKAddressSpace No base Address Space
VirtualBoxCoreDumpElf64 No base Address Space
VMWareSnapshotFile No base Address Space
WindowsCrashDumpSpace32 No base Address Space
AMD64PagedMemory No base Address Space
IA32PagedMemoryPae No base Address Space
IA32PagedMemory No base Address Space
MachOAddressSpace MachO Header signature invalid
LimeAddressSpace Invalid Lime header signature
WindowsHiberFileSpace32 No xpress signature found
MachOAddressSpace - EXCEPTION integer division or modulo by zero
LimeAddressSpace - EXCEPTION integer division or modulo by zero
WindowsHiberFileSpace32 - EXCEPTION integer division or modulo by zero
WindowsCrashDumpSpace64 - EXCEPTION integer division or modulo by zero
HPAKAddressSpace Invalid magic found

 
Posted : 15/09/2018 8:19 am
(@randomaccess)
Posts: 385
Reputable Member
 

Not 100% sure, but based on the command you posted, you haven't given it a profile

First run python vol.py -f image imageinfo

and then since it's win7 you're probably going to be using this profile

python vol.py -f image --profile=Win7SP1x64 pslist

 
Posted : 15/09/2018 9:00 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Not 100% sure, but based on the command you posted, you haven't given it a profile

And in general, you have an idea what operating system is in use on the system you are investigating even without running imageinfo.

 
Posted : 15/09/2018 10:27 am
Dimi
(@dimi)
Posts: 13
Active Member
 

Hi,

I'm not sure, but I think 'DumpIt' can only dump a maximum of 4Gb of RAM.

Try 'Belkasoft Live RAM Capturer', it is a free tool and can dump memory above 4Gb.

 
Posted : 15/09/2018 4:48 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Hi,

I'm not sure, but I think 'DumpIt' can only dump a maximum of 4Gb of RAM.

Try 'Belkasoft Live RAM Capturer', it is a free tool and can dump memory above 4Gb.

I tried Belka and it didn't even work properly. I looked around for updates, but the version I got from their website was the latest release.

If you use the >64-bit< version (!) of Dumpit, it will grab > 4 GB memory space.

 
Posted : 15/09/2018 8:36 pm
Dimi
(@dimi)
Posts: 13
Active Member
 

try

https://www.magnetforensics.com/free-tool-magnet-ram-capture/

 
Posted : 15/09/2018 9:44 pm
(@randomaccess)
Posts: 385
Reputable Member
 

And in general, you have an idea what operating system is in use on the system you are investigating even without running imageinfo.

Yeah much quicker to query the registry prior, especially when dealing with win10 since imageinfo can take a while

 
Posted : 15/09/2018 10:42 pm
(@aquachimere)
Posts: 32
Eminent Member
 

DumpIt can dump more than 4 GB memory.

 
Posted : 21/09/2018 12:15 pm
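Two things this thread circles around are what container the 123.dmp file actually is (the error names WindowsCrashDumpSpace64, which expects a Microsoft crash-dump header) and whether the capture covered all 8 GB. The following is an added example, not code from the thread or from the Volatility or DumpIt projects: it sniffs the first bytes of an image and applies a rough size check; the signature values come from the public crash-dump and hiberfil formats, the 90% threshold is an assumption, and the sample bytes are constructed.

```python
import os

# Container signatures at offset 0 (public crash-dump / hiberfil formats,
# not from the thread): 32-bit crash dump "PAGEDUMP", 64-bit crash dump
# "PAGEDU64", hibernation file "hibr"/"HIBR".
CRASH_SIG_32 = b"PAGEDUMP"
CRASH_SIG_64 = b"PAGEDU64"
HIBER_SIG = b"hibr"

def classify_dump(header: bytes) -> str:
    """Coarse container type from the first 8 bytes of a memory image.

    crashdump64 / crashdump32 -> Microsoft crash dump (the format
    Volatility's WindowsCrashDumpSpace64/32 expect), hiberfil ->
    hibernation file, raw -> no container header, i.e. a flat
    physical-memory image.
    """
    if header.startswith(CRASH_SIG_64):
        return "crashdump64"
    if header.startswith(CRASH_SIG_32):
        return "crashdump32"
    if header[:4].lower() == HIBER_SIG:
        return "hiberfil"
    return "raw"

def looks_truncated(size_bytes: int, installed_ram_gb: int) -> bool:
    """Rough sanity check for the 4 GB question raised in the thread.

    A full capture of a machine with N GB of RAM is normally close to or
    larger than N GiB (the physical address space has holes above what is
    installed). A file well under that, e.g. 4 GiB for an 8 GB box, suggests
    the capture stopped early or a 32-bit tool was used. The 90% threshold
    is an assumption, not a rule of the format.
    """
    return size_bytes < 0.9 * installed_ram_gb * 2**30

def inspect_image(path: str, installed_ram_gb: int) -> dict:
    """Read header and size of an image on disk and report both checks."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    size = os.path.getsize(path)
    return {
        "container": classify_dump(header),
        "size_bytes": size,
        "possibly_truncated": looks_truncated(size, installed_ram_gb),
    }

if __name__ == "__main__":
    # Constructed sample: a fake 64-bit crash-dump header, not a real image.
    sample = CRASH_SIG_64 + b"\x00" * 8
    print(classify_dump(sample), looks_truncated(4 * 2**30, 8))
```

Whatever the container turns out to be, Volatility 2 still needs the explicit --profile the replies above point to; the header check only tells you which address space should be matching.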