I have Windows 7 x64 with 8 GB of memory. After I used DumpIt, I got a memory dump file, 123.dmp. Then I ran volatility -f 123.dmp -pslist, and it gave me the error below. Does anyone know how to correct it?
Alignment of WindowsCrashDumpSpace64 is too small
No suitable address space mapping found
Tried to open image as
MachOAddressSpace mac need base
LimeAddressSpace lime need base
WindowsHiberFileSpace32 No base Address Space
WindowsCrashDumpSpace64 No base Address Space
HPAKAddressSpace No base Address Space
VirtualBoxCoreDumpElf64 No base Address Space
VMWareSnapshotFile No base Address Space
WindowsCrashDumpSpace32 No base Address Space
AMD64PagedMemory No base Address Space
IA32PagedMemoryPae No base Address Space
IA32PagedMemory No base Address Space
MachOAddressSpace MachO Header signature invalid
LimeAddressSpace Invalid Lime header signature
WindowsHiberFileSpace32 No xpress signature found
MachOAddressSpace - EXCEPTION integer division or modulo by zero
LimeAddressSpace - EXCEPTION integer division or modulo by zero
WindowsHiberFileSpace32 - EXCEPTION integer division or modulo by zero
WindowsCrashDumpSpace64 - EXCEPTION integer division or modulo by zero
HPAKAddressSpace Invalid magic found
Not 100% sure, but based on the command you posted, you haven't given it a profile.
First run python vol.py -f image imageinfo
and then, since it's Win7, you're probably going to be using this profile:
python vol.py -f image --profile=Win7SP1x64 pslist
And in general, you have an idea of what operating system is in use on the system you are investigating, even without running imageinfo.
Hi,
I'm not sure, but I think 'DumpIt' can only dump a maximum of 4 GB of RAM.
Try 'Belkasoft Live RAM Capturer'; it is a free tool and can dump more than 4 GB of memory.
I tried Belka and it didn't even work properly. I looked around for updates, but the version I got from their website was the latest release.
If you use the >64-bit< version (!) of Dumpit, it will grab > 4 GB memory space.
try
https://
And in general, you have an idea of what operating system is in use on the system you are investigating, even without running imageinfo.
Yeah, much quicker to query the registry prior, especially when dealing with Win10, since imageinfo can take a while.
DumpIt can dump more than 4 GB memory.
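An added example, not part of any post in this thread: the error output above shows Volatility testing the file for known container headers, and the replies discuss whether the capture covered all 8 GB, so a quick pre-check of the image's leading magic bytes and file size is useful before running plugins. The function names, the size heuristics and the sample bytes are assumptions made for this illustration.

```python
import os
import tempfile

# Leading magic bytes of common memory-image containers.
MAGICS = [
    (b"PAGEDU64", "Windows crash dump (64-bit)"),
    (b"PAGEDUMP", "Windows crash dump (32-bit)"),
    (b"EMiL", "LiME"),
    (b"HPAK", "HPAK"),
    (b"\x7fELF", "ELF core dump"),
    (b"hibr", "Windows hibernation file"),
]

def triage_image(path, expected_ram_bytes=None):
    """Return (format, size, warnings) for a memory image file."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(8)
    fmt = "raw or unknown (no known header)"
    for magic, name in MAGICS:
        if head.startswith(magic):
            fmt = name
            break
    warnings = []
    if size == 0:
        warnings.append("file is empty")
    elif size % 4096:
        # Heuristic: physical memory is captured in whole 4 KiB pages.
        warnings.append("size is not a multiple of the 4 KiB page size")
    if expected_ram_bytes and size < expected_ram_bytes:
        # Heuristic: a capture smaller than installed RAM may be truncated.
        warnings.append("image is smaller than installed RAM: %d < %d"
                        % (size, expected_ram_bytes))
    return fmt, size, warnings

def write_sample(data):
    """Write constructed bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dmp")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    # Constructed sample: a crash-dump signature plus padding, not a real dump.
    p = write_sample(b"PAGEDU64" + b"\x00" * 4088)
    print(triage_image(p, expected_ram_bytes=8 * 1024**3))
    os.remove(p)
```

A file with none of these headers is reported as raw or unknown; a raw image still needs a profile to be analysed, as the replies above describe.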