I've been using Volatility to try to carve out the addressable memory for an application from a memory dump, and I don't seem to be getting any output. Basically I'm trying to find data (text) that was available to a specific program (notepad).
The memory dump is from an XP SP2, and the PID of the process I am targeting is 4932 so I tried
> python.exe volatility memdmp -f memorydump.dd -p 4932
but I didn't get any output. It just chugged away for quite a while and then finished without giving any output at all.
I ran Strings against the dump as well, and was able to extract the text I am looking for, so I know it's in the dump file. This is just a test, not a real case, but I would like at the end of it all to be able to come up with a technique that will allow me to extract data such as chats from memory dumps.
Also, I'm using Python 2.5 and Volatility 1.3 (I had some problems with other combinations). FDPro was used for the memory dump.
Any suggestions?
The memdmp command shouldn't produce any output to stdout, but should write a file 4932.dmp containing the memory dump.
If this isn't working, get strings to report the byte offset into the file for the item you're interested in, then use memmap (-p 4932) to see if your process had that physical page mapped.
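A worked version of the check the answer describes, added here as an example and not code from the original thread or from Volatility itself. It assumes a raw dd-style image in which the file offset of a byte equals its physical address (which is what the "byte offset into the file" advice relies on), searches the image for the target text in both ASCII and UTF-16LE (Notepad keeps its edit buffer as UTF-16LE, so a plain ASCII strings run can miss it; GNU `strings -e l -t x` finds the same thing), and then checks each hit against a table of `virtual physical size` rows in the layout memmap prints. The header text and the three-column hex layout of the memmap rows, the sample image contents, and the function names are all constructed for this example.

```python
import re

PAGE_SIZE = 0x1000  # 4 KiB pages on x86 XP

# Constructed sample "dump": 5 pages of zeros with the target text planted
# once as UTF-16LE (how Notepad holds its buffer) and once as ASCII.
NEEDLE = "hello from notepad"


def build_sample_dump():
    buf = bytearray(0x5000)
    wide = NEEDLE.encode("utf-16-le")
    narrow = NEEDLE.encode("ascii")
    buf[0x2345:0x2345 + len(wide)] = wide      # lands in physical page 0x2000
    buf[0x4100:0x4100 + len(narrow)] = narrow  # lands in physical page 0x4000
    return bytes(buf)


# Constructed memmap-style output for one process (assumed column layout:
# virtual address, physical address, size; values in hex).
SAMPLE_MEMMAP = """\
Virtual    Physical   Size
0x00400000 0x00002000 0x00001000
0x7ffd0000 0x00003000 0x00001000
"""

SAMPLE_DUMP = build_sample_dump()


def find_string_offsets(dump, needle):
    """Return sorted (file_offset, encoding) pairs for every ASCII and
    UTF-16LE occurrence of needle in the raw image."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        pat = needle.encode(enc)
        start = 0
        while True:
            i = dump.find(pat, start)
            if i < 0:
                break
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


def parse_memmap(text):
    """Parse 'virt phys size' hex rows into (virt, phys, size) tuples,
    skipping the header and anything that does not look like a row."""
    row = re.compile(r"^\s*0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+)\s+0x([0-9a-fA-F]+)\s*$")
    entries = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            entries.append(tuple(int(x, 16) for x in m.groups()))
    return entries


def mappings_containing(entries, phys_offset):
    """Entries whose physical range [phys, phys+size) covers phys_offset."""
    return [e for e in entries if e[1] <= phys_offset < e[1] + e[2]]


def locate(dump, memmap_text, needle):
    """For each hit: which physical page it sits in, whether the process
    had that page mapped, and the virtual address(es) it was visible at."""
    entries = parse_memmap(memmap_text)
    results = []
    for off, enc in find_string_offsets(dump, needle):
        owners = mappings_containing(entries, off)
        results.append({
            "offset": off,
            "encoding": enc,
            "page": off & ~(PAGE_SIZE - 1),
            "mapped": bool(owners),
            "virtual": [virt + (off - phys) for virt, phys, _size in owners],
        })
    return results


if __name__ == "__main__":
    for r in locate(SAMPLE_DUMP, SAMPLE_MEMMAP, NEEDLE):
        print("offset 0x%08x (%s) page 0x%08x mapped=%s virtual=%s" % (
            r["offset"], r["encoding"], r["page"], r["mapped"],
            ["0x%08x" % v for v in r["virtual"]]))
```

A hit whose page is not in the process's memmap table is not evidence the process could address it; it may belong to another process, the file cache, or freed memory, so only the mapped hits support "this text was available to PID 4932". With a real image, replace `SAMPLE_DUMP` with the bytes of the dd file and `SAMPLE_MEMMAP` with the captured memmap output, adjusting the row regex if the column layout differs from the assumed one.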