Doubt with volatility

Beleka
(@beleka)
Eminent Member
Joined: 8 years ago
Posts: 29
Topic starter  

Hello everyone, I dumped my RAM using bambiraptor (it uses Belkasoft Live RAM Capturer at low level to dump the memory) into a .dmp file. Now I want to analyze it with Volatility plugins, but everything fails: imageinfo, the KDBG command to search for the profile, etc. The dumped RAM is from a Windows 10 Creators version and I'm using the standalone_x64_2.6.exe Volatility version.

When I execute the command it shows "searching for profile ....." but it never gives back an answer. I hope you can help me.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Hello everyone, I dumped my RAM using bambiraptor (it uses Belkasoft Live RAM Capturer at low level to dump the memory) into a .dmp file. Now I want to analyze it with Volatility plugins, but everything fails: imageinfo, the KDBG command to search for the profile, etc. The dumped RAM is from a Windows 10 Creators version and I'm using the standalone_x64_2.6.exe Volatility version.

When I execute the command it shows "searching for profile ....." but it never gives back an answer. I hope you can help me.

It seems a similar issue to the one described here:
https://www.forensicfocus.com/Forums/viewtopic/t=15498/

The main issue should be related either to the dump format or to the correct profile (if available):
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

jaclaz


Beleka
(@beleka)
Eminent Member
Joined: 8 years ago
Posts: 29
Topic starter  

Thanks Jaclaz, I checked that post, but the problem there was that the winpmem execution was wrong in a Windows 10 environment. This time I'm using Belkasoft software, and I want to check the profile to create an automated method, so the profile can't be typed in by me manually; that isn't my target.

Thanks, and I hope you can help me more or give me another reference to find help.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Thanks Jaclaz, I checked that post, but the problem there was that the winpmem execution was wrong in a Windows 10 environment. This time I'm using Belkasoft software, and I want to check the profile to create an automated method, so the profile can't be typed in by me manually; that isn't my target.

Yes and no. 😯

Meaning that yes, strictly it was a winpmem peculiarity/bug/feature/whatever, but no, more broadly it was the capturing tool *somehow* making a dump in a format that Volatility could not understand.

And AmNe5iA (who is usually very accurate in his reports) stated how the same (bad) behaviour could be due to using an incorrect profile.

So, if I were you, I would try another tool to make the dump (if possible) and double check the profile.

Or make another dump of *any* machine, both with winpmem (with the "right" command) and with the tool you use, and compare the results in Volatility, again making sure to choose the appropriate profile.

jaclaz


(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

I had a similar issue with the standalone.
I downloaded the latest version off GitHub and ran it using Python. I don't think the standalone comes with all of the profiles.


Beleka
(@beleka)
Eminent Member
Joined: 8 years ago
Posts: 29
Topic starter  

I had a similar issue with the standalone.
I downloaded the latest version off GitHub and ran it using Python. I don't think the standalone comes with all of the profiles.

Yep randomaccess, that was the problem: I downloaded the branch from GitHub and used the right profile, and it worked. How much time does it take for you? Some plugins run really slowly on my memory dump to get data u.u, is that normal?
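
Beleka's goal earlier in the thread was an automated run where the profile is not typed in by hand, and the thread's resolution was to run the GitHub Volatility 2 tree under Python with the right profile. The following added example (not code from the thread or from the Volatility project) shows one way to do that: run imageinfo under a timeout so a KDBG search that never finishes cannot hang a pipeline, parse the "Suggested Profile(s)" line, and build the plugin command with the first suggestion (or a fallback you supply). The embedded imageinfo banner and the profile names in it are constructed sample data; `vol.py` and the Python 2 interpreter name are assumptions.

```python
import re
import subprocess
from typing import List, Optional

# Assumption: Volatility 2.x runs under a Python 2 interpreter named "python2".
PYTHON = "python2"

# Constructed sample of an imageinfo banner (python2 vol.py -f mem.dmp imageinfo).
# The profile names and the dump path are made up for this example.
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_15063, Win10x64_14393 (Instantiated with Win10x64_14393)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/mem.dmp)
"""


def suggested_profiles(imageinfo_output: str) -> List[str]:
    """Profiles imageinfo suggests, in its order; "(Instantiated with ...)" and
    the "No suggestion" placeholder are dropped so an empty list means 'unknown'."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(.*?\)", "", m.group(1))  # strip the parenthetical tail
    return [p.strip() for p in names.split(",")
            if p.strip() and p.strip() != "No suggestion"]


def choose_profile(imageinfo_output: Optional[str], fallback: Optional[str] = None) -> Optional[str]:
    """First suggested profile, else the caller's fallback (e.g. one picked from the
    2.6 Win Profiles wiki page for the known Windows build), else None."""
    profiles = suggested_profiles(imageinfo_output or "")
    return profiles[0] if profiles else fallback


def run_imageinfo(vol_py: str, dump: str, timeout_s: int = 900) -> Optional[str]:
    """Run imageinfo, but give up after timeout_s seconds instead of hanging forever
    on a KDBG search that never completes (the symptom described in the thread)."""
    try:
        proc = subprocess.run([PYTHON, vol_py, "-f", dump, "imageinfo"],
                              capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return None
    return proc.stdout


def plugin_command(vol_py: str, dump: str, profile: str, plugin: str) -> List[str]:
    """argv for running one plugin against the dump with an explicit profile."""
    return [PYTHON, vol_py, "-f", dump, "--profile=" + profile, plugin]


if __name__ == "__main__":
    out = run_imageinfo("vol.py", "/cases/mem.dmp")        # assumed paths
    profile = choose_profile(out, fallback="Win10x64_15063")  # fallback is a sample value
    if profile is None:
        raise SystemExit("imageinfo gave no profile and no fallback was set")
    print(subprocess.run(plugin_command("vol.py", "/cases/mem.dmp", profile, "pslist"),
                         capture_output=True, text=True).stdout)
```

If imageinfo times out or prints "No suggestion", the fallback profile is used, which is the case where the profile still has to come from knowing the Windows build of the captured machine.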

