
dumpit can't be analyzed in volatility framework

8 Posts
5 Users
0 Reactions
5,625 Views
(@jolintan)
Trusted Member
Joined: 7 years ago
Posts: 32
Topic starter  

I have Windows 7 x64 with 8 GB of memory. After I use DumpIt I get a memory dump file, 123.dmp; then I run volatility -f 123.dmp -pslist and it gives me the error below. Does anyone know how to correct this?

Alignment of WindowsCrashDumpSpace64 is too small
No suitable address space mapping found
Tried to open image as
MachOAddressSpace mac need base
LimeAddressSpace lime need base
WindowsHiberFileSpace32 No base Address Space
WindowsCrashDumpSpace64 No base Address Space
HPAKAddressSpace No base Address Space
VirtualBoxCoreDumpElf64 No base Address Space
VMWareSnapshotFile No base Address Space
WindowsCrashDumpSpace32 No base Address Space
AMD64PagedMemory No base Address Space
IA32PagedMemoryPae No base Address Space
IA32PagedMemory No base Address Space
MachOAddressSpace MachO Header signature invalid
LimeAddressSpace Invalid Lime header signature
WindowsHiberFileSpace32 No xpress signature found
MachOAddressSpace - EXCEPTION integer division or modulo by zero
LimeAddressSpace - EXCEPTION integer division or modulo by zero
WindowsHiberFileSpace32 - EXCEPTION integer division or modulo by zero
WindowsCrashDumpSpace64 - EXCEPTION integer division or modulo by zero
HPAKAddressSpace Invalid magic found


(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

Not 100% sure, but based on the command you posted, you haven't given it a profile.

First run python vol.py -f image imageinfo

and then since it's win7 you're probably going to be using this profile

python vol.py -f image --profile=Win7SP1x64 pslist


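The two-step workflow described above (run imageinfo, then feed its suggested profile to pslist), as an added shell example that is not part of the thread. It assumes Volatility 2's command-line syntax (vol.py -f <image> --profile=<profile> <plugin>) and an imageinfo output line of the form "Suggested Profile(s) : A, B, C"; the sample imageinfo output embedded in the script is constructed for illustration, and the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): take the first profile that Volatility 2's
# imageinfo suggests and build the follow-up pslist command from it.
# Assumptions: Volatility 2 syntax (vol.py -f <image> --profile=<p> <plugin>) and an
# imageinfo output line shaped like "Suggested Profile(s) : A, B, C".

# Constructed sample of imageinfo output (illustrative, not a real capture).
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/123.dmp)'

# first_suggested_profile: read imageinfo output on stdin and print the first
# suggested profile. Prints nothing and returns 1 when no profile line is present,
# which is what you get when the dump is not recognised as a Windows image at all
# (the "No suitable address space mapping found" situation from the first post).
first_suggested_profile() {
  sed -n 's/^[[:space:]]*Suggested Profile(s)[[:space:]]*:[[:space:]]*//p' \
    | head -n 1 \
    | cut -d, -f1 \
    | tr -d '[:space:]' \
    | grep .
}

# pslist_command: print the exact Volatility 2 invocation to run next.
# Note the double dash in --profile; a single dash or an en-dash is silently wrong.
pslist_command() {
  image="$1"
  profile="$2"
  printf 'python vol.py -f %s --profile=%s pslist\n' "$image" "$profile"
}

# analyze_dump: run imageinfo when vol.py is on PATH, otherwise fall back to the
# constructed sample so the flow can be followed offline. Stops with a message
# instead of running pslist against an undetermined profile.
analyze_dump() {
  image="$1"
  if command -v vol.py >/dev/null 2>&1; then
    info="$(vol.py -f "$image" imageinfo 2>/dev/null)"
  else
    info="$SAMPLE_IMAGEINFO"
  fi
  profile="$(printf '%s\n' "$info" | first_suggested_profile)" || {
    echo "no profile suggested for $image; dump not recognised as a Windows image" >&2
    return 1
  }
  pslist_command "$image" "$profile"
}
```

imageinfo lists profiles in the order it ranks them, so the first one is the usual starting point; if pslist then returns nothing or garbage, try the next profile in the list rather than assuming the dump is bad.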
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Not 100% sure, but based on the command you posted, you haven't given it a profile.

And in general, you have an idea what operating system is in use on the system you are investigating even without running imageinfo.


 Dimi
(@dimi)
Active Member
Joined: 8 years ago
Posts: 13
 

Hi,

I'm not sure, but I think 'DumpIt' can only dump a maximum of 4 GB of RAM.

Try 'Belkasoft Live RAM Capturer'; it is a free tool and can dump memory of more than 4 GB.


MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Hi,

I'm not sure, but I think 'DumpIt' can only dump a maximum of 4 GB of RAM.

Try 'Belkasoft Live RAM Capturer'; it is a free tool and can dump memory of more than 4 GB.

I tried Belka and it didn't even work properly; I looked around for updates, but the version I got from their website was the latest release.

If you use the >64-bit< version (!) of DumpIt, it will grab > 4 GB of memory space.


 Dimi
(@dimi)
Active Member
Joined: 8 years ago
Posts: 13
 

Try

https://www.magnetforensics.com/free-tool-magnet-ram-capture/


(@randomaccess)
Reputable Member
Joined: 14 years ago
Posts: 385
 

And in general, you have an idea what operating system is in use on the system you are investigating even without running imageinfo.

Yeah, it's much quicker to query the registry beforehand, especially when dealing with Win10, since imageinfo can take a while.


(@aquachimere)
Eminent Member
Joined: 7 years ago
Posts: 32
 

DumpIt can dump more than 4 GB memory.

