When I run "volatility -f MyImageName.mem kdbgscan", the results include multiple OS Profile suggestions. Each Profile lists "Instantiating KDBG using:". I do not see anything that identifies the correct Profile to include in the commands that require a specific Profile name. Thank you.
SteveAreno
Hi,
Normally you have to choose the first profile given by the command imageinfo or kdbgscan.
Hi,
you can also try Volatility 3 which is in my experience way more precise than Vol2 when it comes to determining the correct profile (windows.info plugin, Major/Minor line, the second number is the RTM build version).
As an alternative you can do the same with Trufflepig Nexus (demo version for up to 5 GiB images), just analyze the image and take a look at "System Information".
Cheers
Chris
That sounds logical; I will compare the first two values using different .mem files. Thank you.
On my Ubuntu 20.04 PC, I used "apt-get install volatility." I downloaded Volatility 3 and will try to install it when I am at that PC. Thank you.