Volatility Issue with a VMEM file

4 Posts
2 Users
0 Reactions
2,775 Views
(@gilly_uk)
Eminent Member
Joined: 13 years ago
Posts: 23
Topic starter  

I have a virtual machine that I use to investigate suspected malicious files. Today I managed to infect my test bed to examine the activity of the malware.

My next step was to analyse memory for any activity within that. My idea was to simply suspend the VM and copy the .vmem file across to my SIFT forensic VM and use Volatility against it.

When I run volume.py -f image.vmem imageinfo, it returns a potential profile of Win7SP1x64 and a few others. I then try using pstree, pslist etc. against the image using one of the above identified images, but Volatility immediately throws an attribute error and tells me to run a KDBG scan to detect the appropriate profile.

I cannot for the life of me figure out what is going wrong. Has anyone experienced this with vmem files?

My last resort is to do a memory dump but was kinda hoping the suspended memory file would have worked.

Regards
Andy
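The step the AttributeError is pointing at, made concrete. This is an added example, not code from the thread or from the Volatility project: it parses the output of a Volatility 2.x "kdbgscan" run, discards hits whose process and module lists walk to nothing, prefers a hit whose profile imageinfo also suggested, and builds the pslist command with that profile and KDBG offset pinned. The kdbgscan text below is constructed in the shape Volatility 2.x prints (not a real capture), and the helper names parse_kdbgscan, choose_profile and vol_command are my own. On a real image the input would be the captured stdout of "vol.py -f image.vmem kdbgscan".

```python
import re
import shlex

# Constructed sample in the shape of Volatility 2.x "kdbgscan" output (not a
# real capture). The first hit instantiates under a candidate profile but its
# process/module lists do not walk; the second is the hit you actually want.
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf80002c4f0a0
Offset (P)                    : 0x2c4f0a0
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002c85b90 (0 processes)
PsLoadedModuleList            : 0xfffff80002ca3e90 (0 modules)
KernelBase                    : 0xfffff80002a0e000
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002c4f0a0
Offset (P)                    : 0x2c4f0a0
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17514.amd64fre.win7sp1_rtm.
PsActiveProcessHead           : 0xfffff80002c85b90 (41 processes)
PsLoadedModuleList            : 0xfffff80002ca3e90 (139 modules)
KernelBase                    : 0xfffff80002a0e000
"""

HIT_RE = re.compile(r"^Instantiating KDBG using: Kernel AS (\S+)")
FIELD_RE = re.compile(r"^(\S.*?)\s*:\s*(.*)$")
COUNT_RE = re.compile(r"\((\d+) (?:processes|modules)\)")


def parse_kdbgscan(text):
    """Split kdbgscan stdout into one dict per KDBG hit, keyed by field name."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append({"profile": m.group(1)})
            continue
        if not hits:
            continue  # banner text before the first hit
        m = FIELD_RE.match(line)
        if m:
            hits[-1][m.group(1)] = m.group(2)
    return hits


def _count(hit, field):
    """Number of entries kdbgscan reports for a list head, 0 if it did not walk."""
    m = COUNT_RE.search(hit.get(field, ""))
    return int(m.group(1)) if m else 0


def choose_profile(hits, suggested=()):
    """Pick the hit to pin: both lists must walk; prefer a profile imageinfo
    also suggested, then the hit that enumerates the most processes."""
    usable = [h for h in hits
              if _count(h, "PsActiveProcessHead") > 0
              and _count(h, "PsLoadedModuleList") > 0]
    if not usable:
        return None
    usable.sort(key=lambda h: (h["profile"] in suggested,
                               _count(h, "PsActiveProcessHead")),
                reverse=True)
    return usable[0]


def vol_command(image, hit, plugin="pslist"):
    """Build the Volatility 2.x command with profile and KDBG offset fixed,
    so the plugin does not have to rediscover (or fail to find) the KDBG."""
    argv = ["vol.py", "-f", image,
            "--profile=" + hit["profile"],
            "--kdbg=" + hit["Offset (V)"],
            plugin]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    hits = parse_kdbgscan(SAMPLE_KDBGSCAN)
    best = choose_profile(hits, suggested=("Win7SP1x64", "Win7SP0x64"))
    print(vol_command("image.vmem", best))
```

A KDBG hit with zero processes and zero modules is the usual sign that the profile used to interpret it is wrong, which is also why pslist under that profile dies instead of returning an empty list. Pinning --kdbg to the virtual offset of the good hit saves Volatility rescanning the image on every plugin run.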


   
Quote
(@carlpulley)
New Member
Joined: 12 years ago
Posts: 1
 

It would help if you could post the version of volatility that you are using.

If you're using the SVN version, then use 'svn info'. Otherwise the following should be good enough: 'vol.py -h'.

It may well be that you're using an old version of Volatility (I'm unsure which version is bundled in SIFT). You might be able to update this by running 'svn update' in the relevant Volatility source code directory.

I was also a little confused, I've always used 'vol.py' (or 'python vol.py' if I've not installed the code) to run Volatility, but perhaps this was just a typo in the original post or is a SIFT thing?

You can certainly collect memory samples in the manner you are describing. This is something I've done in the past, and a good number of the Malware Analyst's Cookbook samples have also been collected in this way.

BTW, you might also find it productive to post your query to the volatility users list?


   
ReplyQuote
(@gilly_uk)
Eminent Member
Joined: 13 years ago
Posts: 23
Topic starter  

Thanks for the reply. I'm using v2.2. I will post in that forum as well, but will wait until tomorrow and post the full error message.


   
ReplyQuote
(@gilly_uk)
Eminent Member
Joined: 13 years ago
Posts: 23
Topic starter  

Well, my resolution was to create a memory dump from within the virtual machine. I have a feeling that Volatility might not support VMware 8 vmem files, but will need to talk to the developers.


   
ReplyQuote
Share: