Andrew Case

Results 84 comments of Andrew Case

Hello, Volatility does support that version. Try using --profile=Win10x64_18362 and see if you get better results. Also, how was memory acquired?

Are you on the latest github checkout? That profile has been included for quite a while now.

It appears that you created a profile for a different kernel than the one used to acquire with lime. You have: `insmod lime-5.3.0-53-generic.ko "path=/home/anhtm/linux64.mem format=lime"` and then: `zip volatility/plugins/overlays/linux/Ubuntu_5.3.0-51-generic_profile.zip tools/linux/module.dwarf...`

Looking at:

```
PsActiveProcessHead : 0xfffff8050ac38b60 (1 processes)
PsLoadedModuleList : 0xfffff8050ac48170 (1 modules)
```

it appears that the linked list of modules and processes each only have 1 process found....

These plugins are not fully up to date with the latest operating system versions and would require a good bit of new research to accomplish that. It is on our...

1) How was memory acquired? 2) If you just want the profile name to use, try using kdbgscan instead. imageinfo runs about 7 plugins, including kdbgscan, to generate its output.

@fpusersuggest if the error you received was a large backtrace related to address spaces, then you likely have the wrong profile. Volatility took this long to backtrace as it was...

Are you still unable to create a profile?

With the exception of old systems with FireWire and no DMA protection, Volatility is a tool for analysis only. Can you please list the following: 1) The OS version of...

Hey, there is not currently a plugin that does this, but you could make a new one that covered it. The strings plugin is able to map physical addresses to...