billuk21

Results 11 comments of billuk21

Wow, thanks for your prompt response. The LSAdump plugin doesn't work as well and it prints the same error. Could it be that it's an issue of permissions when executing...

So, I ran both of them - **registry hives command:** vol.py -f memdump_DESKTOP-GBG3PHC.mem windows.registry.hivelist **result:** Offset FileFullPath File output 0xe10c7e80e000 Disabled 0xe10c7e848000 \REGISTRY\MACHINE\SYSTEM Disabled 0xe10c7e8a8000 \REGISTRY\MACHINE\HARDWARE Disabled 0xe10c81366000 \SystemRoot\System32\Config\SOFTWARE Disabled...

C:\Users\bill\Desktop\volatility3>vol.py -f memdump_DESKTOP-GBG3PHC.mem windows.registry.printkey --key PolEKList | findstr /i 0xe10c7e9bc000 - 0xe10c7e9bc000 Key ?\PolEKList - - C:\Users\bill\Desktop\volatility3>vol.py -f memdump_DESKTOP-GBG3PHC.mem windows.registry.printkey --key PolSecretEncryptionKey | findstr /i 0xe10c7e9bc000 - 0xe10c7e9bc000 Key ?\PolSecretEncryptionKey...

So it means the memory capture didn't include that? If so, do I really need to do a re-acquisition of the memory dump?

By the way, I tried to use a memory dump from a CTF called OtterCTF and the plugin worked successfully - the memory dump was from a Windows 7 machine)...

I can provide it, it's pretty big (25 GB). I will try to decompress it? What is your plan? How would you approach it?

Thanks for the prompt response, can you elaborate on how you would extract the raw memory? Would you do it by using a specific tool?

Yes, I did it using the Hibernation recon tool and it extracted the bin file, will send the errors that I am getting when loading it to Volatility.

Hey, sorry for the delay - here is the command and the output: **_command:_** vol.py -vvv -f G:\ActiveMemory.bin windows.registry.hivelist **_Output:_** Volatility 3 Framework 2.0.2 INFO volatility3.cli: Volatility plugins path: ['C:\\Users\\bill\\Desktop\\volatility3\\volatility3\\plugins',...

When running the same command on a memory dump (acquired by FTK_imager and not a hiberfil.sys file) you can see that it works well. **command:** vol.py -f F:\memdump_windows1064_connected_To_the_domain.mem windows.registry.hivelist **Output:** Volatility...