Eve
I would start by just using the memdump, and then assuming that works you can add the page file later as needed. You'll know you need it if you get...
To use a page file along with a memory dump you can pass them to vol with the `--single-swap-locations` parameter on the command line. If there is more than one...
Try changing your command line to `python vol.py -vvvvvvv -f "memdump.mem" --single-swap-locations "pagefile.sys" windows.info` If the data you've seen isn't from an active process (or one that's finished but still...
Re your question about offsets. Likely the easiest way is using volshell. In volshell you can use the translate function on a layer and it will show you the address...
Just a thought: If it's an MFT record that is in memory that you're looking at, the offsets in the MFT record would be referring to the hard drive rather...
Hello, I don't think there is a way to download all the ISF files from https://isf-server.techanarchy.net/ at once. However really most of them will be useless to you. You require...
Re this sample in particular: The banners plugin should show you the version of Linux you're looking for. Here is an example, you can see it's a 3.2 Linux kernel....
I think you should be able to use the file directly from the virtual box export without having to extract out the raw parts manually. Try that and see if...
Hello @infinitebugs32 - did you manage to get your virtual box memory dump working?
Hello all, I remember looking into this a while ago while trying to make a generic strings plugin and a linux version. I haven't quite finished, but I did come...