Support for Windows 10 build 19041
I am using Windows 10 build 19041. I read a couple of issues and found that this version of Windows is not officially supported with Volatility 2.6.1. I lack the ability to create a profile myself. (I can only do a few commands.) I've tried this script as well, https://github.com/volatilityfoundation/volatility3/blob/master/volatility/framework/symbols/windows/pdbconv.py, and got the following error:
PS C:\Users\_\Desktop> python2 pdbconv.py
File "pdbconv.py", line 260
context: interfaces.context.ContextInterface,
^
SyntaxError: invalid syntax
Here is the exact error I got when trying to do a memdump.
PS C:\Python27\Lib\site-packages\volatility-2.6.1-py2.7.egg\EGG-INFO\scripts> python2 vol.py --profile=Win10x64 memdump -D dll -f 20200608.mem -p 37036
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
QemuCoreDumpElf: No base Address Space
VMWareAddressSpace: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
QemuCoreDumpElf: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: No valid DTB found
WindowsAMD64PagedMemory: No valid DTB found
LinuxAMD64PagedMemory: Incompatible profile Win10x64 selected
AMD64PagedMemory: No valid DTB found
IA32PagedMemoryPae: Incompatible profile Win10x64 selected
IA32PagedMemory: Incompatible profile Win10x64 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
I have also tried Volatility 3 but couldn't figure out an equivalent of memdump in Volatility 3.
Hello,
Volatility does support that version. Try using --profile=Win10x64_18362 and see if you get better results. Also, how was memory acquired?
@atcuno I use Belkasoft Live RAM Capturer.
PS C:\Python27\Lib\site-packages\volatility-2.6.1-py2.7.egg\EGG-INFO\scripts> python2 vol.py --profile=Win10x64_18362 memdump -D dll -f 20200608.mem -p 37036
Volatility Foundation Volatility Framework 2.6.1
ERROR : volatility.debug : Invalid profile Win10x64_18362 selected
Are you on the latest github checkout? That profile has been included for quite a while now.
@atcuno Yes, 2.6.1. I just cloned the GitHub page again. It says it is incompatible.
PS C:\Python27\Lib\site-packages\volatility-2.6.1-py2.7.egg\EGG-INFO\scripts> python2 vol.py --profile=Win10x64_18362 memdump -D dll -f 20200614.mem -p 28948
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
VMWareMetaAddressSpace: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
SkipDuplicatesAMD64PagedMemory: No base Address Space
WindowsAMD64PagedMemory: No base Address Space
LinuxAMD64PagedMemory: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
SkipDuplicatesAMD64PagedMemory: No valid DTB found
WindowsAMD64PagedMemory: No valid DTB found
LinuxAMD64PagedMemory: Incompatible profile Win10x64_18362 selected
AMD64PagedMemory: No valid DTB found
IA32PagedMemoryPae: Incompatible profile Win10x64_18362 selected
IA32PagedMemory: Incompatible profile Win10x64_18362 selected
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
bump
I am having the exact same issue. Tried the alternate profile, still with no success. Even tried it with different RAM capture tools (DumpIt, Belkasoft, Magnet RAM Capture, FTK Imager) and the same issue still persists with all plugins I try.
Also attempted them in Volatility 3 and it recognises the Windows version but still cannot run the plugins successfully.
BUMP: Same issue here with the same Windows 10 version.
In my somewhat limited experience, Volatility struggles with Win 10 profiles. I have had very little success in parsing them. sadface