
Volatility 2.6 hangs on imageinfo command Ubuntu 16.04

Open Gbengat opened this issue 8 years ago • 10 comments

I just installed volatility 2.6 on Ubuntu 16.04 64-Bit, created a profile, and did a memory dump with lime. On trying to analyze it I am trying to get info on suggested profiles. However, when I issue the imageinfo command, it doesn't go beyond the point in the image below, even after sitting for 2 hours. Is this a bug?

Gbengat avatar Apr 30 '17 20:04 Gbengat

The imageinfo plugin is only supposed to be used with Windows memory samples. Therefore it will not be useful to run on a Linux memory sample.

Try using the strings utility on Linux against the memory sample and grep for "BOOT_IMAGE" in order to get an idea of the profile:

$ strings -a Linux64.mem |grep BOOT_IMAGE

gleeda avatar May 11 '17 13:05 gleeda
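As an added illustration of the suggestion above (not part of the thread and not Volatility code): the bootloader's `BOOT_IMAGE=` kernel command-line entry names the kernel file that was booted, so the most frequent kernel release found after it indicates which kernel the Linux profile has to match. The sketch streams the image in chunks so large dumps are never loaded whole; the function name, the regular expressions and the `SAMPLE` bytes are constructed for this example.

```python
import io
import re
import sys
from collections import Counter

# The kernel command line stays in RAM of the running system, e.g.
# BOOT_IMAGE=/boot/vmlinuz-4.4.0-75-generic root=... ro quiet
BOOT_RE = re.compile(rb"BOOT_IMAGE=([\x21-\x7e]{1,255})")
KVER_RE = re.compile(rb"vmlinuz-([0-9][0-9A-Za-z.+_~-]*)")
MAX_MATCH = len(b"BOOT_IMAGE=") + 255


def boot_image_candidates(stream, chunk_size=16 << 20):
    """Return [(kernel_release, hits), ...] for a raw image, most frequent first."""
    counts = Counter()
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        final = not chunk
        buf += chunk
        # Hold back the last MAX_MATCH bytes so a string split across two
        # reads is matched once, in full, on a later pass.
        limit = len(buf) if final else max(len(buf) - MAX_MATCH, 0)
        for m in BOOT_RE.finditer(buf):
            if m.start() >= limit:
                break
            kver = KVER_RE.search(m.group(1))
            # Fall back to the raw path if it is not named vmlinuz-<release>.
            counts[(kver.group(1) if kver else m.group(1)).decode("ascii")] += 1
        if final:
            return counts.most_common()
        buf = buf[limit:]


SAMPLE = (  # constructed bytes standing in for a LiME dump
    b"\x00" * 300
    + b"BOOT_IMAGE=/boot/vmlinuz-4.4.0-75-generic root=UUID=0000 ro quiet\x00"
    + b"\xff" * 200
    + b"BOOT_IMAGE=/vmlinuz-4.4.0-75-generic ro\n"
    + b"\x00" * 100
    + b"BOOT_IMAGE=/boot/vmlinuz-4.4.0-21-generic ro\x00"
)

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE)
    for release, hits in boot_image_candidates(src):
        print(f"{hits:6d}  {release}")
```

Run with the image path as the only argument; without one it scans the constructed sample.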

Dear @gleeda, can you please explain to me in detail how exactly this command, $ strings -a Linux64.mem |grep BOOT_IMAGE, helps me to find the suggested profile for a Linux memory sample?

AnkitKundariya avatar May 12 '17 05:05 AnkitKundariya

I am having the same issue, only I know my image is a windows server 2012 image, which is compatible with volatility because I ran: volatility --info and windows server 2012 is listed as one of the compatible samples. Here is a screenshot of what I am seeing:

image

tommyob avatar Dec 03 '18 00:12 tommyob

I'm having the same issue, Windows 10 Version 10.0.17134.858. Program hangs up on imageinfo. 2019-07-08

gaterunner341 avatar Jul 08 '19 06:07 gaterunner341

@gaterunner341 I too got the same issue after volatility updated to 2.6. The profile option takes the build number of Windows 10, so run vol.exe --info | more. In the output you can see some Windows 10 profiles; in your case it looks like Win10x64_17134, so provide --profile=Win10x64_17134. If it doesn't work, then try one of the profiles instead of running imageinfo. If the suspect Windows machine is available to you, then in Run type "winver"; there you can see the Windows 10 build number.

cvnikhil000 avatar Oct 22 '19 13:10 cvnikhil000

Sadly, I am also having the same issue using the latest SIFT-Workstation...with Rekall no longer being dev'ed and now this not working...I'm running out of options.

jklipsch avatar Nov 01 '20 02:11 jklipsch

@gaterunner341 I would suggest kdbgscan instead of imageinfo. Also, if you know the profile already, what are you looking to gain from imageinfo?

atcuno avatar Nov 02 '20 15:11 atcuno

> Sadly, I am also having the same issue using the latest SIFT-Workstation...with Rekall no longer being dev'ed and now this not working...I'm running out of options.

What is the OS version of the sample you are running imageinfo against? And how was the memory acquired?

atcuno avatar Nov 02 '20 15:11 atcuno

I'm having the same issue on any Windows 10 RAM image with size > 10 Gb. imageinfo never completes

nikitso avatar Aug 22 '22 20:08 nikitso

I am having the same issue. I'm using volatility 2.6 standalone for Windows, and it is taking too much time when I use the imageinfo plugin against a RAM dump (.mem image) of 64GBs. Even now it has been a whole day and it is still stuck there.

someone help me please...


muteebarmaghan avatar Dec 11 '22 07:12 muteebarmaghan