Cannot Detect Win10x64_15063 Crash Dump
I have a memory.dmp file that's a little over 6GB in size & when trying to run crashinfo or verinfo, Volatility doesn't recognize the profile or crash dump space.
output for crashinfo:

    ERROR : volatility.debug : Memory Image could not be identified as ['WindowsCrashDumpSpace32', 'WindowsCrashDumpSpace64', 'WindowsCrashDumpSpace64BitMap']

output for verinfo:

    No suitable address space mapping found
    Tried to open image as:
    MachOAddressSpace: mac: need base
    LimeAddressSpace: lime: need base
    WindowsHiberFileSpace32: No base Address Space
    WindowsCrashDumpSpace64BitMap: No base Address Space
    VMWareMetaAddressSpace: No base Address Space
    WindowsCrashDumpSpace64: No base Address Space
    HPAKAddressSpace: No base Address Space
    VirtualBoxCoreDumpElf64: No base Address Space
    QemuCoreDumpElf: No base Address Space
    VMWareAddressSpace: No base Address Space
    WindowsCrashDumpSpace32: No base Address Space
    SkipDuplicatesAMD64PagedMemory: No base Address Space
    WindowsAMD64PagedMemory: No base Address Space
    LinuxAMD64PagedMemory: No base Address Space
    AMD64PagedMemory: No base Address Space
    IA32PagedMemoryPae: No base Address Space
    IA32PagedMemory: No base Address Space
    OSXPmemELF: No base Address Space
    MachOAddressSpace: MachO Header signature invalid
    LimeAddressSpace: Invalid Lime header signature
    WindowsHiberFileSpace32: No xpress signature found
    WindowsCrashDumpSpace64BitMap: Unsupported dump format
    VMWareMetaAddressSpace: VMware metadata file is not available
    WindowsCrashDumpSpace64: Unsupported dump format
    HPAKAddressSpace: Invalid magic found
    VirtualBoxCoreDumpElf64: ELF Header signature invalid
    QemuCoreDumpElf: ELF Header signature invalid
    VMWareAddressSpace: Invalid VMware signature: 0x45474150
    WindowsCrashDumpSpace32: Header signature invalid
    SkipDuplicatesAMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
    WindowsAMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
    LinuxAMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
    AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
    IA32PagedMemoryPae: Failed valid Address Space check
    IA32PagedMemory: Failed valid Address Space check
    OSXPmemELF: ELF Header signature invalid
    FileAddressSpace: Must be first Address Space
    ArmAddressSpace: Profile does not have valid Address Space check
Any recommendations? Because when doing a Strings search of the dump file, I'm seeing relevant evidence that I need but I'm unable to parse the file to retrieve any actual data.
Additionally, when doing a File lookup, this is the output: MEMORY.DMP: MS Windows 64bit crash dump, 4992030524978970960 pages
I ran into the same problem!
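A header triage for the values quoted in the report above, as an added example that is not part of the original thread or of Volatility. The page count printed by `file` is the ASCII bytes "PAGEPAGE" read as a 64-bit integer, and 0x45474150 is "PAGE". The field offsets, the dump-type names and the reading of "PAGE" as fill are assumptions taken from the commonly documented 64-bit crash dump header layout, and the sample header is constructed.

```python
import struct
import sys

FILLER = b"PAGE"  # assumption: pattern left in header fields that were not populated

# Assumed offsets in the 64-bit crash dump header (not taken from the thread)
OFF_VALID, OFF_BUILD, OFF_PAGES, OFF_TYPE = 0x04, 0x0C, 0x90, 0xF98
DUMP_TYPES = {1: "full", 2: "kernel", 5: "bitmap full", 6: "bitmap kernel"}


def triage_header(hdr, file_size, page_size=4096):
    """Summarise the header fields that decide how a tool must open the dump."""
    if len(hdr) < 0x1000:
        raise ValueError("need at least the first 0x1000 bytes of the dump")
    build, = struct.unpack_from("<I", hdr, OFF_BUILD)
    pages, = struct.unpack_from("<Q", hdr, OFF_PAGES)
    dtype, = struct.unpack_from("<I", hdr, OFF_TYPE)
    return {
        "is_dump64": hdr[0:4] == b"PAGE" and hdr[4:8] == b"DU64",
        "build": build,
        "dump_type": DUMP_TYPES.get(dtype, "unknown (0x%x)" % dtype),
        "pages": pages,
        # A page count made of fill bytes means the field was never written,
        # so tools that trust it (as `file` does) print nonsense.
        "pages_is_filler": hdr[OFF_PAGES:OFF_PAGES + 8] == FILLER * 2,
        "pages_fit_file": pages * page_size <= file_size,
    }


def constructed_header():
    """Constructed sample: fill-pattern header with a few fields set by hand."""
    hdr = bytearray(FILLER * (0x2000 // 4))
    hdr[OFF_VALID:OFF_VALID + 4] = b"DU64"
    struct.pack_into("<I", hdr, OFF_BUILD, 15063)
    struct.pack_into("<I", hdr, OFF_TYPE, 6)  # constructed, not the reporter's value
    return bytes(hdr)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # triage a real dump: python triage.py MEMORY.DMP
        with open(sys.argv[1], "rb") as f:
            head = f.read(0x2000)
            size = f.seek(0, 2)
    else:
        head, size = constructed_header(), 6 * 2**30
    for key, value in triage_header(head, size).items():
        print("%-16s %s" % (key, value))
```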