KeyError: 'Key PolEKList not found under Policy' while using the lsadump plugin
Hey, I'm a computer science student and a newbie to Volatility who is interested in memory forensics. While I was trying to analyze a Windows memory image, the following error occurred.
Describe the bug
1.) Created a memory capture with FTK Imager 4.2.1.4 of a system with Windows 10 Home (Version 10.0.19041 Build 19041; x64) installed
2.) Used Volatility: python3 volatility3-1.0.1/vol.py -vvvv -f memdump.mem windows.lsadump.Lsadump
3.) Error (see below)

Context
Volatility Version: Volatility 3 Framework 1.0.1
Operating System: Windows 10 Home (Version 10.0.19041 Build 19041; x64)
Python Version: 3.8.5
Suspected Operating System: Windows 10 Home (Version 10.0.19041 Build 19041; x64)
Command: python3 volatility3-1.0.1/vol.py -vvvv -f memdump.mem windows.lsadump.Lsadump
Error Message
INFO root : Volatility plugins path: ['/mnt/d/ForensikTools/volatility3-1.0.1/volatility3/plugins', '/mnt/d/ForensikTools/volatility3-1.0.1/volatility3/framework/plugins']
INFO root : Volatility symbols path: ['/mnt/d/ForensikTools/volatility3-1.0.1/volatility3/symbols', '/mnt/d/ForensikTools/volatility3-1.0.1/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Lsadump.primary.memory_layer
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Lsadump
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: WintelHelper
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/992A9A48F30EC2C58B01A5934DCE2D9C-1
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8071d600000
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_KTMNOTIFICATION_PACKET
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: nt_symbols1!_CM_KEY_INDEX, signature: n
Traceback (most recent call last):
File "volatility3-1.0.1/vol.py", line 10, in
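For anyone triaging a run like this one, here is an added example (not code from the issue or from the Volatility project) that reads a Volatility 3 -vvvv log and reduces it to the facts a maintainer asks for: which automagics ran, the DTB, the stacked layers, the kernel PDB and offset that were chosen, how many types the symbol table could not resolve, any warning from the registry extension, and the final exception. It then classifies where the run stopped, so that a failure inside the plugin (layers and symbols already resolved, as in the log above) is not mistaken for a profile-detection problem. The line format it parses ("LEVEL logger: message") is inferred from the output shown on this page; the sample log is constructed from the shape of those lines with the traceback abbreviated.

```python
"""Triage a Volatility 3 verbose (-vvvv) log into the facts a bug report needs.

Added example, not code from the original issue or the Volatility project.
Standard library only; the "LEVEL logger: message" line format is an assumption
taken from the output in the issue above.
"""
import ast
import re
from typing import Any, Dict

# Constructed sample: a trimmed log in the same shape as the one in the issue
# (the traceback is abbreviated to its first and last lines).
SAMPLE_LOG = """\
INFO root : Volatility symbols path: ['/opt/vol3/volatility3/symbols']
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Lsadump.nt_symbols
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/992A9A48F30EC2C58B01A5934DCE2D9C-1
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8071d600000
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: nt_symbols1!_EX_TIMER
DEBUG volatility3.framework.symbols.windows.extensions.registry: Unexpected node type encountered when traversing subkeys: nt_symbols1!_CM_KEY_INDEX, signature: n
Traceback (most recent call last):
KeyError: 'Key PolEKList not found under Policy'
"""

# One log record: a level (INFO/DEBUG/... or "Level N"), a logger name, a message.
LINE_RE = re.compile(
    r"^(?P<level>INFO|DEBUG|WARNING|ERROR|CRITICAL|Level \d+)\s+(?P<logger>\S+?)\s*:\s(?P<msg>.*)$"
)
# The last line of a Python traceback, e.g. "KeyError: 'Key PolEKList not found under Policy'".
EXC_RE = re.compile(r"^(?P<type>[A-Za-z_][\w.]*(?:Error|Exception)):\s*(?P<msg>.*)$")
# Single-valued facts pulled out of message text.
FACTS = {
    "dtb": re.compile(r"DTB was found at: (0x[0-9a-fA-F]+)"),
    "kernel_virtual_offset": re.compile(r"Setting kernel_virtual_offset to (0x[0-9a-fA-F]+)"),
    "pdb": re.compile(r"Using symbol library: (\S+)"),
}


def triage(log_text: str) -> Dict[str, Any]:
    """Walk the log once and collect the facts a maintainer asks for."""
    summary: Dict[str, Any] = {
        "automagics": [], "stacked_layers": [], "unresolved": [],
        "registry_warnings": [], "exception": None,
        "dtb": None, "kernel_virtual_offset": None, "pdb": None,
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        exc = EXC_RE.match(line)
        if exc:  # final traceback line; keep the last one seen
            summary["exception"] = (exc["type"], exc["msg"])
            continue
        m = LINE_RE.match(line)
        if not m:  # traceback frames and other free text
            continue
        logger, msg = m["logger"], m["msg"]
        for key, pattern in FACTS.items():
            hit = pattern.search(msg)
            if hit:
                summary[key] = hit.group(1)
        if msg.startswith("Running automagic: "):
            summary["automagics"].append(msg.split(": ", 1)[1])
        elif msg.startswith("Stacked layers: "):
            summary["stacked_layers"] = ast.literal_eval(msg.split(": ", 1)[1])
        elif msg.startswith("Unresolved reference: "):
            summary["unresolved"].append(msg.split(": ", 1)[1])
        elif logger.endswith(".registry"):  # hive-walking warnings, as in the issue
            summary["registry_warnings"].append(msg)
    return summary


def failure_stage(summary: Dict[str, Any]) -> str:
    """Coarse classification of where a failed run stopped."""
    if summary["exception"] is None:
        return "no exception"
    if not summary["stacked_layers"]:
        return "layer stacking (memory layout not recognised)"
    if summary["pdb"] is None or summary["kernel_virtual_offset"] is None:
        return "symbol resolution (kernel PDB/ISF not found)"
    return "plugin execution (layers and symbols were resolved)"


def render(summary: Dict[str, Any]) -> str:
    """Plain-text block suitable for pasting into an issue."""
    lines = [
        f"automagics run   : {', '.join(summary['automagics']) or '-'}",
        f"DTB              : {summary['dtb'] or '-'}",
        f"stacked layers   : {' -> '.join(summary['stacked_layers']) or '-'}",
        f"kernel PDB       : {summary['pdb'] or '-'}",
        f"kernel offset    : {summary['kernel_virtual_offset'] or '-'}",
        f"unresolved types : {len(summary['unresolved'])}",
    ]
    lines += [f"registry warning : {w}" for w in summary["registry_warnings"]]
    if summary["exception"]:
        lines.append("exception        : {}: {}".format(*summary["exception"]))
    lines.append(f"failure stage    : {failure_stage(summary)}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(render(triage(text)))
```

Run it with the saved -vvvv output as its only argument (or with no argument to see the constructed sample). On the log in this issue the classification comes out as "plugin execution": the DTB, the stacked layers, the ntkrnlmp.pdb symbol library and the kernel offset were all found, and the last warning before the traceback came from the registry extension, which is the part worth quoting first when reporting.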