[Vol-dev] A few questions

Tim tim-volatility at sentinelchicken.org
Tue May 13 18:43:34 CDT 2008


Greetings,

This looks to be where the cool kids are hanging out these days, so I
thought I would pop in.  I'm just getting familiar with Volatility, and
I think the project is a great idea.  I plan on following it closely and
hope to contribute code/debugging in the future. 

However, I have run into a problem.  I'm trying to get familiar with
the tools using the Windows XP images available in:
  http://www.cfreds.nist.gov/mem/memory-images.rar

When I run things like:

  python volatility datetime -f xp-laptop-2005-07-04-1430.img
  python volatility pslist -f xp-laptop-2005-07-04-1430.img


I get the following:

Traceback (most recent call last):
  File "/usr/local/src/Volatility-1.1.1/volatility", line 143, in <module>
    main()
  File "/usr/local/src/Volatility-1.1.1/volatility", line 139, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 54, in execute
    self.cmd_execute(module, args)
  File "/usr/local/src/Volatility-1.1.1/vmodules.py", line 108, in get_datetime
    (addr_space, symtab, types) = load_and_identify_image(op, opts)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 152, in load_and_identify_image
    dtb = guess_dtb(filename, op)
  File "/usr/local/src/Volatility-1.1.1/vutils.py", line 69, in guess_dtb
    dtb = find_dtb(flat_address_space, types)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 104, in find_dtb
    return process_dtb(addr_space, types, offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/win32/tasks.py", line 138, in process_dtb
    ['_EPROCESS', 'Pcb', 'DirectoryTableBase', 0], task_vaddr)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 168, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "/usr/local/src/Volatility-1.1.1/forensics/object.py", line 70, in read_value
    (val, ) = struct.unpack(type_unpack_char, buf)
  File "/usr/lib/python2.5/struct.py", line 87, in unpack
    return o.unpack(s)
struct.error: unpack requires a string argument of length 8


Since I'm running Volatility 1.1.1, I'd guess that this may have already
been fixed in 1.2.* or 1.3.*.  I've read through all of the mailing list
archives and scoured your project site, but I can't seem to find those
newer versions for download.  Perhaps I'm just totally missing
something.  Could someone point me in the right direction to get the
latest version?  SVN or other development repository would be fine, I
don't mind messing with bleeding edge stuff.

The second reason for my post is that I'll be giving an introductory
training course on incident response and digital forensics next month,
and I had considered introducing students to volatility and other memory
analysis tools.  Do you folks have suggestions as to which features of
volatility would be the best to showcase in that type of setting?

thanks,
tim
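The traceback above ends in `read_value` handing `struct.unpack` a buffer shorter than the 8 bytes the type needs, which is what happens when a guessed `_EPROCESS` offset lands near or past the end of a flat image. The following is an added illustration, not Volatility's code: a hypothetical flat address space with a constructed 16-byte image, a `read_value` written the way the traceback implies (unchecked), and a bounds-checked variant that reports a short read instead of raising, so a DTB scanner can reject the candidate offset. Type names and struct formats are assumptions; it is Python 3, not the Python 2.5 in the traceback.

```python
import struct

# Hypothetical type table: name -> (struct format, size in bytes).
# Not Volatility's own table; chosen to mirror the 8-byte read in the traceback.
TYPE_FORMATS = {
    "unsigned char": ("<B", 1),
    "unsigned long": ("<I", 4),
    "unsigned long long": ("<Q", 8),
}

# Constructed sample image: 16 bytes, values 0x00..0x0f, so every read is predictable.
IMAGE = bytes(range(16))


class FlatAddressSpace:
    """Minimal flat (physical) address space over an in-memory image."""

    def __init__(self, image: bytes):
        self.image = image

    def read(self, offset: int, length: int) -> bytes:
        # Like a file read, this silently returns fewer bytes near the end of the image.
        return self.image[offset:offset + length]


def read_value_unchecked(addr_space, type_name, vaddr):
    """Mirrors the failing pattern: unpack whatever came back, short or not."""
    fmt, size = TYPE_FORMATS[type_name]
    buf = addr_space.read(vaddr, size)
    (val,) = struct.unpack(fmt, buf)  # struct.error if len(buf) != size
    return val


def read_value_checked(addr_space, type_name, vaddr):
    """Bounds-checked read: None means the offset is not fully inside the image."""
    fmt, size = TYPE_FORMATS[type_name]
    buf = addr_space.read(vaddr, size)
    if len(buf) != size:
        return None
    (val,) = struct.unpack(fmt, buf)
    return val


def scan_candidates(addr_space, offsets, type_name="unsigned long long"):
    """Read a field at each candidate offset, dropping candidates that fall off the image."""
    results = {}
    for off in offsets:
        val = read_value_checked(addr_space, type_name, off)
        if val is not None:
            results[off] = val
    return results
```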