Error while scanning raw imagefile #1246

Open
MaxFuwin opened this issue Aug 28, 2024 · 15 comments

@MaxFuwin

Hi, I am currently running an image file
I used the code: python3 -f mem.raw windows.info
And it shows these error codes:

Unsatisfied requirement plugins.Hashdump.kernel.symbol_table_name:

A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Hashdump.kernel.symbol_table_name']
Did I miss installing any essential API for this tool?
MaxFuwin

@Abyss-W4tcher
Contributor

Hi, could you provide us with a -vvvvvvvvv debug run, to see if any info comes out here?

@MaxFuwin
Author

Does it look like this?
Python3 vol.py -f memory_dump.raw windows.info -v?

@Abyss-W4tcher
Contributor

more like : Python3 vol.py -f memory_dump.raw -vvvvvvvvvv windows.info

@MaxFuwin
Author

now it looks like these:

@Abyss-W4tcher
Contributor

Alright, could you try running :

python3 vol.py -f memory_dump.raw -vvvvvvvvvv --clear-cache windows.info 

It seems there is a problem with the cache directory.

@MaxFuwin
Author

image

@Abyss-W4tcher
Contributor

Instead of taking screenshots, could you provide the entire output as text, please?

@MaxFuwin
Author

volatility3error.txt
I'm sorry that might take some of your time, the error is quite long

@Abyss-W4tcher
Contributor

This issue is quite similar to #1226, please check it out and tell us if it fixes it for you too.

@MaxFuwin
Author

Emmm, it seems like Volatility 3.0 does not support Win11 memory dumps; when I tested a Win10 memory dump I got the result. By the way, thanks for spending time helping me to solve this issue.

@Abyss-W4tcher
Contributor

Have you tried changing the cache path to a writable directory?

For now, it seems the error relates only to a permission problem.

@MaxFuwin
Author

According to my several tests, I tried to scan memory images from Windows 7, 10 and 11, and some of the images scanned successfully.
This is one successful example for Windows 10:
image
but some of the images didn't. Does Volatility 3 not support some of the versions?

@Abyss-W4tcher
Contributor

Yes, Volatility3 supports Windows11.

Would you be able to provide a run with :

python3 vol.py -f memory_dump.raw -vvvvvvvvvv --cache-path C:\Users\username\Downloads\test_volatility3_cache\ windows.info

You will need to create the directory C:\Users\username\Downloads\test_volatility3_cache\ beforehand, while replacing username with your Windows username.

This would help to determine if the cache permission is faulty or if it is indeed a support problem.

@MaxFuwin
Author

MaxFuwin commented Sep 1, 2024

According to my tests

Windows system versions supported by volatility3:
Volatility 3 Framework 2.7.1

Python3 volatility3/vol.py -f xx.raw windows.info # test command.

Support for windows7 Professional Edition (7600)
Support for windows10 Professional Edition 1607 (14393.447)

Windows7 sp1 Ultimate Edition is not supported (7601)
Windows10 Professional Edition 1809 (17763.437) is not supported
Windows11 Professional 23H2 (22631.4037) is not supported
Windows11 Professional 24H2 (26100.1591) is not supported

@ikelos
Member

ikelos commented Sep 3, 2024

Hiya, did you ever try @Abyss-W4tcher's test?

It would be running the following against one of the images that wasn't working:

mkdir D:\volatility3\cache
python3 volatility3/vol.py -vvvvvvv -f E:\xx.raw --cache-path D:\volatility3\cache windows.info

It will create a lot of output, but it should tell us whether it's just a file permission issue (which it looks like) or something else...
