Error code on Volatility Workbench 3

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Error code on Volatility Workbench 3

    Hi, I have been trying to run a RAM image on Volatility Workbench 3. Image is from DumpIt, the most recent release.

    I keep getting this message. Rather noob at these things, so I am hoping someone can walk me through what I am missing here. All folders are intact. I tried system restarts and I tried making multiple images to try. Each halts at about 20-40% with this error message.

    Error log from clipboard is as such:


    Time Stamp: Wed Mar 29 18:55:34 2023

    "C:\Users\...\VolatilityWorkbench\vol.exe" -f "C:\Users\...\Comae-Toolkit-v20230117\x64\DESKTOP-5JELVLH-20230330-010828.dmp" windows.pslist.PsList
    Volatility 3 Framework 2.0.1
    WARNING volatility3.framework.plugins: Automagic exception occurred: EOFError: Compressed file ended before the end-of-stream marker was reached
    Unable to validate the plugin requirements: ['plugins.PsList.kernel']
    Unsatisfied requirement plugins.PsList.kernel: Windows kernel

    Time Stamp: Wed Mar 29 18:55:42 2023


    ******* End of command output ******

    Any input would be appreciated. I would totally search the forum for a solution if there was a search function. Thanks!

  • #2
    For forum search function, there are 3 options. See this post for details
    https://forums.passmark.com/general/...6181#post46181

    We only do the Windows user interface for Volatility.
    For cases where the Volatility command line tool fails you'll need to get support from the Volatility project. Or if the problem is just with DumpIT, then ask for assistance from that project. We don't use DumpIT and a quick search shows multiple versions of this tool from multiple different vendors. So that's confusing.

    But this error
    "EOFError: Compressed file ended"
    Makes me think the issue is something to do with compression.

    Our OSForensics tool can also do memory dumps. So maybe compare the behaviour with that.


    • #3
      Thank you. Yes, I was using Windows and not via a command prompt. It always hangs when working with the symbol file.
      I will try something instead of DumpIt and look into your OSForensics tool. Thanks.

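The EOFError text in the log above is the message Python's lzma, gzip and bz2 readers raise when a compressed stream stops before its end marker. The following is an added example, not code from this thread, PassMark or the Volatility project: it fully decompresses every compressed file under a directory and flags the ones that are cut short. That the failing file is a compressed symbol or cache file in such a directory is an assumption, and the sample file names are constructed.

```python
import bz2
import gzip
import json
import lzma
import sys
import tempfile
from pathlib import Path

# Each of these readers raises EOFError("Compressed file ended before the
# end-of-stream marker was reached") when the stream is cut short.
OPENERS = {".xz": lzma.open, ".gz": gzip.open, ".bz2": bz2.open}


def check_stream(path):
    """Decompress the whole file; return (status, detail)."""
    total = 0
    try:
        with OPENERS[path.suffix](path, "rb") as fh:
            while chunk := fh.read(1 << 20):
                total += len(chunk)
    except EOFError as exc:  # truncated download or interrupted write
        return "truncated", f"{exc} (after {total} bytes)"
    except (lzma.LZMAError, OSError) as exc:  # wrong magic or damaged data
        return "corrupt", str(exc)
    return "ok", f"{total} bytes decompressed"


def scan(root):
    """Check every .xz/.gz/.bz2 file below root; map relative path -> result."""
    root = Path(root)
    return {str(p.relative_to(root)): check_stream(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix in OPENERS}


def demo():
    """Constructed sample: one intact and one truncated .json.xz file."""
    doc = {"symbols": {"n%d" % i: i for i in range(500)}}
    blob = lzma.compress(json.dumps(doc).encode())
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "good.json.xz").write_bytes(blob)
        Path(tmp, "cut.json.xz").write_bytes(blob[: len(blob) // 2])
        return scan(tmp)


if __name__ == "__main__":
    # Assumption: argv[1] is the folder holding the compressed symbol files.
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, (status, detail) in results.items():
        print(f"{status:9} {name}: {detail}")
```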


      • #4
        Same wrong platform error when performing scan with memory dump from AccessData FTK Imager. Kinda peculiar.



        • #5
          Can you try Volatility direct from the command line on the same images?



          • #6
            Originally posted by David (PassMark)
            Can you try Volatility direct from the command line on the same images?
            Thanks David. I am going to give that a try today! Main reason I am running this is because of weird issues like this that I am having on this PC. I might also transport the image to an alternate PC to scan it.
