Volatility Workbench with Windows 10 x64 18363

  • Volatility Workbench with Windows 10 x64 18363

    I'm trying to analyze a Windows 10 x64 18363 memory image with Volatility Workbench. But it always fails with the message "Failed obtain process list. This could be due to selecting wrong platform". Please help. Thanks in advance.

  • #2
    What version of Volatility Workbench are you using?


    • #3
      Getting a similar error, please help.

      "D:\xxxxx\xxxx\VolatilityWorkbench\vol.exe" -f "C:\xxxxxxt\061820-10312-01.dmp" windows.pslist.PsList
      Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.nt_symbols']
      Volatility 3 Framework 1.0.0-beta.1
      Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
      Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
      A symbol table requirement was not fulfilled. Please verify that:
      You have the correct symbol file for the requirement
      The symbol file is under the correct directory or zip file
      The symbol file is named appropriately or contains the correct banner

      A translation layer requirement was not fulfilled. Please verify that:
      A file was provided to create this layer (by -f, --single-location or by config)
      The file exists and is readable
      The necessary symbols are present and identified by volatility


      • #4
        Volatility needs an OS symbol file (in a special JSON format that I think the Volatility people created) in order to interpret a memory dump file. It first searches locally to find the symbol file. If the symbol table cannot be found, then the PDB file will be downloaded from Microsoft's Symbol Server and converted into the appropriate JSON format.

        Background on PDB files

        Some possibilities:
        - It could be an acquisition issue. i.e. the image is corrupted therefore volatility can't find the version of Windows
        - Volatility is running behind the current windows release and can't work out the correct set of symbols that it needs
        - Maybe you are doing this on a machine that is not connected to the internet?

        Can you copy the command from the Volatility Workbench log window and run it on the command line with the -vvv (verbose) option, which provides more details?

        For example: vol.exe -vvv -f TestPC.mem windows.pslist.PsList

        Or can you supply a copy of the memory image, then we can give a better more precise answer, rather than just guesses.
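The three possibilities above can be separated before reaching for -vvv by asking the image itself which kernel build it came from. The kernel's CodeView "RSDS" debug record (PDB name, GUID, age) is what Volatility 3 keys its nt_symbols lookup on, and it is present in a raw image or crash dump independently of the rest of the framework. The script below is an added example written for this thread, not code from the Volatility project or from Volatility Workbench. It scans an image for RSDS records, picks the kernel one, and reports whether the matching symbol JSON exists locally and where the PDB would be fetched from. Two conventions are assumed rather than taken from the page: the local file name Volatility 3 expects (`<pdb name>/<GUID>-<age>.json.xz` under `symbols/windows/`) and the Microsoft symbol server path layout (`<pdb>/<GUID><age in hex>/<pdb>`). The embedded sample image and its GUID are constructed for the demonstration.

```python
"""Diagnose why Volatility 3 cannot satisfy the nt_symbols requirement for an image.

Added example for this thread; not part of Volatility or Volatility Workbench.
"""
import mmap
import struct
import sys
import uuid
from pathlib import Path

# Microsoft public symbol server; assumed standard symstore layout <pdb>/<GUID><age-hex>/<pdb>.
SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols"
# PDB names the Windows kernel has shipped under (single/multi-processor, PAE variants).
KERNEL_PDB_NAMES = {"ntkrnlmp.pdb", "ntkrnlpa.pdb", "ntkrpamp.pdb", "ntoskrnl.pdb"}


def find_rsds_records(data, max_name_len: int = 260) -> list:
    """Return (offset, pdb_name, guid_hex, age) for every CodeView RSDS record in data.

    Record layout: b"RSDS" | GUID (16 bytes, little-endian fields) | age (uint32 LE)
                   | NUL-terminated PDB path.  data may be bytes or a read-only mmap.
    """
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = data[pos + 4 : pos + 24]
        if len(body) == 20:
            guid = uuid.UUID(bytes_le=body[:16])
            age = struct.unpack_from("<I", body, 16)[0]
            name_start = pos + 24
            name_end = data.find(b"\x00", name_start, name_start + max_name_len)
            if name_end != -1:
                raw_name = bytes(data[name_start:name_end])
                if raw_name.isascii() and raw_name.lower().endswith(b".pdb"):
                    # Drop any build-machine directory component, keep the file name only.
                    pdb_name = raw_name.decode("ascii").replace("/", "\\").rsplit("\\", 1)[-1]
                    records.append((pos, pdb_name, guid.hex.upper(), age))
        pos = data.find(b"RSDS", pos + 4)
    return records


def local_symbol_relpath(pdb_name: str, guid_hex: str, age: int) -> str:
    """Assumed Volatility 3 naming under symbols/windows: <pdb>/<GUID>-<age>.json.xz."""
    return f"{pdb_name}/{guid_hex}-{age}.json.xz"


def symbol_server_url(pdb_name: str, guid_hex: str, age: int) -> str:
    """Assumed symstore URL for the matching PDB (age is written in upper-case hex)."""
    return f"{SYMBOL_SERVER}/{pdb_name}/{guid_hex}{age:X}/{pdb_name}"


def diagnose(data, symbols_dir) -> dict:
    """Map the image to one of the failure modes listed in the post above.

    no_kernel_banner        -> no kernel RSDS record found (acquisition / corrupt image)
    symbols_missing_locally -> build identified, JSON absent (needs download / internet)
    symbols_present         -> JSON is there; the problem lies elsewhere
    """
    kernel = [r for r in find_rsds_records(data) if r[1].lower() in KERNEL_PDB_NAMES]
    if not kernel:
        return {"status": "no_kernel_banner", "kernel": None, "local": None, "url": None}
    offset, pdb_name, guid_hex, age = kernel[0]
    rel = local_symbol_relpath(pdb_name, guid_hex, age)
    present = (Path(symbols_dir) / "windows" / rel).is_file()
    return {
        "status": "symbols_present" if present else "symbols_missing_locally",
        "kernel": (pdb_name, guid_hex, age, offset),
        "local": rel,
        "url": symbol_server_url(pdb_name, guid_hex, age),
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for a memory image: filler bytes plus one kernel RSDS record."""
    guid = uuid.UUID("12345678-9abc-def0-1234-56789abcdef0")  # made-up GUID, not a real build
    rsds = b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + b"ntkrnlmp.pdb\x00"
    return b"\x00" * 64 + b"MZ" + b"\x90" * 100 + rsds + b"\xff" * 32


def report(result: dict) -> None:
    print(result["status"])
    if result["kernel"]:
        print("kernel PDB (name, GUID, age, offset):", result["kernel"])
        print("expected local symbol file:", result["local"])
        print("PDB download URL:", result["url"])


if __name__ == "__main__":
    # Usage: python rsds_check.py <image> <volatility3 symbols dir>; no args runs the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            report(diagnose(mm, sys.argv[2]))  # mmap avoids loading a multi-GB image into RAM
    else:
        report(diagnose(build_sample_image(), "./symbols"))
```

If the script reports no_kernel_banner on a real image, the acquisition (or the chosen file format) is the first suspect; if it reports symbols_missing_locally on an offline analysis box, download the PDB at the printed URL on a connected machine and convert it with Volatility's pdbconv, then drop the result at the printed relative path. Note that a crash dump (.dmp) may hold several RSDS records for other drivers; only the kernel PDB names are considered here.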


        • #5
          Hi! I am in Master's school at Champlain College for DF, and we have a homework assignment where we need to conduct a live capture in FTK and then load the file into Volatility Workbench. I am having trouble viewing anything that was done, like command line changes and web browser activity. I have done 4 captures and all have the same results in Workbench. I am including the text output of the Volatility Workbench tool, as maybe that will help? I am using the current version of Workbench. Any help would be greatly appreciated.
          Attached Files


          • #6
            From the log it seems like Volatility was launched correctly and produced some output.

            The version of Volatility is slightly old, "Volatility 3 Framework 1.1.0-beta.1", and is due for an update, but I don't know if the newer patch release will do any better.

            Maybe get the latest command line version of Volatility and compare the output for the same memory dump.


            • #7
              Where would I get the newer patch release for Volatility? I presume I just point the command line to the Volatility tool that came with the Zip download of Workbench, correct?

              I am going to try it on the same memory dump.

              I appreciate your help David!


              • #8
                Should be here, on their official site.
                Not sure why they don't have the V3 releases there however. Page hasn't been updated for 5 years?!?

                So you might need to get the source from GitHub instead. Not sure why they make it this hard (but on the other hand no one is being paid to develop and maintain it, so you get what you pay for).