Hi James,

According to the wiki (https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage#configuration-files), if you're putting the config file in the same folder it should be named "volatilityrc" (no dot). You use the dot if it's in the home folder, e.g. "~/.volatilityrc".

You could test by passing the file path with "--conf-file". Syntax of the file content looks good though.

Adam

On 6 May 2016 at 16:41, James Kelly <[email protected]> wrote:

> 1. I have a directory with a memory dump called memdum.bin
>
> 2. I run volatility image info against it and I get
> Air:ticket_number jamesk$ vol.py -f memdump.bin imageinfo
> Volatility Foundation Volatility Framework 2.5
> INFO : volatility.debug : Determining profile based on KDBG search...
> Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86 (Instantiated with Win2003SP0x86)
> AS Layer1 : IA32PagedMemory (Kernel AS)
> AS Layer2 : FileAddressSpace (/Users/jamesk/Desktop/jackcr-challenge/DC-USTXHOU/ticket_number/memdump.bin)
> PAE type : No PAE
> DTB : 0x39000L
> KDBG : 0x805583d0L
> Number of Processors : 1
> Image Type (Service Pack) : 0
> KPCR for CPU 0 : 0xffdff000L
> KUSER_SHARED_DATA : 0xffdf0000L
> Image date and time : 2012-11-27 02:01:57 UTC+0000
> Image local date and time : 2012-11-26 20:01:57 -0600
>
> 3. I can run vol.py --profile=Win2003SP0x86 -f memdump.bin pslist and get process list just fine…but...
> In that same directory as the memdump.bin file I have a .volatilityrc file which contains
>
> [DEFAULT]
> PROFILE=Win2003SP2x86
> LOCATION=file://memdump.bin
>
> When I run vol.py pslist I get:
> No suitable address space mapping found
>
> Is my syntax incorrect somewhere?
>
> Jk
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
