Hello Everyone,
When attempting to analyze a large raw memory dump with Volatility 2.6.1 on Windows 10 (build 19045), Volatility failed to map the address space and could not load the image. Even after selecting the generic Win10x64 profile, running:
    vol.exe -f test.raw --profile=Win10x64 pslist

    No suitable address space mapping found
    Tried to open image as:
    MachOAddressSpace: mac: need base
    Win10AMD64PagedMemory: No base Address Space
    FileAddressSpace: Must be first Address Space

We need to dump the lsass.exe process from this memory image. Does anyone have alternative tools or methods they’d recommend for extracting a process dump directly from a raw RAM file when Volatility is unable to construct its address space?
Thanks