No announcement yet.

Volatility Workbench with Windows 10 x64 18363

  • Filter
  • Time
  • Show
Clear All
new posts

  • Volatility Workbench with Windows 10 x64 18363

    I'm trying to analyze a Windows 10 x64 18363 memory image with Volatility Workbench. But it always failed with message "Failed obtain process list. This could be due to selecting wrong platform". Please help. Thanks in advance.

  • #2
    What version of Volatility Workbench are you using?


    • #3
      Getting similar error, please help

      "D:\xxxxx\xxxx\VolatilityWorkbench\vol.exe" -f "C:\xxxxxxt\061820-10312-01.dmp" windows.pslist.PsList
      Unable to validate the plugin requirements: ['plugins.PsList.primary', 'plugins.PsList.nt_symbols']
      Volatility 3 Framework 1.0.0-beta.1
      Unsatisfied requirement plugins.PsList.primary: Memory layer for the kernel
      Unsatisfied requirement plugins.PsList.nt_symbols: Windows kernel symbols
      A symbol table requirement was not fulfilled. Please verify that:
      You have the correct symbol file for the requirement
      The symbol file is under the correct directory or zip file
      The symbol file is named appropriately or contains the correct banner

      A translation layer requirement was not fulfilled. Please verify that:
      A file was provided to create this layer (by -f, --single-location or by config)
      The file exists and is readable
      The necessary symbols are present and identified by volatility


      • #4
        Volatility needs OS symbol file (in some special JSON format that I think the Volatility people created) in order to interpret a memory dump file. It first searches locally to find the symbol file. If the symbol table cannot be found, then the PDB file will be downloaded from Microsoft’s Symbol Server and converted into the appropriate JSON format.

        Background on PDB files

        Some possibilities:
        - It could be an acquisition issue. i.e. the image is corrupted therefore volatility can't find the version of Windows
        - Volatility is running behind the current windows release and can't work out the correct set of symbols that it needs
        - Maybe you are doing this on a machine that is not connected to the internet?

        Can you copy the command from Volatility Workbench log window and run it in command line with -vvv (verbose) option which provides more details.

        For example: vol.exe -vvv -f TestPC.mem windows.pslist.PsList

        Or can you supply a copy of the memory image, then we can give a better more precise answer, rather than just guesses.