Good morning, everybody,
I can’t process the data parsing and then extract the data from a RAM DUMP. I have made several attempts using both FTK Imager and Ram Capture from Belkasoft and anyway the tests performed refer to files with .mem or .raw extension while the Autopsy version is 4.13.0! Thank you for the time you will dedicate to solve the problem.
Hello. Can you provide more information as to what is failing. It’s unclear as to whether this is an issue with your memory capture tool or Autopsy. In Autopsy did you load your RAM dump via “Add Data Source” -> “Memory Image File”? See: http://sleuthkit.org/autopsy/docs/user-docs/4.13.0/volatility_dsp_page.html
Derrick
Thank you Derrick for the kind answer… my problem is not with the RAM DUMP acquisition tools but with Autopsy because it doesn’t extract any data from the processed file or DUMP RAM! I have no errors returned but I think there are some settings to correct. I would like to be able to work only with this evidence without connecting any other element like the hard disk of the PC object of my analysis. The same DUMP analyzed with Belkasoft extracts everything and I would like to get at least one result also with Autopsy. Do you have suggestions on the solution? Good work.
PS: I add the DUMP from “Add Data Source” > "Memory Image File.
I found the solution… that is I pointed Volatility’s .exe to the path “C:\Program Files\Autopsy-4.14.0\autopsy\Volatility\volatility-2.5.standalone.exe” and Autopsy will start working :-D.
Good job everyone!
Hi Giak20,
I am also having an issue to adding memory image file as data source.
I am not able to get memory image file add option in data source.
Please help.
You need to enable the experimental module.
http://sleuthkit.org/autopsy/docs/user-docs/4.15.0/experimental_page.html
It worked for me,
Thanks a lot. “Apriestman”