Question - Does Volatility Support DumpIt compressed zdmp? #1325

Open
createchange opened this issue Oct 29, 2024 · 6 comments

@createchange

Hi folks, sorry for the non-bug/feature request issue.

I am implementing some basic flows to permit us to acquire memory dumps for incident response, and landed on DumpIt (mostly via discovery of the KAPE integration). After experimentation, I noticed that you could output a compressed dump, which is a "zdmp" filetype. Seek as I may, I haven't found much documentation on this filetype around the internet, with the one piece I found referencing (the now defunct) Comae enterprise tooling for reading these files.

Is this a proprietary file type? Is it able to be read by Volatility? If not, is the uncompressed DumpIt output able to be consumed? I received the following output, which clued me in that it may not be compatible:

python3 vol.py -f C:\SecurityTools\DumpIt\dumps\memdump-2024-10-29-11-52-06.zdmp windows.info
Volatility 3 Framework 2.11.0
Progress:  100.00               PDB scanning finished
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A translation layer requirement was not fulfilled.  Please verify that:
        A file was provided to create this layer (by -f, --single-location or by config)
        The file exists and is readable
        The file is a valid memory image and was acquired cleanly

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']

Not looking for alternatives - I see an excerpt in the docs about possible tools - just looking to see if I should jump from DumpIt due to incompatibility, so that I don't end up with dumps that require me to sign-on with a vendor to make use of them. I'd, of course, rather not back myself into a corner.

Thanks for whatever guidance can be provided.

@eve-mem
Contributor

eve-mem commented Oct 29, 2024

Hello 👋

A few things that might help.

Are you able to share a sample?

If you run the linux command file on it, what does it say?

Are you able to share the first few bytes of the file? Maybe 32 bytes?

Zdmp makes me think it might just be a compressed raw file.

Thanks!

(Edit: uncompressed raw files are definitely supported!)

@createchange
Author

Hi there!

I can share a sample as needed. Would a dump from a VM with <1GB of RAM suffice? Easier on the network transfer, and less concern about security implications.

$ file memdump-2024-10-29-11-52-06.zdmp
memdump-2024-10-29-11-52-06.zdmp: data

I believe this is what you were looking for?

$ xxd -c32 memdump-2024-10-29-11-52-06.zdmp | head -n1
00000000: 5a44 4d50 0001 0000 0070 3ff0 0300 0000 0000 2000 0100 0200 0000 0000 0000 0000  ZDMP.....p?....... .............

I don't see any documentation for those magic bytes, so maybe a proprietary format? I placed a call to Magnet support, but don't anticipate I will get a return call as a non-paying customer.

Please let me know if there is anything else I can provide!

@ikelos
Member

ikelos commented Oct 29, 2024

Looks like there is a conversion tool (written in rust) to convert it to a raw format.
https://github.com/MagnetForensics/z2dmp-rust

Looks like we theoretically could support it. Just need to interpret the code...

@eve-mem
Contributor

eve-mem commented Oct 30, 2024

@createchange thanks for that info!

It does look like a custom format. As @ikelos says it could probably be supported but that'll take a while for someone to do.

If you can share a sample or two that'll help.

I know there is lots of work going on to bring vol3 up to parity with vol2 so I personally think it'll be quite a while before someone has time to look at this one in depth.

@createchange
Author

createchange commented Oct 31, 2024

Good find on that repository! I cloned and built the tool, but unfortunately volatility3 failed to execute on the decompressed output.

# WSL
└─$ file output.dmp
output.dmp: MS Windows 64bit crash dump, full dump, 4129781 pages

# Powershell
❯ python3 vol.py -f C:\SecurityTools\DumpIt\dumps\output.dmp windows.info
Volatility 3 Framework 2.4.1
WARNING  volatility3.framework.plugins: Automagic exception occurred: FileNotFoundError: [Errno 2] No such file or directory: 'C:\\Users\\jweaver\\AppData\\Local\\Packages\\PythonSoftwareFoundation.Python.3.10_qbz5n2kfra8p0\\LocalCache\\Roaming\\volatility3\\data_a50d5da012754717f911e13040203999f1d1b82ee87180475a48f8edc001c4caee1aa634ec6d10b793d2aed84e6b68cf8715db6093b7ea084393c1a15e7cb489.cache'

Unsatisfied requirement plugins.Info.kernel.symbol_table_name:

A symbol table requirement was not fulfilled.  Please verify that:
        The associated translation layer requirement was fulfilled
        You have the correct symbol file for the requirement
        The symbol file is under the correct directory or zip file
        The symbol file is named appropriately or contains the correct banner

Unable to validate the plugin requirements: ['plugins.Info.kernel.symbol_table_name']

Here is a relatively small zdmp file for testing: https://mega.nz/file/DRshgY6T#t3-LOBUR1ZbCvn0MzvLJrhMTvM5xael3hC52QKXy1Bc
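As an added example (not code from this thread or from the Volatility project), a small Python header sniffer that distinguishes the ZDMP magic posted earlier in this thread from a Windows crash dump such as the z2dmp output above, so you can tell before invoking vol3 whether a conversion step is needed. It assumes only the "ZDMP" magic (the rest of the ZDMP header layout is undocumented here and is not interpreted); the PAGEDU64/PAGEDUMP crash-dump signatures are the standard Windows ones, and the crash-dump sample bytes are constructed.

```python
# Signatures used to classify a memory image from its leading bytes.
# "ZDMP" comes from the xxd output in this thread; PAGEDU64 / PAGEDUMP are the
# standard 64-bit / 32-bit Windows crash-dump signatures. Raw images carry no
# magic at all, so an unknown header is not necessarily a problem.
ZDMP_MAGIC = b"ZDMP"
CRASH_DUMP_MAGICS = {
    b"PAGEDU64": "Windows 64-bit crash dump",
    b"PAGEDUMP": "Windows 32-bit crash dump",
}


def classify_image_header(header: bytes) -> dict:
    """Return the detected format and whether vol3 is expected to read it as-is."""
    if header.startswith(ZDMP_MAGIC):
        return {"format": "DumpIt compressed dump (ZDMP)", "vol3_direct": False,
                "hint": "convert to a crash dump with z2dmp before running vol3"}
    for magic, name in CRASH_DUMP_MAGICS.items():
        if header.startswith(magic):
            return {"format": name, "vol3_direct": True,
                    "hint": "pass directly with -f"}
    return {"format": "unknown (possibly raw)", "vol3_direct": None,
            "hint": "raw images have no magic; try vol3 directly"}


def sniff_file(path: str, nbytes: int = 32) -> dict:
    """Read only the first nbytes of a (possibly multi-GB) image and classify it."""
    with open(path, "rb") as fh:
        return classify_image_header(fh.read(nbytes))


# The 32 header bytes exactly as posted in this thread (xxd -c32 output).
ZDMP_SAMPLE = bytes.fromhex(
    "5a44 4d50 0001 0000 0070 3ff0 0300 0000 "
    "0000 2000 0100 0200 0000 0000 0000 0000"
)
# Constructed sample: a 64-bit Windows crash dump begins with "PAGEDU64".
CRASH_SAMPLE = b"PAGEDU64" + b"\x00" * 24


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, sniff_file(path))
```

Run it with one or more image paths as arguments; a ZDMP result explains the "translation layer requirement was not fulfilled" error seen at the top of the thread.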

@eve-mem
Contributor

eve-mem commented Nov 2, 2024

Try clearing your cache and trying that again. It looks like it tried to use symbols that weren't there. Vol should automatically download and convert the bits it needs.

--clear-cache is the option you'd need.
