[Question] Volatility 3 Framework Version 2.26.2
Running a Volatility 3 plugin on Windows 11 produced the error "unrecognized format", and the progress indicator fluctuated abnormally. Other plugins work normally, and running cmd.exe with administrator privileges and restarting the system did not resolve the problem. Saving the Text.txt file with the "Western European (Windows)" encoding may have caused the plugin to fail to recognize the input file format. No clear solution was found in the relevant documentation and books; the poster is considering using the YARA functionality to get similar output instead. 2025-8-14 00:42:50 Author: www.reddit.com Views: 24

I ran this program on a Windows 11 24H2, and the windows.strings.Strings stated "ERROR volatility3.plugins.windows.strings: line in unrecognized format: line 1". Underneath this output was a line that stated "Progress: ", and the value had flickered between 0.00 - 0.01. Good news is that the message to the right of the status had changed frequently.

cmd.exe ran with administrative privileges when this error message was displayed, the computer had restarted, and other plugins worked fine.

As a sanity check here is the command syntax used:

python vol.py -f <mem-image-name> windows.strings.Strings --strings-file Text.txt

Text.txt contained 1 eight-letter word, but when the file was saved as a text document, Word (the Microsoft Office Home 2024 version), presented a pop-up called "File Conversion". The message read "Warning: Saving as a text file will cause all formatted, pictures common and objects in your file to be lost. Text encoding:", and a radio button for "Western European (Windows)" was saved as the default text encoding option. Should the file be saved in a different format like Unicode?

I had visited the following links to look at this issue:

https://volatility3.readthedocs.io/en/latest/_modules/volatility3/plugins/windows/strings.html

My key takeaway from this page was that the tool uses a regular expression to parse out the data from the strings file. I had read pages 515/516 in The Art of Memory Forensics, and I was unable to locate information related to the format of the input file. If anyone has any successful experience with running this plugin with Volatility 3 I would appreciate the feedback. Otherwise, I'll check to see if the YARA functionality offers a similar output of attributing a string to a process/file.
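The following is an added example, not part of the poster's question or of the Volatility project: it checks a strings file against the line layout the windows.strings plugin parses (a decimal file offset, a separator, then the string, as produced by Sysinternals `strings -o` or GNU `strings -t d`), and builds a correctly laid-out file from a word list. The regular expression is an approximation modelled on the plugin's regex-based parsing the poster describes, not copied from its source, and the sample file contents and offsets are constructed.

```python
import re

# Approximation of the offset-then-string pattern the plugin applies to each
# line (assumption, modelled on the plugin's behaviour). Group 1 is the decimal
# offset of the string in the memory image, group 2 the string itself. Lines
# are matched as bytes, so the text encoding of the file does not matter; the
# leading offset does.
STRINGS_LINE = re.compile(rb"^(?:\W*)([0-9]+)(?:\W*)(\w[\w\W]+)\n?")

# Constructed samples: the poster's Text.txt (one bare word, no offset) and a
# file in the offset:string layout that `strings -o` emits.
BARE_WORD_FILE = b"password\r\n"
GOOD_FILE = (b"1048576:password\r\n"
             b"2097152:C:\\Windows\\System32\\cmd.exe\r\n")


def parse_strings_file(data: bytes):
    """Return (parsed, bad): parsed is a list of (offset, string) tuples,
    bad is the list of 1-based line numbers the plugin would reject with
    'line in unrecognized format' (blank lines are treated as rejected too)."""
    parsed, bad = [], []
    for lineno, line in enumerate(data.splitlines(keepends=True), start=1):
        match = STRINGS_LINE.search(line)
        if match is None:
            bad.append(lineno)
            continue
        offset = int(match.group(1))
        text = match.group(2).rstrip(b"\r\n").decode("latin-1")
        parsed.append((offset, text))
    return parsed, bad


def to_strings_format(words, start_offset=4096, step=256):
    """Build file content in the offset:string layout from a word list.
    Offsets are constructed placeholders; a real file carries the offsets
    the strings tool found in the image, which is what lets the plugin map
    each string back to a process or file."""
    lines = [f"{start_offset + i * step}:{word}" for i, word in enumerate(words)]
    return ("\n".join(lines) + "\n").encode("utf-8")


if __name__ == "__main__":
    for name, data in (("bare word", BARE_WORD_FILE), ("strings -o", GOOD_FILE)):
        parsed, bad = parse_strings_file(data)
        print(f"{name}: parsed={parsed} rejected lines={bad}")
```

Running the check on Text.txt before handing it to the plugin tells you which line the plugin will choke on; a file produced with `strings -o` against the image (rather than a hand-typed word list) passes and carries the offsets the plugin needs.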


Source: https://www.reddit.com/r/computerforensics/comments/1mply7m/question_volatility_3_framework_version_2262/