Re: [Vol-dev] probably a really dump question RE: the new dumpfiles plugin
Jamie Levy
11 Oct
2013
11 Oct
'13
12:52 p.m.
Hi John,
So you have:
file.<number>.<hex number>.< dat |img |vacb>
<number> == PID
<hex number> == Offset of SharedCacheMap or _CONTROL_AREA
< dat |img |vacb> == DataSectionObject, ImageSectionObject or SharedCacheMap
If you want more detailed information about the files that are dumped,
make sure to the --summary-file option.
We'll write up documentation soon.
All the best,
-Jamie
On Fri, Oct 11, 2013 at 11:41 AM, McCash John-GKJN37
<john.mccash(a)motorolasolutions.com> wrote:
Hi,
I’d been looking forward to the new dumpfiles plugin for a
while, so I immediately downloaded it and tried it out as soon as possible
after I saw it had finally been committed to the source tree the other day.
(I’m freely admitting I’m using the thing without any documentation, since
that still hasn’t been committed, and probably have no idea what I’m really
doing.) Now, I have a dumb question. The names of the dumped files are all
of the format:
file.<number>.<hex number>.< dat |img |vacb>
In addition, the dumping process produces a bunch of output, of the form:
<DataSectionObject|ImageSectionObject|SharedCacheMap> <hex number>
<number> <file path>
with no column header or other indication of what exactly these values refer
to. (If I had to guess, maybe the hex value is the data offset within the
image?)
Looking at this format (without knowing for sure exactly
what the numbers are referring to) would lead me to expect that the <number>
and <hex number> fields from the output should correspond to the ones in the
dumped filenames, and thus the file paths should have some correspondence to
the dumped file data, if the values match up. Not necessarily being the
contents of exact file to which the path corresponds, but being related in
some way.
But I’m not seeing the same hex value show up anywhere in
the output and in ANY filename…
Trying for a specific correspondence, I went looking through the dumped
files, and was able to positively identify the Software registry hive. The
associated filename was file.4.0x8697a2b8.vacb. Looking through the output
for entries associated with this file identified the following two entries:
DataSectionObject 0x89291f90 4
\Device\HarddiskVolume1\WINDOWS\system32\config\software
SharedCacheMap 0x89291f90 4
\Device\HarddiskVolume1\WINDOWS\system32\config\software
I’m probably just completely misinterpreting the output, but could somebody
throw me a bone?
Thanks much
John
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92