Is anyone working on extending Volatility to work with Vista? I have a hibernation file from a Vista (32-bit) machine and am searching for possible intrusion/hacking. Don't have a RAM capture.
Howard Patterson
Special Agent
Technical Services Unit
Tennessee Bureau of Investigation
615-744-4376
howard.patterson(a)tn.gov
Bruce,
Change the extension from ".txt" to ".bin" or maybe even try ".dmp" and then run Volatility. It has been a while since I have done it, but I believe you will want to use ".bin".
Regards,
Chris
Chris Currier
CMT Digital Solutions, Inc.
The latest forensics challenge for The Honeynet Project involves
investigating a memory sample of an infected virtual machine. In order to
encourage research and development in the area of memory forensics, The
Order of Volatility plans to augment the prizes awarded to those
submissions in the top three which leverage The Volatility Framework. Even
if you are a Volatility power-user who doesn't find the questions
particularly interesting, we still encourage you to participate. To that
end, we are also planning to recognize the submission that extends the
Volatility Framework in the most unique or creative way (i.e., plugins,
visualizations, etc.). Submissions are due by 17:00 EST, Sunday, April
18th 2010.
Shoutz to Josh Smith, a Volatility supporter, for helping to encourage
research in the area of memory forensics!
http://www.honeynet.org/challenges/2010_3_banking_troubles
I did a memory and volatile data acquisition with Helix.
While using the enscript version of volatility I found on the blog, I ran it
against the memory dump and the TCP network connections scan showed a
connection:
192.168.1.104:1142 81.169.145.x:80 3852
The strange thing is, I can't find the process associated with process ID 3852
in the enscript version with pslist.
When I run the volatility program from a Linux command line I can't see any
connection at all (with the options connscan and connscan2) and there is no
process in pslist with ID 3852.
In the volatile data report of Helix this connection isn't showing either.
Of course I want to know what kind of process this is. Can anyone help me?
Thanks a lot,
K Bertens
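A small cross-check an analyst could run on the two listings discussed in the post above, as an added example that is not part of this thread or of Volatility itself: it flags connscan entries whose PID has no row in pslist, which is exactly the 3852 situation. The sample listings are constructed in the style of Volatility 1.3 output; only the 192.168.1.104:1142 connection and PID 3852 come from the post, the other rows are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listings (not real output from the poster's image).
# Only the 3852 row mirrors the thread; the others are illustrative.
PSLIST_SAMPLE = """\
Name                 Pid    PPid   Thds   Hnds   Time
System               4      0      55     246    Thu Jan 01 00:00:00 1970
smss.exe             368    4      3      21     Sat Feb 27 19:58:13 2010
svchost.exe          1064   676    80     1301   Sat Feb 27 19:58:20 2010
explorer.exe         1776   1744   17     589    Sat Feb 27 19:58:24 2010
"""

CONNSCAN_SAMPLE = """\
Local Address             Remote Address            Pid
192.168.1.104:1142        81.169.145.x:80           3852
192.168.1.104:1039        192.168.1.1:53            1064
192.168.1.104:1137        10.0.0.5:445              1776
"""

_SOCKET = r"(\S+:\d+)"                       # host:port, host may be masked
CONN_RE = re.compile(_SOCKET + r"\s+" + _SOCKET + r"\s+(\d+)\s*$")
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\b")   # name, pid, ppid


def parse_pslist(text: str) -> Dict[int, str]:
    """Map PID -> process name for each data row; the header has no numeric PID."""
    procs: Dict[int, str] = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def parse_connscan(text: str) -> List[Tuple[str, str, int]]:
    """Return (local, remote, pid) tuples from a connscan listing."""
    conns: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = CONN_RE.search(line.strip())
        if m:
            conns.append((m.group(1), m.group(2), int(m.group(3))))
    return conns


def orphaned_connections(pslist_text: str, connscan_text: str):
    """Connections whose owning PID is missing from pslist.

    connscan carves pool memory, so a freed _TCPT_OBJECT from a process
    that already exited is expected; a hidden process is the other
    explanation. psscan (also pool-carving) helps tell the two apart.
    """
    procs = parse_pslist(pslist_text)
    return [c for c in parse_connscan(connscan_text) if c[2] not in procs]
```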