March 2014 - Vol-users - volatilityfoundation.org

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Michael and Jamie, Thanks. I've I found I made a couple of stupid mistakes. The second was sending the below message to the wrong email when I figured out the first late yesterday evening. My apologies, I've figured out that it was 64 bit, and I was completely mistaken about it being 32 bit. I assumed that it was 32 bit, because the the 64 bit profiles took much longer to run, and I'd assumed they were hanging. I think I used a slow computer, and suspect that having everything on usb also slowed things down. I decided I ought to check my work better, and let imageinfo run for the three hours it needed. In hindsight, I think I should have run hibinfo instead, as that seems to have indicated the right profile much faster. I think I can figure the rest out. Thank you, andybellman(a)outlook.com

10 years, 8 months

2
1
0 0

Issue with 'linux_pslist'

by Torres, Geoff (Global Cyber Security)

Hi All, This is an FYI to the maintainers of the Volatility code. I don't need immediate help on this issue but I thought somebody might be interested. I ran into a problem where the 'linux_pslist' command in volatility is hanging on an Ubuntu 13.04 memory dump. All the other 'ps' related commands seem to run just fine. I'm running Volatility 2.3.1 and I can supply any other details you need (including the memory dump). I've attached the debug output (I let it run for over 30 minutes on a 1GB dump). I'm happy to try any suggestions you may have. Thanks for a great product, Geoff ============================== Geoff Torres - HP ==============================

10 years, 8 months

2
1
0 0

Are Volatility's Win7 profiles correct for Home Premium 32 bit?

by Andy Bellman

Members of the list, I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop, I'm pretty sure running Home Premium 32 bit. I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get: ' Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys) PAE type : PAE DTB : 0x0L KUSER_SHARED_DATA : 0xffdf0000L' Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get: 'Volatility Foundation Volatility Framework 2.3.1 PO_MEMORY_IMAGE: Signature: HIBR SystemTime: 1970-01-01 00:00:00 UTC+0000 Control registers flags CR0: 00000000 CR0[PAGING]: 0 CR3: 00000000 CR4: 00000000 CR4[PSE]: 0 CR4[PAE]: 0 Windows Version is -.- (-)' Other modules seem to hang, or produce no results. I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it. I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website. I'm wondering if trying to do something volatility doesn't support yet, or if I am simply making a mistake. Thanks, andybellman(a)outlook.com

10 years, 8 months

3
2
0 0

Recovering OpenVPN credentials

by Philip Huppert

Hi, as part of a university course I've developed a Volatility plugin to extract user credentials cached in an OpenVPN process. Currently the extraction is limited to OpenVPN 2.2.2 on Windows. Still, maybe this is useful to someone else. Code is here: https://github.com/Phaeilo/vol-openvpn Philip

10 years, 8 months

3
3
0 0

RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

by Smelkovs, Konrads (London)

Hello Aaron and Michael, This is a machine with a very interesting file corruption case which is most likely malware. I used moonsol's DumpIt to acquire the image from a Win7 64bit SP1 machine with 8 gigs of ram. Here's the output of bin2dmp: bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence) Convert raw memory dump images into Microsoft crash dump files. Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net> Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com> User , () Initializing memory descriptors... Done. Looking for kernel variables... Done. Loading file... Done. Rewritting CONTEXT for Windbg... -> Context->SegCs at physical address 0x0000000006017F78 modified from 00 in o 10 -> Context->SegDs at physical address 0x0000000006017F7A modified from 00 in o 2b -> Context->SegEs at physical address 0x0000000006017F7C modified from 00 in o 2b -> Context->SegFs at physical address 0x0000000006017F7E modified from 00 in [0x000000021E600000 of 0x000000021E600000] MD5 = 2DF9C04AB34D820ACA56B201B1382A880x0000000006017F80 is already equal to 00 Total time for the conversion: 9 minutes 49 seconds.6017F82 modified from 00 in o 18 And here I tried loading the dump file in windbg 64 Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64 Copyright (c) Microsoft Corporation. All rights reserved. Loading Dump File [C:\ xxxx.dmp] Kernel Complete Dump File: Full address space is available Comment: 'Hibernation file converted with MoonSols Memory Toolkit' Symbol search path is: C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa… Executable search path is: Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64 Product: WinNt, suite: TerminalServer SingleUserTS Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533 Machine Name: Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0 Debug session time: Sun Mar 2 21:08:59.275 2014 (UTC + 0:00) System Uptime: 0 days 7:22:16.509 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. *** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540 *** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540 Debugger can not determine kernel base address Loading Kernel Symbols Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. .Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 Image path too long, possible corrupt data. Loading unloaded module list ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. ..Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. ..Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Missing image name, possible paged-out or corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. .Image path too long, possible corrupt data. . WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 CS descriptor lookup failed GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get program counter GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 4D415454, {1, 2, 3, 4} GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 ***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057. Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 Unable to get current machine context, NTSTATUS 0xC0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141 Missing image name, possible paged-out or corrupt data. Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147 WARNING: .reload failed, module list may be incomplete Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE ) Followup: MachineOwner --------- GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 GetContextState failed, 0xD0000147 -----Original Message----- From: AAron Walters [mailto:awalters@4tphi.net] Sent: 02 March 2014 20:50 To: Smelkovs, Konrads (London) Cc: Michael Ligh Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 Hi Konrads, Nice to meet you. Thank for joining the mailing list. Is the machine you are trying to analyze part of an investigation or a test machine? A physical machine or a virtual machine? Does it have any unusual devices connected to it? If you convert the sample to windbg format using the MoolSols tools, will it load in windows debugger? Thanks, AAron Walters The Volatility Foundation On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote: > Hi, > > Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What tools would you suggest to use instead? > > > -----Original Message----- > From: Michael Ligh [mailto:michael.ligh@mnin.org] > Sent: 02 March 2014 16:25 > To: Smelkovs, Konrads (London) > Cc: vol-users(a)volatilityfoundation.org > Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 > > Hi Konrads, > > Thanks for the output. At the moment, its looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please: > > * Does it also hang on Linux also, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages? > * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump? > > Thanks, > Michael > > > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. > This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. > Any communications made with KPMG may be monitored and a record may be kept of any communication. > Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. > A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. > KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL. > This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.

10 years, 8 months

3
3
0 0

Chasing evil or my tail?

by shorejsi2＠mmm.com

Working on a system that has been beaconing out to bad places and noticed this in the 'pstree' output (abbreviated): Name Pid PPid -------------------------------------------------- ------ ------ 0x894ca030:csrss.exe 580 484 ... 0x8f25b5b0:wininit.exe 632 484 ... . 0x8f379d40:services.exe 692 632 ... .. 0xb12484c0:FireSvc.exe 2064 692 ... .. 0xaecc6d40:svchost.exe 3332 692 ... ... .. 0xb3eeb030:svchost.exe 3780 692 ... .. 0x85e518e8:msdtc.exe 5332 692 ... ... 0x82651d40:explorer.exe 5400 5332 ... .... 0x85dcc3b0:pmcs.exe 1608 5400 ... .... 0x85dc9240:EpePcMonitor.e 6108 5400 ... .... 0x85c92030:BTTray.exe 4744 5400 ... .... 0x8652c928:iexplore.exe 7028 5400 ... ..... 0x86721030:iexplore.exe 7364 7028 ... ...... 0x866f2030:jp2launcher.ex 5356 7364 ... ....... 0x8678c408:java.exe 7700 5356 ... ... Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would normally expect userinit.exe to start explorer and then exit, leaving it with no visible parent. Any input appreciated... -=[ Steve ]=-

10 years, 8 months

2
3
0 0

Volatility never finishes on 8 gig Win7SP1x64

by Smelkovs, Konrads (London)

Hello, C:\ >volatility-2.3.1.standalone.exe -f C:\image.raw kdbgscan --profile=Win7SP1x64 Volatility Foundation Volatility Framework 2.3.1 ..... Never finishes - analysing 8 gig dump, CPU max. Help? This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.

10 years, 8 months

3
5
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Vol-users March 2014