Hello guys,
I'm trying to use Volatility through Firewire, but actually it's not
working.
My investigator PC runs Ubuntu Linux 12.04.
I'm using the New (JuJu) Firewire stack compiled into kernel and I also
installed forensic1394.
My Firewire bus is up and connected to a Firewire bus on a target Win7
system (4GB memory).
I can successfully dump the memory with another tool called 'inception'.
However, output only says:
vol# python vol.py -l firewire://forensic1394/0 --profile=Win7SP1x64 modules
Volatility Foundation Volatility Framework 2.3.1
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
FileAddressSpace: Location is not of file scheme
ArmAddressSpace: No base Address Space
What am I doing wrong?
Thank you!
--
Sebastian
Hello Jamie,
Apologies for delayed response. Had a short break with family.
I tried using the dumpfiles plugin as per your advice. It turned out to work against winxp, but seemingly not against win7sp1x86. Is this a known limitation?
Thanks again mate.
Regards,
Roger
On Feb 18, 2014, at 5:00 AM, vol-users-request(a)volatilityfoundation.org wrote:
> Today's Topics:
>
> 1. dumping registry hive(s) from memory image (Roger)
> 2. Re: dumping registry hive(s) from memory image (Jamie Levy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 17 Feb 2014 16:53:01 +1100
> From: Roger <roger.franklin67(a)gmail.com>
> Subject: [Vol-users] dumping registry hive(s) from memory image
> To: "vol-users(a)volatilityfoundation.org" <vol-users(a)volatilityfoundation.org>
> Message-ID: <98444CAC-D5F0-473B-88EB-75CC983F2869(a)gmail.com>
> Content-Type: text/plain; charset=us-ascii
>
> I've been trying to get/dump a copy of a certain registry hive from the memory. Managed to list down their offsets using hivelist plugin but unable to find ways of dumping them to files. My intention is to load it to other tools such as regripper as input/target registry files.
>
> Has anyone found a way of doing it?
>
> Thank you very much in advance.
>
> Kind regards,
> Roger
>
> ------------------------------
>
> Message: 2
> Date: Mon, 17 Feb 2014 10:22:32 -0500
> From: Jamie Levy <jamie.levy(a)gmail.com>
> Subject: Re: [Vol-users] dumping registry hive(s) from memory image
> To: vol-users(a)volatilityfoundation.org
> Message-ID: <53022938.4040302(a)gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Hi Roger,
>
> Try using the dumpfiles plugin:
>
> http://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
>
> You can use an example similar to the event logs one in order to dump
> the registry file. Let me know if you need help.
>
> All the best,
>
> -Jamie
>
>
> --
> Jamie Levy (@gleeda)
> Blog: http://volatility-labs.blogspot.com/
> GPG: http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
> Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>
>
> ------------------------------
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
> End of Vol-users Digest, Vol 68, Issue 6
> ****************************************
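Jamie's advice above is to carve the hive's file object out with dumpfiles and hand the result to RegRipper. A file recovered that way is only as complete as the cache pages that were still resident, and dumpfiles writes the pages it could not find as zeros so that offsets inside the file stay correct; a hive that "dumps fine" can therefore still have whole bins missing. The Python below is an added example, not code from the thread, from Volatility or from RegRipper: it checks the regf base block (signature, matching sequence numbers, the XOR checksum over the first 0x1FC bytes) and then walks the hbin chain, counting bins that are present and bins that came back zero-filled. The sample hive bytes are constructed by the script itself; only the on-disk layout is real.

```python
import struct

REGF_MAGIC = b"regf"
HBIN_MAGIC = b"hbin"
BASE_BLOCK_SIZE = 0x1000          # base block and every hbin are 4 KiB multiples


def regf_checksum(base_block):
    """XOR of the 127 little-endian DWORDs in bytes 0x000-0x1FB of the base
    block, with the two reserved results remapped the way Windows does."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:0x1FC]):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def check_hive(data):
    """Return a dict describing the health of a dumped hive image."""
    report = {"errors": [], "hbins": 0, "zero_filled_hbins": 0}
    if len(data) < BASE_BLOCK_SIZE:
        report["errors"].append("file shorter than the 4 KiB base block")
        return report
    base = data[:BASE_BLOCK_SIZE]
    if base[:4] != REGF_MAGIC:
        report["errors"].append("bad base block signature %r" % base[:4])
        return report
    seq1, seq2 = struct.unpack_from("<II", base, 0x04)
    major, minor = struct.unpack_from("<II", base, 0x14)
    root_cell, bins_size = struct.unpack_from("<II", base, 0x24)
    stored_csum = struct.unpack_from("<I", base, 0x1FC)[0]
    report.update(version=(major, minor), root_cell=root_cell, hbins_size=bins_size)
    if seq1 != seq2:
        report["errors"].append("sequence numbers differ (%d != %d): hive caught mid-write" % (seq1, seq2))
    if regf_checksum(base) != stored_csum:
        report["errors"].append("base block checksum mismatch")
    # Walk the hive bins that follow the base block.
    off = BASE_BLOCK_SIZE
    end = min(len(data), BASE_BLOCK_SIZE + bins_size)
    while off + 0x20 <= end:
        hdr = data[off:off + 0x20]
        if hdr[:4] == HBIN_MAGIC:
            rel_off, size = struct.unpack_from("<II", hdr, 4)
            if size == 0 or size % BASE_BLOCK_SIZE or rel_off != off - BASE_BLOCK_SIZE:
                report["errors"].append("inconsistent hbin header at 0x%x" % off)
                break
            report["hbins"] += 1
            off += size
        elif not any(hdr):
            # dumpfiles writes pages that were not resident as zeros; assume
            # one page and keep going so the bins after it are still counted.
            report["zero_filled_hbins"] += 1
            off += BASE_BLOCK_SIZE
        else:
            report["errors"].append("garbage where an hbin was expected at 0x%x" % off)
            break
    if len(data) < BASE_BLOCK_SIZE + bins_size:
        report["errors"].append("file truncated: base block promises 0x%x bytes of bins" % bins_size)
    return report


def build_sample_hive(zero_second_bin=False, break_checksum=False):
    """Construct a minimal two-bin hive (sample data, not a real registry file)."""
    bins = bytearray()
    for i in range(2):
        hdr = HBIN_MAGIC + struct.pack("<II", i * BASE_BLOCK_SIZE, BASE_BLOCK_SIZE)
        bins += hdr.ljust(BASE_BLOCK_SIZE, b"\0")
    if zero_second_bin:                       # simulate a page dumpfiles could not find
        bins[BASE_BLOCK_SIZE:] = b"\0" * BASE_BLOCK_SIZE
    base = bytearray(BASE_BLOCK_SIZE)
    base[:4] = REGF_MAGIC
    struct.pack_into("<II", base, 0x04, 7, 7)              # primary == secondary sequence
    struct.pack_into("<II", base, 0x14, 1, 3)              # format version 1.3
    struct.pack_into("<II", base, 0x24, 0x20, len(bins))   # root cell offset, bins size
    base[0x30:0x30 + 20] = "SOFTWARE".encode("utf-16-le").ljust(20, b"\0")
    csum = regf_checksum(base)
    struct.pack_into("<I", base, 0x1FC, csum ^ 1 if break_checksum else csum)
    return bytes(base + bins)
```

Run `check_hive(open(path, "rb").read())` on each file dumpfiles produced. A non-zero `zero_filled_hbins` count means every key and value that lived in those bins is simply absent from the dump, which RegRipper cannot tell you; a sequence-number mismatch means the hive was being written when memory was captured, so the in-memory copy may be half-updated.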
Michael and Jamie,
Thanks. I found I made a couple of stupid mistakes. The second was sending the message below to the wrong email address when I figured out the first late yesterday evening.
My apologies, I've figured out that it was 64 bit, and I was completely mistaken about it being 32 bit.
I assumed that it was 32 bit, because the 64 bit profiles took much longer to run, and I'd assumed they were hanging. I think I used a slow computer, and suspect that having everything on USB also slowed things down.
I decided I ought to check my work better, and let imageinfo run for the three hours it needed. In hindsight, I think I should have run hibinfo instead, as that seems to have indicated the right profile much faster.
I think I can figure the rest out.
Thank you,
andybellman(a)outlook.com
Hi All,
This is an FYI to the maintainers of the Volatility code. I don't need immediate help on this issue but I thought somebody might be interested.
I ran into a problem where the 'linux_pslist' command in volatility is hanging on an Ubuntu 13.04 memory dump. All the other 'ps' related commands seem to run just fine.
I'm running Volatility 2.3.1 and I can supply any other details you need (including the memory dump). I've attached the debug output (I let it run for over 30 minutes on a 1GB dump).
I'm happy to try any suggestions you may have.
Thanks for a great product,
Geoff
==============================
Geoff Torres - HP
==============================
Members of the list,
I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop, I'm pretty sure running Home Premium 32 bit.
I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get:
' Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys)
PAE type : PAE
DTB : 0x0L
KUSER_SHARED_DATA : 0xffdf0000L'
Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get:
'Volatility Foundation Volatility Framework 2.3.1
PO_MEMORY_IMAGE:
Signature: HIBR
SystemTime: 1970-01-01 00:00:00 UTC+0000
Control registers flags
CR0: 00000000
CR0[PAGING]: 0
CR3: 00000000
CR4: 00000000
CR4[PSE]: 0
CR4[PAE]: 0
Windows Version is -.- (-)'
Other modules seem to hang, or produce no results.
I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it.
I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website.
I'm wondering if I'm trying to do something volatility doesn't support yet, or if I am simply making a mistake.
Thanks,
andybellman(a)outlook.com
Hi,
as part of a university course I've developed a Volatility plugin to
extract user credentials cached in an OpenVPN process. Currently the
extraction is limited to OpenVPN 2.2.2 on Windows. Still, maybe this is
useful to someone else.
Code is here: https://github.com/Phaeilo/vol-openvpn
Philip
Hello Aaron and Michael,
This is a machine with a very interesting file corruption case which is most likely malware. I used MoonSols' DumpIt to acquire the image from a Win7 64-bit SP1 machine with 8 GB of RAM. Here's the output of bin2dmp:
bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence)
Convert raw memory dump images into Microsoft crash dump files.
Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>
User , ()
Initializing memory descriptors... Done.
Looking for kernel variables... Done.
Loading file... Done.
Rewritting CONTEXT for Windbg...
-> Context->SegCs at physical address 0x0000000006017F78 modified from 00 into 10
-> Context->SegDs at physical address 0x0000000006017F7A modified from 00 into 2b
-> Context->SegEs at physical address 0x0000000006017F7C modified from 00 into 2b
-> Context->SegFs at physical address 0x0000000006017F7E modified from 00 into [value overwritten by the progress line in the paste]
[0x000000021E600000 of 0x000000021E600000]
MD5 = 2DF9C04AB34D820ACA56B201B1382A88
[...] 0x0000000006017F80 is already equal to 00
[...]6017F82 modified from 00 into 18
Total time for the conversion: 9 minutes 49 seconds.
And here is what I got when I tried loading the dump file in windbg 64:
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\ xxxx.dmp]
Kernel Complete Dump File: Full address space is available
Comment: 'Hibernation file converted with MoonSols Memory Toolkit'
Symbol search path is: C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa…
Executable search path is:
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
Machine Name:
Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0
Debug session time: Sun Mar 2 21:08:59.275 2014 (UTC + 0:00)
System Uptime: 0 days 7:22:16.509
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Loading Kernel Symbols
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
.Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
Image path too long, possible corrupt data.
Loading unloaded module list
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
..Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
CS descriptor lookup failed
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get program counter
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4D415454, {1, 2, 3, 4}
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
***** Debugger could not find nt in module list, module list might be corrupt, error 0x80070057.
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
[... the same line repeated 203 more times ...]
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
GetContextState failed, 0xD0000147
[... the same line repeated 21 more times ...]
-----Original Message-----
From: AAron Walters [mailto:awalters@4tphi.net]
Sent: 02 March 2014 20:50
To: Smelkovs, Konrads (London)
Cc: Michael Ligh
Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64
Hi Konrads,
Nice to meet you. Thanks for joining the mailing list.
Is the machine you are trying to analyze part of an investigation or a test machine? A physical machine or a virtual machine? Does it have any unusual devices connected to it?
If you convert the sample to windbg format using the MoonSols tools, will it load in the Windows debugger?
Thanks,
AAron Walters
The Volatility Foundation
On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote:
> Hi,
>
> Hangs on both Linux and Windows. I used MoonSols' memory acquisition tools. What tools would you suggest to use instead?
>
>
> -----Original Message-----
> From: Michael Ligh [mailto:michael.ligh@mnin.org]
> Sent: 02 March 2014 16:25
> To: Smelkovs, Konrads (London)
> Cc: vol-users(a)volatilityfoundation.org
> Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64
>
> Hi Konrads,
>
> Thanks for the output. At the moment, it looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please:
>
> * Does it also hang on Linux, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages?
> * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump?
>
> Thanks,
> Michael
>
>
> This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it.
> This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it.
> Any communications made with KPMG may be monitored and a record may be kept of any communication.
> Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter.
> A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office.
> KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.
>
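Michael's diagnosis in the quoted reply rests on one observation: a read of a physical address far beyond the end of the file means that some paging-structure entry points outside the image, whether because the acquisition tool wrote a bad page or because the page tables in the guest were damaged. The Python below is an added example, not Volatility's address-space code: it translates a virtual address through a four-level x64 page table stored in a raw image, checks every frame it is about to read against the image size, and reports which level holds the bad entry instead of reading garbage or looping. The image, the DTB and the virtual addresses are constructed in the script; the poisoned PDE uses the frame value Michael quoted so the failure mode matches the thread.

```python
import struct

PAGE = 0x1000
PFN_MASK = 0x000FFFFFFFFFF000        # bits 12-51 of an x64 paging entry
PRESENT = 1 << 0
LARGE_PAGE = 1 << 7                  # PS bit: 1 GiB page in a PDPTE, 2 MiB in a PDE


class RawImage:
    """A raw (dd-style) physical memory image, here held entirely in memory."""

    def __init__(self, data):
        self.data = data

    def read_qword(self, paddr):
        if paddr < 0 or paddr + 8 > len(self.data):
            raise ValueError("physical 0x%x lies outside the %d-byte image" % (paddr, len(self.data)))
        return struct.unpack_from("<Q", self.data, paddr)[0]


def translate(img, dtb, vaddr):
    """Walk PML4 -> PDPT -> PD -> PT for vaddr inside the image.

    Returns (physical address, name of the entry that completed the walk).
    Raises ValueError naming the level whose entry is not present or whose
    frame lies beyond the image, rather than reading garbage or looping."""
    size = len(img.data)
    if dtb & 0xFFF or dtb + PAGE > size:
        raise ValueError("DTB 0x%x is not a page-aligned frame inside the image" % dtb)
    table = dtb
    levels = (("PML4E", 39), ("PDPTE", 30), ("PDE", 21), ("PTE", 12))
    for depth, (name, shift) in enumerate(levels):
        index = (vaddr >> shift) & 0x1FF
        entry = img.read_qword(table + index * 8)   # table was bounds-checked already
        if not entry & PRESENT:
            raise ValueError("%s for 0x%x is not present (0x%x)" % (name, vaddr, entry))
        frame = entry & PFN_MASK
        if depth == 3 or (depth in (1, 2) and entry & LARGE_PAGE):
            page_mask = (1 << shift) - 1            # 4 KiB, 2 MiB or 1 GiB page
            paddr = (frame & ~page_mask) + (vaddr & page_mask)
            if paddr >= size:
                raise ValueError("%s maps 0x%x to physical 0x%x beyond the image" % (name, vaddr, paddr))
            return paddr, name
        if frame + PAGE > size:
            raise ValueError("%s for 0x%x points at table frame 0x%x beyond the %d-byte image"
                             % (name, vaddr, frame, size))
        table = frame


# Constructed sample: four page-table pages and one data page in a 64 KiB image.
DTB = 0x1000
GOOD_VA = 0x00007FFF00001234      # PML4[0xFF] -> PDPT[0x1FC] -> PD[0] -> PT[1] -> 0x5000
LARGE_VA = 0x00007FFF00401234     # PD[2] is a 2 MiB page starting at frame 0
POISONED_VA = 0x00007FFF00201234  # PD[1] carries the frame Michael quoted


def build_sample_image():
    img = bytearray(16 * PAGE)

    def set_entry(table, index, value):
        struct.pack_into("<Q", img, table + index * 8, value)

    set_entry(0x1000, 0xFF, 0x2000 | 0x3)              # PML4E -> PDPT, present + writable
    set_entry(0x2000, 0x1FC, 0x3000 | 0x3)             # PDPTE -> PD
    set_entry(0x3000, 0x0, 0x4000 | 0x3)               # PDE -> PT
    set_entry(0x4000, 0x1, 0x5000 | 0x3)               # PTE -> data page
    set_entry(0x3000, 0x2, 0x0 | LARGE_PAGE | 0x3)     # 2 MiB page covering frame 0
    set_entry(0x3000, 0x1, 0x000F8B4C0575D000 | 0x3)   # garbage frame, far past the image
    return RawImage(bytes(img))
```

The point of the explicit size check at each level is diagnostic: an analysis tool that silently returns None for the unreadable frame, as the `read_long_long_phys` messages in the thread suggest, leaves you guessing whether the image or the page tables are bad, whereas naming the level and the frame tells you immediately that a PDE in the guest carries a 52-bit frame number no 8 GB machine can have.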
Working on a system that has been beaconing out to bad places and noticed
this in the 'pstree' output (abbreviated):
Name Pid PPid
-------------------------------------------------- ------ ------
0x894ca030:csrss.exe 580 484 ...
0x8f25b5b0:wininit.exe 632 484 ...
. 0x8f379d40:services.exe 692 632 ...
.. 0xb12484c0:FireSvc.exe 2064 692 ...
.. 0xaecc6d40:svchost.exe 3332 692 ...
...
.. 0xb3eeb030:svchost.exe 3780 692 ...
.. 0x85e518e8:msdtc.exe 5332 692 ...
... 0x82651d40:explorer.exe 5400 5332 ...
.... 0x85dcc3b0:pmcs.exe 1608 5400 ...
.... 0x85dc9240:EpePcMonitor.e 6108 5400 ...
.... 0x85c92030:BTTray.exe 4744 5400 ...
.... 0x8652c928:iexplore.exe 7028 5400 ...
..... 0x86721030:iexplore.exe 7364 7028 ...
...... 0x866f2030:jp2launcher.ex 5356 7364 ...
....... 0x8678c408:java.exe 7700 5356 ...
...
Is it just me or is msdtc.exe a very odd parent for explorer.exe? I would
normally expect userinit.exe to start explorer and then exit, leaving it
with no visible parent.
Any input appreciated...
-=[ Steve ]=-
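Steve's instinct above is the standard one: on Windows 7 explorer.exe is started by userinit.exe, which then exits, so in a memory image explorer.exe normally has a PPid that no longer resolves to anything. One caveat before treating the tree as evidence: pstree links children to parents by PPid alone, and Windows reuses PIDs, so any process that was later assigned the PID the dead userinit.exe had will show up as explorer's parent. Process creation times settle it, because a genuine parent is always created before its child. The Python below is an added example, not code from Volatility or from the thread: it parses a pstree-style listing, checks each well-known process against a table of expected parents, and, when creation times are present, labels a mismatch as probable PID reuse if the "parent" was created after the child. The input lines are constructed from the output Steve quoted, with made-up creation times.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "offset name pid ppid created")

# pstree-style line: optional depth dots, offset:name, Pid, PPid, optional creation time.
# pstree truncates names to 14 characters (EpePcMonitor.e, jp2launcher.ex above), which
# is why the table below only contains short names.
LINE = re.compile(
    r"^\.*\s*0x(?P<offset>[0-9a-fA-F]+):(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"(?:\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?")

# Windows 7: child name -> (acceptable parent names, parent has normally exited by now).
EXPECTED_PARENT = {
    "csrss.exe":    ({"smss.exe"}, True),
    "wininit.exe":  ({"smss.exe"}, True),
    "winlogon.exe": ({"smss.exe"}, True),
    "services.exe": ({"wininit.exe"}, False),
    "lsass.exe":    ({"wininit.exe"}, False),
    "lsm.exe":      ({"wininit.exe"}, False),
    "svchost.exe":  ({"services.exe"}, False),
    "msdtc.exe":    ({"services.exe"}, False),
    "userinit.exe": ({"winlogon.exe"}, False),
    "explorer.exe": ({"userinit.exe"}, True),
}


def parse_pstree(text):
    """Return {pid: Proc} for every line that looks like a pstree row."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            p = Proc(int(m.group("offset"), 16), m.group("name"),
                     int(m.group("pid")), int(m.group("ppid")), m.group("created"))
            procs[p.pid] = p
    return procs


def check_tree(procs):
    """Return (pid, name, issue) for every process whose parent is not the expected one."""
    findings = []
    for p in procs.values():
        rule = EXPECTED_PARENT.get(p.name.lower())
        if rule is None:
            continue
        allowed, parent_may_be_gone = rule
        parent = procs.get(p.ppid)
        if parent is None:
            if not parent_may_be_gone:
                findings.append((p.pid, p.name, "parent PID %d is not in the image" % p.ppid))
            continue
        if parent.name.lower() in allowed:
            continue
        issue = "unexpected parent %s (pid %d)" % (parent.name, parent.pid)
        # Timestamps are zero-padded ISO strings, so plain string comparison orders them.
        if p.created and parent.created and parent.created > p.created:
            issue += "; parent created after child, so PID %d was probably reused" % parent.pid
        findings.append((p.pid, p.name, issue))
    return findings


# Constructed from the abbreviated pstree output above; the creation times are made up.
SAMPLE_PSTREE = """\
Name                                              Pid    PPid   Time
------------------------------------------------- ------ ------ -------------------
0x894ca030:csrss.exe                               580    484   2014-03-02 13:46:41
0x8f25b5b0:wininit.exe                             632    484   2014-03-02 13:46:42
. 0x8f379d40:services.exe                          692    632   2014-03-02 13:46:43
.. 0xb12484c0:FireSvc.exe                         2064    692   2014-03-02 13:46:50
.. 0xaecc6d40:svchost.exe                         3332    692   2014-03-02 13:46:51
.. 0x85e518e8:msdtc.exe                           5332    692   2014-03-02 20:58:03
... 0x82651d40:explorer.exe                       5400   5332   2014-03-02 13:47:12
.... 0x8652c928:iexplore.exe                      7028   5400   2014-03-02 19:30:00
"""
```

With these sample times msdtc.exe is seven hours younger than the explorer.exe it appears to own, which is the PID-reuse explanation; if the real image shows msdtc.exe created before explorer.exe, the tree is telling the truth and the explorer instance (or its parent attribute) deserves a closer look.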
Hello,
C:\ >volatility-2.3.1.standalone.exe -f C:\image.raw kdbgscan --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.3.1
.....
Never finishes - analysing 8 gig dump, CPU max. Help?
Hi list,
I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64 as an example.
My question is this: is there any way to link a _FILE_OBJECT back to the process that generated it, without a valid handle or an entry in the VAD tree?
This article discusses it: http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processe… - however, this approach only works if there is a valid handle for the open file.
Here's an example:
I open notepad, and open a simple text file that contains "This is the contents of the file". Performing a scan over the memory dump reveals this data in two locations:
1 - 0x1448f000 - This is the contents of the file found through the _FILE_OBJECT->SectionObjectPointers->DataSectionObject. This points to a control area, and through that I can locate the Subsection-BasePTE, which shows that the page is in transition and has a PFN of 0x1448f. So this allows me to find the data through the _FILE_OBJECT.
2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is where the data has been mapped into.
So examining the two pages through WinDbg gives me this information:
lkd> !pfn 1448f
PFN 0001448F at address FFFFFA80003CDAD0
flink 00015B8F blink / share count 00013ED5 pteaddress FFFFF8A0008AD010
reference count 0000 used entry count 0000 Cached color 0 Priority 5
restore pte FA800325553004C0 containing page 00ABBA Standby P Shared

lkd> !pte FFFFF8A0008AD010 1
VA fffff8a0008ad010
PXE at FFFFF8A0008AD010 PPE at FFFFF8A0008AD010 PDE at FFFFF8A0008AD010 PTE at FFFFF8A0008AD010
contains 000000001448F8C0
not valid
Transition: 1448f
Protect: 6 - ReadWriteExecute
As can be seen, the page containing the original data is shared, is on the standby list, and points to a prototype PTE.
lkd> !pfn 39d33
PFN 00039D33 at address FFFFFA8000AD7990
flink 00039D88 blink / share count 00039D1E pteaddress FFFFF6800001CAC8
reference count 0000 used entry count 0000 Cached color 0 Priority 3
restore pte 1635500000080 containing page 0274B8 Standby

lkd> !pte FFFFF6800001CAC8 1
VA fffff6800001cac8
PXE at FFFFF6800001CAC8 PPE at FFFFF6800001CAC8 PDE at FFFFF6800001CAC8 PTE at FFFFF6800001CAC8
contains 0000000000000000
not valid
The PTE within Notepad's heap is marked as not valid, but also shows that the page is on the standby list.
As the page located through the FILE_OBJECT is marked as shared, and points to a prototype PTE, is there any way of locating this prototype PTE and using it to track back to Notepad? So, for instance, would it be possible to locate the PPTE by searching memory for the 'MmSt' tag, and then parse the PPTE to gain any information? Or does the PPTE not track backwards in that way?
Essentially, if the page containing the data found through the _FILE_OBJECT is shared, what is it shared with, and is it possible to track this information, using either the PFN database, prototype PTE entries, or something else I haven't thought of?
Any input or advice would be appreciated.
Thanks
Josh.
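As an added example (not from Josh's post, nor Volatility or WinDbg code), the raw PTE values quoted in the WinDbg session above decoded bit by bit, so the "Transition: 1448f Protect: 6 - ReadWriteExecute" line can be reproduced from 000000001448F8C0, and the second page's restore PTE can be read as a pagefile PTE. It assumes the Windows 7 x64 hardware, transition and software PTE layouts; prototype-form PTEs carry an address in their high bits with a different layout, so only that flag is reported.

```python
from dataclasses import dataclass
from typing import Optional

# Protection names as WinDbg's !pte prints them (MM_* constants, low 3 bits of the field)
PROTECT_NAMES = {0: "NoAccess", 1: "ReadOnly", 2: "Execute", 3: "ExecuteRead",
                 4: "ReadWrite", 5: "WriteCopy", 6: "ReadWriteExecute",
                 7: "ExecuteWriteCopy"}

@dataclass
class PteInfo:
    state: str                           # zero | valid | transition | prototype | pagefile
    pfn: Optional[int] = None            # page frame number (valid and transition PTEs)
    protect: Optional[int] = None        # raw 5-bit software protection field
    protect_name: Optional[str] = None
    pagefile_high: Optional[int] = None  # pagefile offset of a paged-out private page

def decode_x64_pte(pte: int) -> PteInfo:
    """Decode a Windows 7 x64 PTE in hardware or software form.

    Bit 0 is the hardware valid bit. In an invalid (software) PTE, bits 5-9
    hold the protection, bit 10 the prototype flag and bit 11 the transition
    flag; a transition PTE keeps the PFN in bits 12-47, a pagefile PTE keeps
    the pagefile offset in bits 32-63. Prototype-form PTEs use a different
    layout for their high bits, so only the flag is reported for them.
    """
    pfn_mask = (1 << 36) - 1
    if pte == 0:
        return PteInfo("zero")  # demand-zero / never touched
    if pte & 1:
        return PteInfo("valid", pfn=(pte >> 12) & pfn_mask)
    protect = (pte >> 5) & 0x1F
    name = PROTECT_NAMES[protect & 7]
    if pte & (1 << 10):
        return PteInfo("prototype")
    if pte & (1 << 11):
        return PteInfo("transition", pfn=(pte >> 12) & pfn_mask,
                       protect=protect, protect_name=name)
    return PteInfo("pagefile", protect=protect, protect_name=name,
                   pagefile_high=pte >> 32)

if __name__ == "__main__":
    # The two PTE contents and the private page's restore PTE from the WinDbg output above
    for value in (0x000000001448F8C0, 0x0000000000000000, 0x1635500000080):
        print(f"{value:016x} -> {decode_x64_pte(value)}")
```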