Hi Kim,
Yes, unfortunately we're only able to enumerate 1 process in the linked
list. This typically happens when the acquisition tool fails to acquire
one or more pages of memory containing the necessary puzzle pieces (or
"links"). In some cases, if it's a minor smearing issue, you can still
salvage some data by using psscan, which does a brute force scan of the
entire memory dump for processes (even if they aren't linked). However,
I noticed your psscan results only had 2 entries. This means the
acquisition tool failed to acquire a whole lot more than just a couple
pages. In the past, we've seen that happen quite a bit with DumpIt, FTK
Imager, and Memoryze.
Do you still have access to the suspect machine by any chance?
Thanks,
Michael
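The contrast Michael draws above, a linked-list walk that stops at the first missing page versus a brute-force scan that recovers any record whose bytes survived acquisition, as an added Python example that is not part of this thread and not Volatility's code. Everything in it is constructed: the 40-byte record layout, the `Proc`/`Head` tags, the page offsets and the process names are a toy stand-in for `_EPROCESS` and `PsActiveProcessHead`, not the real Windows structures, and `Flink` points at the next record's start rather than at an embedded `LIST_ENTRY`.

```python
"""Toy model of list walking (pslist) versus pool-tag carving (psscan).

Added example, not Volatility's code. The record layout is a constructed,
simplified stand-in for a Windows _EPROCESS: a 4-byte tag, a 16-bit pid,
a 16-byte name and a Flink/Blink pair, laid out in a fake memory dump
of 4 KiB pages.
"""
import struct

PAGE = 4096
PROC_TAG = b"Proc"            # constructed; the real pool tag differs
HEAD_TAG = b"Head"            # marks the list head so it is never carved
FMT = "<4sH2x16sQQ"           # tag, pid, pad, name, flink, blink
SIZE = struct.calcsize(FMT)   # 40 bytes
FLINK_OFF, BLINK_OFF = 24, 32


def build_dump(procs, head_off, page_count=8):
    """Lay out the head plus (pid, name, offset) records as a ring."""
    dump = bytearray(PAGE * page_count)
    ring = [head_off] + [off for _, _, off in procs]
    recs = [(HEAD_TAG, 0, b"")] + [(PROC_TAG, pid, name) for pid, name, _ in procs]
    for i, ((tag, pid, name), off) in enumerate(zip(recs, ring)):
        nxt, prv = ring[(i + 1) % len(ring)], ring[(i - 1) % len(ring)]
        struct.pack_into(FMT, dump, off, tag, pid, name, nxt, prv)
    return dump


def drop_page(dump, page_index):
    """Simulate a page the acquisition tool failed to read (zero-filled)."""
    dump[page_index * PAGE:(page_index + 1) * PAGE] = bytes(PAGE)


def unlink(dump, off):
    """Splice a record out of the list; its bytes stay in memory."""
    _, _, _, flink, blink = read_record(dump, off)
    struct.pack_into("<Q", dump, blink + FLINK_OFF, flink)  # prev.Flink = next
    struct.pack_into("<Q", dump, flink + BLINK_OFF, blink)  # next.Blink = prev


def read_record(dump, off):
    if off < 0 or off + SIZE > len(dump):
        return None
    tag, pid, name, flink, blink = struct.unpack_from(FMT, dump, off)
    return tag, pid, name.rstrip(b"\0"), flink, blink


def is_valid_proc(rec):
    """Cheap sanity checks, standing in for psscan's structure validation."""
    tag, pid, name, _, _ = rec
    return tag == PROC_TAG and pid != 0 and len(name) > 0 and name.isascii()


def walk_list(dump, head_off, limit=1000):
    """pslist-style: follow Flink from the head until it returns or breaks."""
    found, seen = [], set()
    flink = read_record(dump, head_off)[3]
    while flink != head_off and flink not in seen and len(found) < limit:
        seen.add(flink)
        rec = read_record(dump, flink)
        if rec is None or not is_valid_proc(rec):
            break  # pointer lands in a missing or garbage page: the list is smeared
        found.append((rec[1], rec[2].decode()))
        flink = rec[3]
    return found


def scan_pool(dump):
    """psscan-style: brute-force the whole dump for tagged, plausible records."""
    found, off = [], dump.find(PROC_TAG)
    while off != -1:
        rec = read_record(dump, off)
        if rec is not None and is_valid_proc(rec):
            found.append((rec[1], rec[2].decode()))
        off = dump.find(PROC_TAG, off + 1)
    return found


def demo():
    """Constructed scenario: one unlinked process, then one unacquired page."""
    head = 0x100
    procs = [(4, b"System", 1 * PAGE + 0x40),
             (372, b"csrss.exe", 2 * PAGE + 0x80),
             (636, b"svchost.exe", 3 * PAGE + 0x40),
             (4540, b"WmiPrvSE.exe", 5 * PAGE + 0x10)]
    intact = build_dump(procs, head)
    hidden = bytearray(intact)
    unlink(hidden, procs[3][2])       # WmiPrvSE.exe removed from the list only
    smeared = bytearray(intact)
    drop_page(smeared, 2)             # csrss.exe's page was never acquired
    return {
        "walk_intact": walk_list(intact, head),
        "walk_hidden": walk_list(hidden, head),
        "scan_hidden": scan_pool(hidden),
        "walk_smeared": walk_list(smeared, head),
        "scan_smeared": scan_pool(smeared),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

In the "hidden" dump the walk loses the unlinked record while the scan still sees it, which is the case psscan is built for; in the "smeared" dump the walk stops at the zeroed page and the scan also loses the record that lived there, which is why a psscan result with only a couple of entries points at the capture rather than at the list.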
On 7/25/16 11:07 AM, Kim Palechek wrote:
 Thank you so much for getting back so quickly. Below are the results of the kdbgscan. Encase is the tool used for acquisition.
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP1x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP0x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP1x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP0x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 Kim Palechek, CISSP, CEH
 IT Security Operations Specialist, (Information Security, Risk and Compliance)
 3M Information Technology
 3M Center, Bldg, 0224-04-E-21
 Phone: 736-6526
 kspalechek(a)mmm.com
 The absence of evidence is not the evidence of absence.
 On 7/25/16, 10:53 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
     Hi Kim,
     Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the
     results?
     Also, do you know what tool was used for acquisition? My gut feeling is
     this is probably related to a bad capture, but I'll wait on the kdbgscan
     results to tell for sure.
     Thanks,
     Michael
     On 7/25/16 7:42 AM, Kim Palechek wrote:
 I need some assistance with an issue that I recently came across. I am trying to run volatility plugins against the image Win2008R2SP1x64 and it doesn't seem to be providing complete information. Below are a few examples. Any ideas on the 'lack of information'?
 $ vol.py pstree
 Volatility Foundation Volatility Framework 2.5
 Name                                                  Pid   PPid   Thds   Hnds Time
 -------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8024e15040:                                    0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 $ vol.py psscan
 Volatility Foundation Volatility Framework 2.5
 Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
 ------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
 0x00000000023551b0 conhost.exe       13692    372 0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
 0x000000000235b060 WmiPrvSE.exe       4540    636 0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 $ vol.py pslist
 Volatility Foundation Volatility Framework 2.5
 Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
 ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
 0xfffffa8024e15040                           0      0      0 -------- ------      0