[Vol-users] (win7x64) : creating images for volatility

Hi guys, Currently I've got a sample of an infected win7 machine with enough memory (8gb) which is not being used by anything except for 'the malware' (no running office etc) so quite a lot of stuff should not have been swapped out of memory yet. Strangely, I can't dump the process: ; vol.py -f dump.raw --profile=Win7SP1x64 procexedump -p 4932 --dump-dir results/4932.bin Volatile Systems Volatility Framework 2.2 Process(V) ImageBase Name Result ------------------ ------------------ -------------------- ------ Okay so it might be not in memory anymore... fine. So let's scan for network activity using connscan. This does not yield any results either.... just like svcscan. Also the image is very very slow... on a regular machine (core i5 2400, 20gb mem) running imageinfo on the 8gb images takes about 10 minutes. Also malfind mentions : WARNING : volatility.obj : NoneObject as string: Invalid Address 0x05140000, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x05140000, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x21A4C320A, instantiating _MMADDRESS_NODE WARNING : volatility.obj : NoneObject as string: Invalid Address 0x21A4C320A, instantiating _MMADDRESS_NODE Psxview says al processes are like this: 0x000000021a841060 <PROCESSNAME> 6640 False True False False False Isn't that just weird? (yes it's because psscan is the only module being able to retrieve data from memory... but isn't that strange) This makes me presume my memory images are broken. My collaegue probably (!) used winpmem -f for doing this. What's the best way to create a memory image on a windows7 x64 box without having admin? (these boxes are remotely managed and it takes a looooot of time to make sure an admin will do something). Or is this just perfectly normal behaviour and is win7x64 just being badly supported by volatility? (I know the networkbased plugins don't work but that's okay... it's being mentioned in the docs) Furthermore: during our recent volatility training (in amsterdam), we used a plugin for getting data from internet explorer history. I had a look online and didn't find it, is it non-public? Cheers, Boudewijn Ector