RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

Hi, Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What tools would you suggest to use instead? -----Original Message----- From: Michael Ligh [mailto:michael.ligh@mnin.org] Sent: 02 March 2014 16:25 To: Smelkovs, Konrads (London) Cc: vol-users(a)volatilesystems.com Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64 Hi Konrads, Thanks for the output. At the moment, its looks like the page table is corrupt (based on the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way outside the size of your file). Whether the acquisition tool or Volatility's address space parser is to blame, I'm not currently sure. Can you answer a few additional questions, please: * Does it also hang on Linux also, or does it complete sometime after printing those "None object instantiated: Unable to read_long_long_phys" messages? * What tool did you acquire memory with? Is it possible to re-acquire in a different format, such as a Windows crash dump? Thanks, Michael This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited (together, "KPMG"). ELLP does not provide services to clients and none of its subsidiaries has authority to bind it. This email, and any attachments, is confidential and may be privileged or otherwise protected from disclosure. It is intended solely for the stated addressee(s) and access to it by any other person is unauthorised. If you are not the intended recipient, you must not disclose, copy, circulate or in any other way use or rely on the information contained herein. If you have received this email in error, please inform us immediately and delete all copies of it. Any communications made with KPMG may be monitored and a record may be kept of any communication. Any opinion or advice contained herein is subject to the terms and conditions set out in your KPMG LLP client engagement letter. A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered office. KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited (registered no. 03580549) are companies registered in England and Wales. Each entity's registered office is at 15 Canada Square, London, E14 5GL.