Thanks, and that makes sense. The 2nd System process at the end that George noticed yesterday is found by psscan but not in any other lists; that makes sense also.

MHL

On Fri, Aug 17, 2012 at 10:40 AM, Armet, Lee <Lee.Armet@td.com> wrote:

Yeah, I realize what I had done.

 

I used mount_ewf.py to mount the memory images to /mnt/ewf

I copied the file from /mnt/ewf to /home/sansforensics/Desktop/VM…/

 

The file did NOT completely copy over… and was only 1.8 GB of the 3.3 GB it should have been. My mistake!

 

My psxview looks great now:

 

root@SIFT-Workstation:/home/sansforensics/Desktop/VMware-Shared-Drive/myCases/2012-08-0016/mits# vol.py -f mits_ram --profile=Win7SP0x86 psxview

Volatile Systems Volatility Framework 2.2_alpha

Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss

---------- -------------------- ------ ------ ------ -------- ------- -----

0xcd1cf030 ccSvcHst.exe           3040 True   True   True     True    True

0xcd322340 svchost.exe             724 True   True   True     True    True

0xcf35d7a0 ISUSPM.exe             3956 True   True   True     True    True

0xcf335708 pdfPro5Hook.ex         3832 True   True   True     True    True

0xcd097930 svchost.exe            1764 True   True   True     True    True

0xcd439910 csrss.exe               432 True   True   True     True    False

0xcd2edb18 dwm.exe                3416 True   True   True     True    True

0xcd348318 svchost.exe             804 True   True   True     True    True

0xcd181030 Smc.exe                2256 True   True   True     True    True

0xcf35b930 BrCcUxSys.exe          1136 True   True   True     True    True

0xcd2bf340 explorer.exe           3492 True   True   True     True    True

0x05760020 System                    4 True   True   True     True    False

0xcd2aa030 wininit.exe             504 True   True   True     True    True

0xcf360750 SearchIndexer.         2588 True   True   True     True    True

0xcd685030 spoolsv.exe            1460 True   True   True     True    True

0xcd2dd128 lsass.exe               600 True   True   True     True    True

0xcd2d9030 winlogon.exe            592 True   True   True     True    True

0xcce07708 BrYNSvc.exe            4080 True   True   True     True    True

0xcf31c030 BrStMonW.exe           3936 True   True   True     True    True

0xcd695b38 armsvc.exe             1584 True   True   True     True    True

0xcda012b0 lsm.exe                 632 True   True   True     True    True

0xcdc8ebd8 audiodg.exe            3144 True   True   True     True    True

0xcdcfb4c0 smss.exe                304 True   True   True     True    False

0xcd0535e0 svchost.exe            1492 True   True   True     True    True

0xcdb93030 conhost.exe            1324 True   True   True     True    True

0xcd3a0030 svchost.exe             996 True   True   True     True    True

0xcf300800 jusched.exe            3680 True   True   True     True    True

0xcd2d5548 services.exe            568 True   True   True     True    True

0xcd6b0ad0 PDFProFiltSrvP         1620 True   True   True     True    True

0xcd36b638 BrCtrlCntr.exe         3984 True   True   True     True    True

0xcd389958 svchost.exe             940 True   True   True     True    True

0xcddc7030 winen.exe              3160 True   True   True     True    True

0xcddaad40 sppsvc.exe             3276 True   True   True     True    True

0xcf18c998 cmd.exe                3052 True   True   True     True    True

0xcdb7d9e0 w3dbsmgr.exe           1656 True   True   True     True    True

0xcd1e3b50 taskhost.exe           3308 True   True   True     True    True

0xcd7ed830 ccSvcHst.exe           1716 True   True   True     True    True

0xcd3e15e8 agent.exe              2584 True   True   True     True    True

0xcf3304a0 pptd40nt.exe           3772 True   True   True     True    True

0xcd3db030 svchost.exe            1156 True   True   True     True    True

0xcf390728 svchost.exe             796 True   True   True     True    True

0xcd016930 svchost.exe            1332 True   True   True     True    True

0xcd36b030 svchost.exe             888 True   True   True     True    True

0xce7ffc28 HP1006MC.EXE           3232 True   True   True     True    True

0xcd2aa878 csrss.exe               512 True   True   True     True    False

0xcd152d40 wuauclt.exe            2908 True   True   True     True    True

0x8824fd79 System                    4 False  True   False    False   False

 

Regards,


Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group

O:416-982-6855 | M:647-242-0002

 

From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Friday, August 17, 2012 10:00 AM
To: Armet, Lee
Cc: phocean; vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding

 

Hi Lee, 

 

Thanks for the follow-up. Two questions:

 

1) Are you sure the original image is corrupt? You may just need to specify a different dtb or kdbg on command-line. See [ref1] and [ref2]

2) On this new image, I'm assuming the output of psxview looks a lot more reasonable?


Thanks,

MHL

 

On Fri, Aug 17, 2012 at 9:08 AM, Armet, Lee <Lee.Armet@td.com> wrote:

Here is my pstree:

 

root@SIFT-Workstation:/mnt/hgfs/myCases/2012-08-0016/mits# vol.py -f mits_ram --profile=Win7SP0x86 pstree

Volatile Systems Volatility Framework 2.2_alpha

Name                                                  Pid   PPid   Thds   Hnds Time               

-------------------------------------------------- ------ ------ ------ ------ --------------------

0x878aa878:csrss.exe                                 512    496     11    400 2012-08-14 12:05:08

. 0x87193030:conhost.exe                             1324    512      2     54 2012-08-14 17:56:47

 0x878d9030:winlogon.exe                              592    496      3    122 2012-08-14 12:05:08

 0x878aa030:wininit.exe                               504    380      3     79 2012-08-14 12:05:08

. 0x878d5548:services.exe                             568    504      7    233 2012-08-14 12:05:08

.. 0x879db030:svchost.exe                            1156    568     17    361 2012-08-14 12:05:10

.. 0x87a535e0:svchost.exe                            1492    568     18    305 2012-08-14 12:05:11

.. 0x85960750:SearchIndexer.                         2588    568     14    938 2012-08-14 12:07:17

.. 0x87948318:svchost.exe                             804    568      9    296 2012-08-14 12:05:10

.. 0x85990728:svchost.exe                             796    568      5     78 2012-08-14 12:07:18

.. 0x87989958:svchost.exe                             940    568     24    509 2012-08-14 12:05:10

... 0x878edb18:dwm.exe                               3416    940      5    111 2012-08-14 12:07:10

.. 0x8796b030:svchost.exe                             888    568     19    504 2012-08-14 12:05:10

... 0x86e8ebd8:audiodg.exe                           3144    888      5    129 2012-08-14 17:53:07

.. 0x87a16930:svchost.exe                            1332    568     16    524 2012-08-14 12:05:10

.. 0x87485030:spoolsv.exe                            1460    568     17    396 2012-08-14 12:05:11

.. 0x86faad40:sppsvc.exe                             3276    568      4    166 2012-08-14 17:54:40

.. 0x8717d9e0:w3dbsmgr.exe                           1656    568     11    197 2012-08-14 12:05:11

.. 0x875ed830:ccSvcHst.exe                           1716    568     62   1441 2012-08-14 12:05:11

... 0x87bcf030:ccSvcHst.exe                          3040   1716     19    293 2012-08-14 12:07:09

.. 0x874b0ad0:PDFProFiltSrvP                         1620    568      5     60 2012-08-14 12:05:11

.. 0x87495b38:armsvc.exe                             1584    568      4     67 2012-08-14 12:05:11

.. 0x87a97930:svchost.exe                            1764    568     10    159 2012-08-14 12:05:11

.. 0x87b81030:Smc.exe                                2256    568     23    637 2012-08-14 12:05:17

.. 0x879a0030:svchost.exe                             996    568     32   1103 2012-08-14 12:05:10

... 0x87b52d40:wuauclt.exe                           2908    996      3     91 2012-08-14 12:08:36

.. 0x87be3b50:taskhost.exe                           3308    568      8    187 2012-08-14 12:07:10

.. 0x87c07708:BrYNSvc.exe                            4080    568      7    128 2012-08-14 12:07:12

.. 0x87922340:svchost.exe                             724    568      9    368 2012-08-14 12:05:09

... 0x879e15e8:agent.exe                             2584    724      6    259 2012-08-14 12:17:14

... 0x865ffc28:HP1006MC.EXE                          3232    724      5     85 2012-08-14 12:07:09

. 0x878dd128:lsass.exe                                600    504      7    660 2012-08-14 12:05:08

. 0x870012b0:lsm.exe                                  632    504     10    140 2012-08-14 12:05:09

 0x87639910:csrss.exe                                 432    380      9    682 2012-08-14 12:05:07

 0x878bf340:explorer.exe                             3492   3260     24    852 2012-08-14 12:07:10

. 0x85b8c998:cmd.exe                                 3052   3492      1     20 2012-08-14 17:56:47

.. 0x86fc7030:winen.exe                              3160   3052      3     86 2012-08-14 17:57:20

. 0x85935708:pdfPro5Hook.ex                          3832   3492      2     55 2012-08-14 12:07:11

. 0x859304a0:pptd40nt.exe                            3772   3492      3     72 2012-08-14 12:07:11

. 0x85900800:jusched.exe                             3680   3492      1     42 2012-08-14 12:07:11

. 0x8591c030:BrStMonW.exe                            3936   3492      5    143 2012-08-14 12:07:12

. 0x8595d7a0:ISUSPM.exe                              3956   3492      7    248 2012-08-14 12:07:12

 0x8796b638:BrCtrlCntr.exe                           3984   3916      2    142 2012-08-14 12:07:12

. 0x8595b930:BrCcUxSys.exe                           1136   3984      2     92 2012-08-14 12:07:12

 0x85760020:System                                      4      0    124    599 2012-08-14 12:05:00

. 0x86efb4c0:smss.exe                                 304      4      2     33 2012-08-14 12:05:00

 

Regards,


Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group

O:416-982-6855 | M:647-242-0002

 

From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Thursday, August 16, 2012 2:20 PM
To: phocean; Armet, Lee
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding

 

So the weird PID is because the pid column is fixed width for an unsigned short (since the maximum pid is 65535); however, the EPROCESS.UniqueProcessId is actually defined as an unsigned int. So what happened is psscan (process pool scanner) picked up a possible structure whose UniqueProcessId value is larger than any valid PID, and it gets shortened to "14...5" to fit in the column. I suppose we should fix it so that the whole unsigned int can fit, even though those entries are likely to be false positives or a real EPROCESS structure whose pid member has been overwritten.

 

But yes, the False in pslist, thrdproc, etc. is strange. Does the pslist command work on your image? Also, can you paste the full command-line you're using (not just the output)?

 

Thanks,

MHL
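As an added illustration of the column behaviour described above (example code written for this thread, not code from the list or from the Volatility project): a psxview-style cross-view over constructed process listings, with the fixed-width PID column that squeezes an out-of-range UniqueProcessId into "14...5" and a widened column that shows it whole. The offsets, names and the 1400000005 PID are constructed samples modelled on the thread's output, and the middle-eliding rule is an assumption that reproduces the visible result rather than Volatility's own renderer.

```python
"""Added example, not code from the thread or from Volatility: a psxview-style
cross-view over constructed process listings, plus the fixed-width PID column that
squeezes an out-of-range UniqueProcessId into "14...5" until the column is widened."""

def fit_column(text, width):
    """Squeeze text into width by eliding the middle with '...'. Assumption:
    this reproduces the visible "14...5" result, not Volatility's own renderer."""
    if len(text) <= width:
        return text
    keep = width - 3            # characters left after the '...'
    head = (keep + 1) // 2      # width 6 -> keep 3 -> head 2, tail 1
    tail = keep - head
    return text[:head] + "..." + (text[-tail:] if tail else "")

# Constructed enumeration results modelled on the thread: offset -> (name, pid).
PSLIST = {0x05760020: ("System", 4), 0xcd2bf340: ("explorer.exe", 3492)}
THRDPROC = dict(PSLIST)
PSSCAN = dict(PSLIST)
PSSCAN[0x8824fd79] = ("System", 4)       # pool scan only: stale/terminated object
PSSCAN[0x2253cfb9] = ("", 1400000005)    # pool scan only: PID field overwritten
METHODS = {"pslist": PSLIST, "psscan": PSSCAN, "thrdproc": THRDPROC}

def cross_view(methods=METHODS, pid_width=6):
    """One row per offset: (offset, name, rendered pid, {method: seen})."""
    offsets = set().union(*(m.keys() for m in methods.values()))
    rows = []
    for off in sorted(offsets):
        name, pid = next(m[off] for m in methods.values() if off in m)
        seen = {label: off in m for label, m in methods.items()}
        rows.append((off, name, fit_column(str(pid), pid_width), seen))
    return rows

def review_queue(rows):
    """Offsets found by psscan alone; each needs a second look (terminated, false positive, unlinked)."""
    return [off for off, _, _, seen in rows
            if seen["psscan"] and not any(v for k, v in seen.items() if k != "psscan")]

def render(rows, pid_width=6):
    """Fixed-width table in psxview's layout; pass pid_width=10 to see the full PID."""
    labels = list(rows[0][3]) if rows else []
    out = ["%-10s %-20s %*s %s" % ("Offset(P)", "Name", pid_width, "PID", " ".join(labels))]
    for off, name, pid, seen in rows:
        flags = " ".join("%-*s" % (len(l), str(seen[l])) for l in labels)
        out.append("0x%08x %-20s %*s %s" % (off, name, pid_width, pid, flags))
    return "\n".join(out)

if __name__ == "__main__":
    print(render(cross_view()))                      # PID column shows 14...5
    print(render(cross_view(pid_width=10), pid_width=10))
```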

On Thu, Aug 16, 2012 at 1:47 PM, phocean <0x90@phocean.net> wrote:

Personally no, but there will probably be more competent people who will answer.

The most surprising thing is not the weird PID but that most processes are hidden from pslist.

Isn't it just a bug, or can you tell more about the context?

 

--- phocean

On Aug 16, 2012, at 17:51, "Armet, Lee" <Lee.Armet@td.com> wrote:

 

Anyone ever see this?

 

0x2253cfb9                     14...5 False  True   False    False   False

 

 

Volatile Systems Volatility Framework 2.2_alpha

Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss

---------- -------------------- ------ ------ ------ -------- ------- -----

0x05760020 System                    4 True   True   True     True    False

0x19863d21 svchost.exe             804 False  True   False    False   False

0x18fa330d pdfPro5Hook.ex         3832 False  True   False    False   False

0x18a9d585 cmd.exe                3052 False  True   False    False   False

0x2eac4d45 svchost.exe             724 False  True   False    False   False

0x1d844541 taskhost.exe           3308 False  True   False    False   False

0x190203a9 ISUSPM.exe             3956 False  True   False    False   False

0x18b2d26a System                    4 False  True   False    False   False

0x0c1577ed sppsvc.exe             3276 False  True   False    False   False

0x190b1335 svchost.exe             796 False  True   False    False   False

0x13473a2d wininit.exe             504 False  True   False    False   False

0x2253cfb9                     14...5 False  True   False    False   False

0x22e79729 wuauclt.exe            2908 False  True   False    False   False

0x21442a21 ccSvcHst.exe           3040 False  True   False    False   False

0x18f75c35 BrStMonW.exe           3936 False  True   False    False   False

0x19044359 SearchIndexer.         2588 False  True   False    False   False

0x22209305 svchost.exe            1332 False  True   False    False   False

0x1900a539 BrCcUxSys.exe          1136 False  True   False    False   False

0x227df30d svchost.exe            1764 False  True   False    False   False

0x3accbd3d explorer.exe           3492 False  True   False    False   False

0x18f980a5 pptd40nt.exe           3772 False  True   False    False   False

 

Regards,


Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
