Was this the free dumpit? If so, that version regularly produces corrupt
captures on Win7 x64 systems, especially those with 8GB or more of RAM.
Is the system still available to pull a memory capture from with a
different tool? If not, you can try the scanning plugins (psscan,
modscan, netscan, ...) to see if the pages holding those data structures
were captured correctly.
Also, did the system really only have one processor (e.g. no cores?).
Wondering if that data was corrupted as well.
Thanks,
Andrew (@attrc)
On 12/05/2014 07:47 AM, James Lay wrote:
So here's what I got all...an image of a laptop running Windows 7 64 bit...image was captured using DumpIt in an admin console:
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/jlay/Forensics/FMCCOMBS-20141203-153133.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0x1b430010a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003002d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-12-03 15:31:47 UTC+0000
Image local date and time : 2014-12-03 08:31:47 -0700
Running "python vol.py -f ~/Forensics/FMCCOMBS-20141203-153133.raw --profile Win7SP1x64 pslist" gets me:
Offset(V)          Name             PID        PPID       Thds       Hnds Sess       Wow64 Start                        Exit
0xfffffa800694ab30 System           4          0          141        -1   1191132111 0     2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1   -1         1     -
And that's it. Any hints on just why this isn't showing any processes?
Volatility version is 2.4 running on Ubuntu 14 64 bit. Thank you.
James
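As an added illustration of the two points raised in this thread (the pslist rows above look like data read from pages that were never captured, and psscan can show what the list walk missed), here is a small checker that is not part of Volatility or of either message. It parses Volatility 2.4 plain-text pslist/psscan output, assumes process names contain no spaces, and uses James's two rows plus a constructed psscan sample.

```python
# Volatility 2.4 pslist output: the two rows from the thread, re-joined onto single lines.
PSLIST_OUTPUT = """\
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa800694ab30 System 4 0 141 -1 1191132111 0 2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1 -1 1 -
"""

# Constructed psscan output for the same hypothetical image (not from the thread).
PSSCAN_OUTPUT = """\
Offset(P) Name PID PPID PDB Time created Time exited
0x000000007694ab30 System 4 0 0x0000000000187000 2014-12-01 15:40:49 UTC+0000
0x000000007d1a5b30 smss.exe 272 4 0x000000006d8a3000 2014-12-01 15:40:49 UTC+0000
0x000000007e02f9e0 csrss.exe 356 344 0x000000006bb51000 2014-12-01 15:40:51 UTC+0000
"""


def parse_rows(text):
    """Skip the header line and split each data row on whitespace."""
    lines = [l for l in text.splitlines() if l.strip()]
    return [l.split() for l in lines[1:]]


def check_pslist(text):
    """Map each Offset(V) to reasons its _EPROCESS fields look like uncaptured-page garbage."""
    findings = {}
    for tok in parse_rows(text):
        offset, name = tok[0], tok[1]
        pid, ppid, thds, hnds, sess = (int(x) for x in tok[2:7])
        reasons = []
        if not all(c.isalnum() or c in "._+~()-" for c in name):
            reasons.append("unprintable ImageFileName")
        for label, val in (("PID", pid), ("PPID", ppid)):
            if val % 4 or val > 0xFFFF:       # Windows PIDs are small multiples of 4
                reasons.append("implausible " + label)
        if thds > 10000:
            reasons.append("implausible thread count")
        if hnds == -1:                        # ObjectTable pointer led to an unreadable page
            reasons.append("handle table unreadable (page missing?)")
        if sess > 255:                        # session ids are small integers
            reasons.append("implausible session id")
        findings[offset] = reasons
    return findings


def only_in_psscan(pslist_text, psscan_text):
    """PIDs the pool-tag scan found that the ActiveProcessLinks walk never reached."""
    listed = {int(t[2]) for t in parse_rows(pslist_text)}
    scanned = {int(t[2]) for t in parse_rows(psscan_text)}
    return sorted(scanned - listed)
```

A System row that already carries a -1 handle count and a nonsense session id, next to a garbled second entry, is the pattern Andrew describes; a non-empty result from only_in_psscan tells you whether the rest of the process structures survived in the image even though the list walk broke.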
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users