(Argh, sorry if you just received a messed email. Darn keyboard shortcuts. Anyway...)
Hi all,
CORPORATE BLOG WARNING!
In case you were dozing and missed it, I posted a blog entry today on using Volatility in anger.
I used it to analyse a hiberfil.sys and identify a few things about a keylogger that was running on a client's system.
I tried to make it as detailed as possible, specifically around the Volatility commands I was using and why I chose them.
Andrew Case has already been kind enough to provide me with some feedback, which I shall take the liberty of sharing below:
"When you ran dlldump to grab the WinInstall.dll you could have used '-b
0x000007fef5930000' to only get the DLL you wanted instead of all of
them. That address comes from dlllist output and its where the DLL is
loaded into memory."
"For finding the service you could have tried the 'svcscan' plugin and if
you do 'svcscan -v', it will list the path of the DLL or driver used to
start the service. That is easier than searching through the registry."