On 23-10-13 20:31, George M. Garner Jr. wrote:
> 64 GiB is a large dump. 8 GiB is standard these days.
>
> No problems with really LARGE memory dumps here, btw. :-) No problem
> acquiring the pagefile(s) here either, in case you have some virtual
> memory swapped out.

>> Okay. Well anyway, we'll remove a DIMM tomorrow anyway (over here in
>> Europe it's about 10pm by now), it will also speed up analysis I hope.
>
> Don't bet on it. If the processor supports virtualization extensions
> (which most do nowadays), then you may be running in a hypervisor.
> You have to test for that specifically.

Wait, what? Well we actually brought the box to our office and did not
notice anything. It's just a regular computer for office applications,
on which we did not notice any hypervisor (the admin also didn't mention
anything). Furthermore, the sample refuses to run in a VM and seems to
work fine on this box. My colleague actually patched some anti-DFIR
defenses, so I don't think the infected workstation is actually running
some hypervisor.
Cheers,
Boudewijn Ector
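The point George raises above (a machine whose CPU has virtualization extensions may be running under a hypervisor, and you have to test for that rather than assume) is the kind of check a responder wants on a triage checklist. The following is an added example and not code from either participant or from any tool discussed in the thread. It reads the cooperative hypervisor signals a Linux host exposes: the `hypervisor` flag in `/proc/cpuinfo` (which the kernel derives from CPUID leaf 1, ECX bit 31), the `vmx`/`svm` flags that show the CPU could host a hypervisor, and the DMI/SMBIOS vendor strings under `/sys/class/dmi/id/`. The marker list and the sample inputs are constructed for illustration; the sysfs paths are the standard Linux ones. A hypervisor that deliberately hides itself can clear the CPUID bit and forge DMI strings, so a negative result here is a reason to test further, not proof of bare metal.

```python
"""Added triage check (not part of the email thread): look for cooperative
hypervisor signals in /proc/cpuinfo-style text and DMI/SMBIOS vendor strings.
A stealth hypervisor can defeat every check here, so 'no signal' is not
'no hypervisor'."""
import os

# Substrings commonly seen in DMI sys_vendor / product_name under well-known
# hypervisors. Constructed list for illustration; not exhaustive.
HYPERVISOR_DMI_MARKERS = (
    "vmware", "virtualbox", "qemu", "kvm", "xen", "hyper-v",
    "virtual machine", "parallels", "bochs", "innotek",
)

# sysfs files that expose DMI strings on Linux (standard kernel paths)
DMI_FILES = (
    "/sys/class/dmi/id/sys_vendor",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/board_vendor",
)


def cpu_flags(cpuinfo_text: str) -> set:
    """Collect every flag listed on the 'flags' lines of /proc/cpuinfo text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def has_hypervisor_flag(cpuinfo_text: str) -> bool:
    """True if the kernel reports the 'hypervisor' flag (CPUID.1:ECX bit 31).
    Cooperative hypervisors set that bit; a stealth hypervisor can leave it clear."""
    return "hypervisor" in cpu_flags(cpuinfo_text)


def has_virtualization_extensions(cpuinfo_text: str) -> bool:
    """True if the CPU advertises VT-x (vmx) or AMD-V (svm), i.e. the hardware
    support a hypervisor needs. Most guests hide these flags unless nested
    virtualization is enabled."""
    return bool(cpu_flags(cpuinfo_text) & {"vmx", "svm"})


def dmi_hits(dmi_strings) -> list:
    """Return the marker substrings matched by any of the given DMI strings."""
    hits = []
    for s in dmi_strings:
        low = s.lower()
        hits.extend(m for m in HYPERVISOR_DMI_MARKERS if m in low)
    return sorted(set(hits))


def assess(cpuinfo_text: str, dmi_strings) -> dict:
    """Combine the signals into a small triage record with a verdict string."""
    flag = has_hypervisor_flag(cpuinfo_text)
    hits = dmi_hits(dmi_strings)
    ext = has_virtualization_extensions(cpuinfo_text)
    if flag or hits:
        verdict = "hypervisor indicated"
    elif ext:
        verdict = "no cooperative signal; CPU can host a hypervisor, test further"
    else:
        verdict = "no cooperative signal; virtualization extensions not advertised"
    return {"hypervisor_flag": flag, "dmi_hits": hits,
            "virt_extensions": ext, "verdict": verdict}


def assess_live_host() -> dict:
    """Run the assessment against this machine (Linux only; empty inputs elsewhere)."""
    cpuinfo = ""
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    dmi = []
    for path in DMI_FILES:
        try:
            with open(path) as fh:
                dmi.append(fh.read().strip())
        except OSError:
            pass  # file absent (non-Linux, container, or no DMI support)
    return assess(cpuinfo, dmi)


# Constructed sample inputs (not captured from any real system)
SAMPLE_GUEST_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Sample CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor lahf_lm\n"
)
SAMPLE_GUEST_DMI = ["QEMU", "Standard PC (Q35 + ICH9, 2009)", "QEMU"]

SAMPLE_HOST_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: Sample CPU\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx lahf_lm\n"
)
SAMPLE_HOST_DMI = ["Example Manufacturer", "Office Desktop 1234", "Example Manufacturer"]

if __name__ == "__main__":
    print(assess(SAMPLE_GUEST_CPUINFO, SAMPLE_GUEST_DMI))
    print(assess(SAMPLE_HOST_CPUINFO, SAMPLE_HOST_DMI))
    print(assess_live_host())
```

Run it on the acquisition box itself rather than on an image: the signals come from the live kernel and firmware tables. The second sample shows the case George describes, a machine with no cooperative signal whose CPU nevertheless advertises VT-x, which is exactly when a dedicated hypervisor test (timing, MSR behaviour, or a memory-image review of the VMCS region) is still warranted.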