Good point! I'll make a note to test which ones do that. I was fortunate with the last
Zeus I tested: I found it in the hiberfil.sys. (Win32dd and fdpro images did not complete,
so I went for the hibernate.)
Do you know which ones remove themselves? I'd like to test catching them in a memory
image, a hibernate, and a keyboard-generated crash.
Is there malware that stops all imaging programs and removes itself for hibernate and
crash dump? Does it overwrite itself in memory too? That is an interesting problem!
Hopefully it is not widespread in the wild.
Thanks!
Mike Lambert
  Date: Fri, 9 Mar 2012 12:23:51 -0500
 From: ggarner_online(a)gmgsystemsinc.com
 To: vol-users(a)volatilityfoundation.org
 Subject: Re: [Vol-users] BSOD while collecting a memory image
 On 3/9/2012 11:54 AM, Mike Lambert wrote:
 My ultimate backup plan is to hibernate and convert the hiberfil.sys.
 That works so I'm not stuck with nothing. 
 Except that a lot of malware nowadays will remove itself from memory
 during the crashdump or hibernation process. You will still catch the
 script kiddies, of course.
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
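An added example, not from either poster in the thread: before spending time converting a collected hiberfil.sys, it is worth confirming that the file actually holds an unresumed hibernation image. The 4-byte signature at offset 0 is "hibr" (Windows XP through 7) or "HIBR" (Windows 8 and later) for a freshly written image; once Windows has resumed from the file the signature is rewritten to "wake"/"WAKE", and a zeroed header means the file was cleared. Independently of the header, compressed memory pages inside the file are tagged with the marker "\x81\x81xpress", so counting those markers gives a rough idea of how much page data survived. The sample bytes below are constructed inline to illustrate the checks; on a real case you would read the first few megabytes of the hiberfil.sys you copied off the disk.

```python
"""Sanity-check a hiberfil.sys before trying to convert it into a raw memory image."""

# Known values of the PO_MEMORY_IMAGE signature at offset 0.
# Windows XP/Vista/7 write the lowercase form, Windows 8+ the uppercase form.
HIBER_SIGNATURES = {
    b"hibr": ("valid", "hibernation image (Windows XP-7), not yet resumed"),
    b"HIBR": ("valid", "hibernation image (Windows 8+), not yet resumed"),
    b"wake": ("resumed", "file has been resumed from (Windows XP-7); data may be stale"),
    b"WAKE": ("resumed", "file has been resumed from (Windows 8+); data may be stale"),
}

# Header placed in front of every Xpress-compressed block of page data.
XPRESS_MARKER = b"\x81\x81xpress"


def classify_hiberfil(data: bytes) -> tuple:
    """Return (state, description) based on the signature at offset 0.

    Only the first 4 bytes are inspected, so passing the first page of the
    file is enough; the full file is not needed for this check.
    """
    if len(data) < 4:
        return ("too_short", "fewer than 4 bytes read; not a hibernation file")
    signature = data[:4]
    if signature == b"\x00\x00\x00\x00":
        return ("zeroed", "header is zeroed; Windows cleared the file")
    return HIBER_SIGNATURES.get(
        signature, ("unknown", "unrecognised signature %r" % signature)
    )


def count_xpress_blocks(data: bytes) -> int:
    """Count compressed page blocks by their marker.

    This works even when the header has been zeroed, which is why it is a
    useful second opinion on whether the file still contains page data.
    """
    return data.count(XPRESS_MARKER)


def summarize(data: bytes) -> dict:
    """Combine both checks into one result suitable for logging or asserting on."""
    state, description = classify_hiberfil(data)
    blocks = count_xpress_blocks(data)
    worth_converting = state == "valid" or (state != "too_short" and blocks > 0)
    return {
        "state": state,
        "description": description,
        "xpress_blocks": blocks,
        "worth_converting": worth_converting,
    }


# Constructed sample data (not a real hibernation file): a Windows 7-style
# header page followed by two fake compressed blocks of junk.
SAMPLE_HIBR = (
    b"hibr" + b"\x00" * 4092
    + XPRESS_MARKER + b"\xaa" * 64
    + XPRESS_MARKER + b"\xbb" * 64
)
# Same layout after a resume: the signature is rewritten, the blocks remain.
SAMPLE_WAKE = b"wake" + SAMPLE_HIBR[4:]
# Header wiped entirely, but page data still present.
SAMPLE_ZEROED = b"\x00" * 4096 + SAMPLE_HIBR[4096:]


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            blob = fh.read(64 * 1024 * 1024)  # first 64 MiB is plenty for the checks
    else:
        blob = SAMPLE_HIBR
    for key, value in summarize(blob).items():
        print("%-17s %s" % (key + ":", value))
```

Run it as `python hibercheck.py hiberfil.sys` against the copied file; with no argument it runs over the constructed sample. A "resumed" or "zeroed" result with a non-zero block count is still worth feeding to a converter, but treat the recovered pages as partial rather than a consistent snapshot.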