Good point! I'll make a note to test which ones do that. I was fortunate with the last Zeus I tested; I found it in the hiberfil.sys. (Win32dd and fdpro images did not complete, so I went for the hibernate.)
Do you know which ones remove themselves? I'd like to test catching them in a memory image, hibernate, and a keyboard generated crash.
Is there malware that stops all imaging programs and removes itself for hibernate and crash dump? Does it overwrite itself in memory too? That is an interesting problem! Hopefully it is not widespread in the wild.
> Date: Fri, 9 Mar 2012 12:23:51 -0500
> From: ggarner_online@gmgsystemsinc.com
> To: vol-users@volatilityfoundation.org
> Subject: Re: [Vol-users] BSOD while collecting a memory image
>
> On 3/9/2012 11:54 AM, Mike Lambert wrote:
> >
> > My ultimate backup plan is to hibernate and convert the hiberfil.sys.
> > That works so I'm not stuck with nothing.
>
> Except that a lot of malware nowadays will remove itself from memory
> during the crashdump or hibernation process. You will still catch the
> script kiddies, of course.
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users