On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop@gmail.com> wrote:
> The answer to that question was in previous email where I posted the entire
> kdbgscan output. I believe the mdd was used to acquire the image.
>
>
> On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <michael.hale@gmail.com> wrote:
>>
>> Hey Jon,
>>
>> > Was there any more output from kdbgscan (other than what you pasted
>> > in the first email)? If so can you paste the entire output of kdbgscan,
>> > please?
>>
>> You didn't answer that question above...does that mean there is *not* any
>> additional kdbgscan output other than what you pasted in the first email?
>>
>> Are you supplying --profile=Win2008SP1x86 to the psscan and modscan
>> commands also? What software was used to acquire the memory dump?
>>
>> Thanks,
>> MHL
>>
>> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>
>>> As far as modscan I also just get the header and nothing further.
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh <michael.hale@gmail.com> wrote:
>>>>
>>>> Hey Jon,
>>>>
>>>> Was there any more output from kdbgscan (other than what you pasted in
>>>> the first email)? If so can you paste the entire output of kdbgscan, please?
>>>>
>>>> The fact that psscan doesn't show results is definitely strange. What
>>>> about the modscan command?
>>>>
>>>> Thanks!
>>>> MHL
>>>>
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>>
>>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>>>>>>
>>>>>> and...
>>>>>>
>>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno@gmail.com> wrote:
>>>>>>>
>>>>>>> Can you paste the command line invocation you are running Vol with?
>>>>>>>
>>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop@gmail.com> wrote:
>>>>>>> > I am using the 2.1 Windows standalone exe.
>>>>>>> >
>>>>>>> > I have a dd image of memory from the subject operating system and
>>>>>>> > when I try to use pslist with the Win2008SP1x86 profile I get the
>>>>>>> > following errors:
>>>>>>> >
>>>>>>> > Traceback (most recent call last):
>>>>>>> >   File "<string>", line 185, in <module>
>>>>>>> >   File "<string>", line 176, in main
>>>>>>> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands", line 111, in execute
>>>>>>> >   File "C:\volatility\volatility\plugins\taskmods.py", line 138, in render_text
>>>>>>> >   File "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks", line 72, in pslist
>>>>>>> >   File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line 40, in processes
>>>>>>> > AttributeError: Could not list tasks, please verify your --profile with kdbgscan
>>>>>>> >
>>>>>>> >
>>>>>>> > When I try to verify my profile with kdbgscan I get the following
>>>>>>> > for all profiles:
>>>>>>> >
>>>>>>> > **************************************************
>>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>>>>>>> > Offset (V) : 0x8193ec90
>>>>>>> > Offset (P) : 0x193ec90
>>>>>>> > KDBG owner tag check : True
>>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>>> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>>>>>>> > Service Pack (CmNtCSDVersion) : 1
>>>>>>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>>>>>>> > PsActiveProcessHead : 0x81954990 (0 processes)
>>>>>>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>>>>>>> > KernelBase : 0x81847000 (Matches MZ: True)
>>>>>>> > Major (OptionalHeader) : 6
>>>>>>> > Minor (OptionalHeader) : 0
>>>>>>> > KPCR : 0x8193f800 (CPU 0)
>>>>>>> > KPCR : 0x803d1000 (CPU 1)
>>>>>>> >
>>>>>>> > Any help would be greatly appreciated.
>>>>>>> >
>>>>>>> > Jon
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > Vol-users mailing list
>>>>>>> > Vol-users@volatilityfoundation.org
>>>>>>> > http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
>
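As an added triage helper (not code from the thread or from the Volatility project), the following parses kdbgscan output blocks like the one Jon pasted and separates three cases an analyst wants to tell apart: a KDBG whose header does not validate for the profile, a KDBG that validates (owner tag and MZ match both True) yet reports 0 processes and 0 modules, which is the state behind the "Could not list tasks" traceback above, and a KDBG with populated lists. Field names are taken from the pasted output; the sample text is reconstructed from it and labelled as constructed.

```python
import re

# Constructed sample: the KDBG block from the thread (kdbgscan pads keys before the colon).
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V)                    : 0x8193ec90
Offset (P)                    : 0x193ec90
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008SP1x86
Version64                     : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead           : 0x81954990 (0 processes)
PsLoadedModuleList            : 0x8195ec70 (0 modules)
KernelBase                    : 0x81847000 (Matches MZ: True)
"""

_COUNT = re.compile(r"\((\d+) (?:processes|modules)\)")

def parse_kdbgscan(text):
    """Split kdbgscan output on its '****' separators into one dict per KDBG hit."""
    hits = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("Instantiating"):
                continue
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        if "Offset (V)" in fields:
            hits.append(fields)
    return hits

def triage(fields):
    """Return 'reject', 'empty-lists' or 'usable' for one parsed KDBG hit."""
    structure_ok = (fields.get("KDBG owner tag check") == "True"
                    and "Matches MZ: True" in fields.get("KernelBase", ""))
    if not structure_ok:
        return "reject"        # header does not validate for this profile
    procs = int(_COUNT.search(fields["PsActiveProcessHead"]).group(1))
    mods = int(_COUNT.search(fields["PsLoadedModuleList"]).group(1))
    if procs == 0 and mods == 0:
        return "empty-lists"   # valid KDBG, but pslist has nothing to walk
    return "usable"

def triage_output(text):
    """Map each suggested profile in kdbgscan output to its triage verdict."""
    return [(h.get("Profile suggestion (KDBGHeader)"), triage(h)) for h in parse_kdbgscan(text)]
```

Running it over a full kdbgscan run (several blocks) lists every candidate profile with its verdict, so a profile that validates but yields empty lists is not mistaken for a wrong profile.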