Mike,
2. Is the "full memory dump" compatible with Volatility?
Yes. Volatility has support for samples in "full" crash dump format. If
you have any difficulties, please let us know. Any feedback on samples
collected from 64 bit machines would also be appreciated.
Question: Has someone gotten a full memory dump on BSOD and successfully
processed it with Volatility?
Yes.
Question: Has anyone else thought about how to deal with BSOD and
analysis? If it is not something that the list is interested in, we
could take this offline.
The format for crash dumps is well understood (thanks Andreas!). There are
even a number of tools that are capable of capturing samples in DMP format
(i.e. kntdd, moonsols). Unfortunately, there are a number of challenges
with relying on Windows' ability to capture crash dumps (see Suiche's
presentations). I do know of organizations that preconfigured their
machines to support crash dumps before there were reliable acquisition
tools.
Thanks,
AW
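A small triage check that follows on from the thread above, added here as an example and not code from AW, Mike or the Volatility project: before handing a BSOD-generated .dmp file to Volatility it is worth confirming that it really is a "full" crash dump rather than a kernel or minidump, since only the full type carries all of physical memory. The field offsets are taken from the documented DUMP_HEADER32 / DUMP_HEADER64 layouts (an assumption on my part; check them against your own samples or Volatility's crash dump address space if in doubt), and the `build_sample_header` helper fabricates a header purely so the parser can be exercised offline.

```python
import struct
import sys

# Header field offsets, assumed from the documented DUMP_HEADER32 / DUMP_HEADER64
# structures. Real dumps pad the unused header bytes with repeated "PAGE".
_LAYOUTS = {
    b"DUMP": {"bits": 32, "size": 0x1000, "major": 0x08, "minor": 0x0C,
              "machine": 0x20, "ncpu": 0x24, "bugcheck": 0x28, "dumptype": 0xF88},
    b"DU64": {"bits": 64, "size": 0x2000, "major": 0x08, "minor": 0x0C,
              "machine": 0x30, "ncpu": 0x34, "bugcheck": 0x38, "dumptype": 0xF98},
}
DUMP_TYPES = {1: "full", 2: "kernel", 3: "header", 4: "triage",
              5: "bitmap-full", 6: "bitmap-kernel", 7: "automatic"}
MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64"}


def parse_dump_header(data: bytes) -> dict:
    """Return the key header fields of a Windows crash dump, or raise ValueError."""
    if data[:4] != b"PAGE":
        raise ValueError("no PAGE signature: not a Windows crash dump")
    layout = _LAYOUTS.get(data[4:8])
    if layout is None:
        raise ValueError("unknown ValidDump tag %r" % data[4:8])
    if len(data) < layout["size"]:
        raise ValueError("file shorter than the %d-bit dump header" % layout["bits"])

    def u32(off):
        return struct.unpack_from("<I", data, off)[0]

    dump_type = u32(layout["dumptype"])
    machine = u32(layout["machine"])
    return {
        "bits": layout["bits"],
        "version": (u32(layout["major"]), u32(layout["minor"])),
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "processors": u32(layout["ncpu"]),
        "bugcheck_code": u32(layout["bugcheck"]),
        "dump_type": DUMP_TYPES.get(dump_type, "unknown(%d)" % dump_type),
    }


def is_full_dump(data: bytes) -> bool:
    """True only for a well-formed header whose DumpType is the full (type 1) format."""
    try:
        return parse_dump_header(data)["dump_type"] == "full"
    except ValueError:
        return False


def build_sample_header(bits: int, dump_type: int, machine: int,
                        ncpu: int = 2, bugcheck: int = 0) -> bytes:
    """Constructed sample header for testing; not captured from a real machine."""
    tag = b"DU64" if bits == 64 else b"DUMP"
    layout = _LAYOUTS[tag]
    buf = bytearray(b"PAGE" * (layout["size"] // 4))  # PAGE filler like a real header
    buf[4:8] = tag
    # Constructed version numbers; the other values come from the arguments.
    for key, value in (("major", 15), ("minor", 19041), ("machine", machine),
                       ("ncpu", ncpu), ("bugcheck", bugcheck), ("dumptype", dump_type)):
        struct.pack_into("<I", buf, layout[key], value)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python dumpcheck.py MEMORY.DMP
    with open(sys.argv[1], "rb") as fh:
        head = fh.read(0x2000)
    info = parse_dump_header(head)
    print(info)
    print("full dump suitable for Volatility:", info["dump_type"] == "full")
```

Kernel (type 2) and minidump-style files share the same PAGE signature, so checking the signature alone is not enough; the DumpType field is the one that distinguishes a full memory image, which is why `is_full_dump` keys on it rather than on the file size.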