Just to be sure... did you try all Win 2003 x86 profiles?
On Thu, Oct 4, 2012 at 4:28 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
The same error, or lack of output, with psscan.
BTW - I am building up a Linux VM and will try this again on that VM.
-David
DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 psscan
Volatile Systems Volatility Framework 2.2
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
No suitable address space mapping found
Tried to open image as:
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemory: Module disabled
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64: Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
JKIA32PagedMemory: No valid DTB found
IA32PagedMemoryPae: Module disabled
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
On Oct 4, 2012, at 3:18 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
> Have you tried any of the scanning plugins, like psscan, modscan or similar?
>
>
> On Thu, Oct 4, 2012 at 4:16 PM, David Kovar <dkovar(a)gmail.com> wrote:
>> Greetings,
>>
>> Two different samples, both fail for different reasons. These are supposedly raw
>> memory samples collected from servers using FTK Imager. The one sample that generates a
>> profile loads into Redline and produces all the normal info I'd expect. The other
>> sample, the one that produces no results with imageinfo, may be bad. I've not loaded
>> it into Redline yet.
>>
>> -David
>>
>> On Oct 4, 2012, at 3:14 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>>
>>> hrmmm strange... Am I missing something or are you asking about two
>>> different samples? I see two different file names, but you're writing
>>> this as if they are one. Are these raw memory samples? Do you have
>>> any idea what the system might be? Have you tried any of the scanning
>>> plugins? Which of these two samples did you run redline on and what
>>> did you get back... any valid info?
>>>
>>>
>>>
>>> On Thu, Oct 4, 2012 at 2:58 PM, David Kovar <dkovar(a)gmail.com> wrote:
>>>> Greetings,
>>>>
>>>> I am unable to get a viable profile for two different images. I built
>>>> V2.2 on a MacBook Pro running 10.8.2.
>>>>
>>>> This one may be a bad image:
>>>>
>>>> <kdbgscan returns silently>
>>>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp kdbgscan
>>>> Volatile Systems Volatility Framework 2.2
>>>>
>>>> DawnTreader:Mem Analysis kovar$ vol.py -f *dmp imageinfo
>>>> Volatile Systems Volatility Framework 2.2
>>>> Determining profile based on KDBG search...
>>>>
>>>> Suggested Profile(s) : No suggestion (Instantiated with no profile)
>>>> AS Layer1 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted-27-09-2012-10-47-50.dmp)
>>>> PAE type : No PAE
>>>>
>>>> ----------------
>>>>
>>>>
>>>> But this one loads in Mandiant Redline but Volatility will not produce
>>>> any valid results. I've tried all three profiles with no success.
>>>>
>>>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem imageinfo
>>>> Volatile Systems Volatility Framework 2.2
>>>> Determining profile based on KDBG search...
>>>>
>>>> Suggested Profile(s) : Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
>>>> AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>>>> AS Layer2 : FileAddressSpace (/Users/kovar/Mem Analysis/redacted_memdump.mem)
>>>> PAE type : PAE
>>>> DTB : 0x1595000L
>>>> KDBG : 0x808943e0
>>>> Number of Processors : 2
>>>> Image Type (Service Pack) : 2
>>>> KPCR for CPU 0 : 0xffdff000
>>>> KPCR for CPU 1 : 0xf772f000
>>>> KUSER_SHARED_DATA : 0xffdf0000
>>>> Image date and time : 2012-10-01 19:31:06 UTC+0000
>>>> Image local date and time : 2012-10-01 13:31:06 -0600
>>>>
>>>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem kdbgscan
>>>> Volatile Systems Volatility Framework 2.2
>>>> **************************************************
>>>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>>>> Offset (P) : 0x8943e0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2003SP1x86
>>>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>>>> PsActiveProcessHead : 0x808ad0c8
>>>> PsLoadedModuleList : 0x808a6ea8
>>>> KernelBase : 0x80800000
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>>>> Offset (P) : 0x8943e0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2003SP2x86
>>>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>>>> PsActiveProcessHead : 0x808ad0c8
>>>> PsLoadedModuleList : 0x808a6ea8
>>>> KernelBase : 0x80800000
>>>>
>>>> **************************************************
>>>> Instantiating KDBG using: /Users/kovar/Mem Analysis/redacted.mem Win2003SP0x86 (5.2.3789 32bit)
>>>> Offset (P) : 0x8943e0
>>>> KDBG owner tag check : True
>>>> Profile suggestion (KDBGHeader): Win2003SP0x86
>>>> Version64 : 0x8943b8 (Major: 15, Minor: 3790)
>>>> PsActiveProcessHead : 0x808ad0c8
>>>> PsLoadedModuleList : 0x808a6ea8
>>>> KernelBase : 0x80800000
>>>>
>>>>
>>>> DawnTreader:Mem Analysis kovar$ vol.py -f *mem --profile=Win2003SP0x86 pslist
>>>> Volatile Systems Volatility Framework 2.2
>>>> No suitable address space mapping found
>>>> Tried to open image as:
>>>> LimeAddressSpace: lime: need base
>>>> WindowsHiberFileSpace32: No base Address Space
>>>> WindowsCrashDumpSpace64: No base Address Space
>>>> WindowsCrashDumpSpace32: No base Address Space
>>>> AMD64PagedMemory: No base Address Space
>>>> JKIA32PagedMemory: No base Address Space
>>>> IA32PagedMemoryPae: Module disabled
>>>> JKIA32PagedMemoryPae: No base Address Space
>>>> IA32PagedMemory: Module disabled
>>>> LimeAddressSpace: Invalid Lime header signature
>>>> WindowsHiberFileSpace32: No xpress signature found
>>>> WindowsCrashDumpSpace64: Header signature invalid
>>>> WindowsCrashDumpSpace32: Header signature invalid
>>>> AMD64PagedMemory: Incompatible profile Win2003SP0x86 selected
>>>> JKIA32PagedMemory: No valid DTB found
>>>> IA32PagedMemoryPae: Module disabled
>>>> JKIA32PagedMemoryPae: No valid DTB found
>>>> IA32PagedMemory: Module disabled
>>>> FileAddressSpace: Must be first Address Space
>>>>
>>>>
>>>> -----
>>>>
>>>> Thanks for any help you might be able to offer.
>>>>
>>>> -David
>>>>
>>>> _______________________________________________
>>>> Vol-users mailing list
>>>> Vol-users(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
>
>
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
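The kdbgscan output in this thread shows what Volatility checks when it proposes a profile: the KDBG owner tag, and a _DBGKD_GET_VERSION64 block 0x28 bytes before the KDBG whose KernBase and PsLoadedModuleList must agree with the KDBG's own fields. The following is an added illustration of that cross-check, written for this post and not taken from Volatility; it assumes the x86 _KDDEBUGGER_DATA64 layout from wdbgexts.h and scans a constructed sample page whose field values are copied from the thread (the Size value is arbitrary). It does not cover the separate DTB search that fails in the pslist/psscan runs above.

```python
import struct

KDBG_SIG = b"\x00" * 8 + b"KDBG"   # zeroed List.Blink followed by the OwnerTag (32-bit kernels)
VERSION64_OFF = 0x28               # _DBGKD_GET_VERSION64 sits 0x28 bytes before the KDBG
KDBG_MIN_LEN = 88                  # bytes needed to reach the end of PsActiveProcessHead

def in_kernel(va):
    """True for a 32-bit kernel-space virtual address (what a sane KDBG field should hold)."""
    return 0x80000000 <= va < 0x100000000

def parse_kdbg(image, off):
    """Read the _KDDEBUGGER_DATA64 header at physical offset off (x86 layout from wdbgexts.h)."""
    tag, size = struct.unpack_from("<4sI", image, off + 16)       # OwnerTag, Size
    kernbase, = struct.unpack_from("<Q", image, off + 24)          # KernBase
    loaded, active = struct.unpack_from("<QQ", image, off + 72)    # PsLoadedModuleList, PsActiveProcessHead
    return {"offset": off, "owner_tag_ok": tag == b"KDBG", "size": size,
            "kernbase": kernbase, "psloadedmodulelist": loaded, "psactiveprocesshead": active}

def parse_version64(image, off):
    """Read _DBGKD_GET_VERSION64: MajorVersion, MinorVersion, then KernBase and PsLoadedModuleList at +16."""
    major, minor = struct.unpack_from("<HH", image, off)
    kernbase, loaded = struct.unpack_from("<QQ", image, off + 16)
    return {"offset": off, "major": major, "minor": minor, "kernbase": kernbase, "psloadedmodulelist": loaded}

def scan_kdbg(image):
    """Return every KDBG candidate, flagging the ones whose version block and pointers agree."""
    hits, pos = [], image.find(KDBG_SIG, 8 + VERSION64_OFF)   # leave room for the version block in front
    while pos != -1 and pos - 8 + KDBG_MIN_LEN <= len(image):
        kdbg = parse_kdbg(image, pos - 8)             # signature begins at List.Blink, offset 8 in the header
        ver = parse_version64(image, kdbg["offset"] - VERSION64_OFF)
        kdbg["version"] = ver
        kdbg["consistent"] = (kdbg["owner_tag_ok"]
                              and ver["kernbase"] == kdbg["kernbase"]
                              and ver["psloadedmodulelist"] == kdbg["psloadedmodulelist"]
                              and all(in_kernel(kdbg[k]) for k in
                                      ("kernbase", "psloadedmodulelist", "psactiveprocesshead")))
        hits.append(kdbg)
        pos = image.find(KDBG_SIG, pos + 1)
    return hits

def build_sample_image():
    """Constructed sample page (not a real dump): version block at 0x3b8, KDBG at 0x3e0, field values
    copied from the kdbgscan output in the thread; the Size value 0x318 is arbitrary."""
    img = bytearray(b"\xcc" * 0x1000)
    kernbase, loaded, active = 0x80800000, 0x808a6ea8, 0x808ad0c8
    struct.pack_into("<HH", img, 0x3b8, 15, 3790)                            # Major 15, Minor 3790
    struct.pack_into("<QQ", img, 0x3b8 + 16, kernbase, loaded)
    struct.pack_into("<QQ4sIQ", img, 0x3e0, 0, 0, b"KDBG", 0x318, kernbase)  # List, OwnerTag, Size, KernBase
    struct.pack_into("<QQ", img, 0x3e0 + 72, loaded, active)
    return bytes(img)
```

A candidate that passes the owner-tag check but fails the version-block comparison is the kind of hit kdbgscan prints without a clean profile suggestion, so the `consistent` flag is the field worth looking at first on a dump that only half-parses.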