This happens quite often with x64 systems, large memory, and DumpIt. I’m sad to say the
image was probably corrupted during acquisition, but you can test by acquiring with
another tool or by loading your current memory dump in another analysis framework like
Redline to see if it can recognize anything.
Also, you can probably use psscan to get a partial list of processes by scanning. My guess
is that some page(s) that are required for traversing the linked list of processes were
not acquired properly.
Hope this helps,
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com
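As an added illustration of the suggestion above (not part of the thread, and not Volatility's own code): a constructed mini image in which one page was never acquired, with two simplified functions modelled on how pslist (walk the doubly-linked process list) and psscan (scan for pool-tagged records) locate processes. The record layout, the "Proc" tag and all offsets are invented stand-ins, not the real _EPROCESS layout.

```python
import struct
PAGE = 0x1000
TAG = b"Proc"   # constructed stand-in for the EPROCESS pool tag
# Constructed record layout, not the real _EPROCESS: tag(4) pid(4) name(16) flink(8) blink(8)
REC = struct.Struct("<4sI16sQQ")
# Constructed sample: four process records, one per page; offsets are record starts
SAMPLE = [(0x1040, 4, "System"), (0x2040, 404, "smss.exe"),
          (0x3040, 512, "csrss.exe"), (0x4040, 600, "wininit.exe")]

def build_image(procs, pages, unacquired=()):
    """procs: (offset, pid, name) tuples, linked circularly in list order.
    Pages in `unacquired` are zeroed, mimicking pages the acquisition tool
    failed to read (the failure mode suggested in the thread)."""
    img = bytearray(pages * PAGE)
    n = len(procs)
    for i, (off, pid, name) in enumerate(procs):
        flink, blink = procs[(i + 1) % n][0], procs[(i - 1) % n][0]
        img[off:off + REC.size] = REC.pack(TAG, pid, name.encode().ljust(16, b"\0"), flink, blink)
    for p in unacquired:
        img[p * PAGE:(p + 1) * PAGE] = bytes(PAGE)
    return bytes(img)

def parse(img, off):
    """Decode one record; None if it is not a plausible process entry."""
    if off + REC.size > len(img):
        return None
    tag, pid, name, flink, blink = REC.unpack_from(img, off)
    if tag != TAG or pid == 0:
        return None
    return pid, name.rstrip(b"\0").decode(errors="replace"), flink, blink

def pslist(img, head):
    """Walk the doubly-linked list from `head`, as pslist does. The walk stops at
    the first entry missing from the image, so every process after the hole is
    lost even though its own page was acquired fine."""
    out, off = [], head
    while True:
        rec = parse(img, off)
        if rec is None:
            return out, False   # truncated: walked into an unacquired page
        out.append((rec[0], rec[1]))
        off = rec[2]
        if off == head:
            return out, True    # back at the head: list intact

def psscan(img):
    """Check every 8-byte-aligned offset for a tagged record, as psscan does.
    No list is followed, so entries on both sides of the hole are recovered."""
    return [(r[0], r[1]) for off in range(0, len(img), 8) if (r := parse(img, off))]
```

With page 3 dropped (`build_image(SAMPLE, 6, unacquired=(3,))`), the list walk from 0x1040 returns only the first two processes and reports the list as truncated, while the scan still recovers three of the four.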
On Apr 22, 2014, at 11:14 AM, Lay, James <james.lay(a)wincofoods.com> wrote:
Hey all,
So... Win 7 SP1 64 bit... here's what I got:
vol.py -f bleh-20140421-203458.raw imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/bleh/bleh-20140421-203458.raw)
PAE type : No PAE
DTB : 0x187000L
vol.py --profile Win7SP1x64 -f bleh-20140421-203458.raw pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80066b8040 5??b 32...4 79...2 14...6 -------- ------ 1 3302-11-11 21:17:40 UTC+0000
And that's it. This was dumped using DumpIt. Is there something I'm missing?
My process:
wget latest volatility
python setup.py build
sudo python setup.py install
then the above commands. Thanks for any assistance.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users