The tool the IH used in this instance was Cyber Marshal's wmr (http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-reader). I've looked at dumps created by this tool in the past and this type of output/behavior wasn't observed.

--
Glenn Edwards
@hiddenillusion

On Fri, Jun 7, 2013 at 12:51 PM, Jesse Bowling <jessebowling@gmail.com> wrote:

I've had bad memory captures look a bit like this... Can you share what tool was used to collect the memory image?

Cheers,

Jesse

--
Jesse Bowling

On Fri, Jun 7, 2013 at 12:04 PM, Glenn Edwards <hiddenillusion@gmail.com> wrote:

Background: The user logged off (I know, I know) of the system (WinXP) and the first responder logged back in under a different user and took the memory dump.

When running pslist against the memory dump there are 2,423 entries. I'm seeing a lot of entries where the process starts and exits - sometimes in a row:

0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89b2a868 userinit.exe 3672 548 0 -------- 0 0 2013-05-26 11:30:11 UTC+0000 2013-05-26 11:30:11 UTC+0000
0x89afc020 userinit.exe 3388 548 0 -------- 0 0 2013-05-26 12:41:44 UTC+0000 2013-05-26 12:41:44 UTC+0000
0x89b49da0 userinit.exe 1336 548 0 -------- 0 0 2013-05-26 13:22:13 UTC+0000 2013-05-26 13:22:13 UTC+0000

and sometimes more spread out:

0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
0x89144ac0 minituner.exe 1120 1368 0 -------- 0 0 2013-06-01 01:26:15 UTC+0000 2013-06-01 01:37:41 UTC+0000
0x8934d520 java.exe 9148 1368 0 -------- 0 0 2013-06-01 01:37:41 UTC+0000 2013-06-01 01:43:54 UTC+0000
0x8934e020 cscript.exe 7620 9148 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:42:53 UTC+0000
0x895423b8 wmiprvse.exe 3664 832 0 -------- 0 0 2013-06-01 01:42:51 UTC+0000 2013-06-01 01:44:21 UTC+0000
0x895ce8a0 minituner.exe 9940 1368 0 -------- 0 0 2013-06-01 01:43:54 UTC+0000 2013-06-01 01:51:47 UTC+0000
0x893a3838 java.exe 4572 1368 0 -------- 0 0 2013-06-01 01:51:47 UTC+0000 2013-06-01 01:59:58 UTC+0000

Example of top processes by overall count of occurrence:

$ cat pslist.txt | awk '{print $2}' | sort | uniq -c | sort -nr
364 java.exe
362 minituner.exe
335 userinit.exe
301 wmiprvse.exe
219 cscript.exe
192 verclsid.exe
91 wuauclt.exe
37 regsvr32.exe
34 winlogon.exe
34 csrss.exe
[snip]

I've never come across this before so I'm wondering if this could be attributed to the first responder not letting the system fully log them on prior to taking the memory dump and therefore there were a lot of still-loading processes observed?

--
Glenn Edwards
@hiddenillusion

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
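Added example, not code from the thread or from Volatility: a small Python triage script for pslist rows like the ones Glenn posted. It reproduces the per-name counts of his awk one-liner and, for exited processes, computes lifetime and the parent instance that was actually alive when the child started (PIDs are reused in a list this long), so chains such as java.exe spawning a two-second cscript.exe stand out. It assumes the Volatility 2 pslist column order (Offset, Name, PID, PPID, Thds, Hnds, Sess, Wow64, Start, Exit); the System row in the sample is constructed to exercise the empty Exit column.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Rows copied from the thread plus one constructed running-process row (System)
# so that the empty Exit column is exercised.
SAMPLE = """\
0x8a0b8da0 System 4 0 55 247 ------ 0 2013-05-26 09:58:01 UTC+0000
0x89b3f868 userinit.exe 3808 548 0 -------- 0 0 2013-05-26 10:00:10 UTC+0000 2013-05-26 10:00:10 UTC+0000
0x89b89ad0 userinit.exe 3156 548 0 -------- 0 0 2013-05-26 10:00:28 UTC+0000 2013-05-26 10:00:28 UTC+0000
0x89c1da98 java.exe 4536 1368 0 -------- 0 0 2013-06-01 01:23:35 UTC+0000 2013-06-01 01:26:15 UTC+0000
0x89141020 cscript.exe 8608 4536 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:24:14 UTC+0000
0x89142da0 wmiprvse.exe 3152 832 0 -------- 0 0 2013-06-01 01:24:12 UTC+0000 2013-06-01 01:25:42 UTC+0000
"""

def _ts(date, time, _tz):
    # pslist prints "YYYY-MM-DD HH:MM:SS UTC+0000"; the value is already UTC.
    return datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")

def parse_pslist(text):
    """One dict per pslist row; 'exit' and 'lifetime' are None for running processes."""
    procs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].startswith("0x"):
            continue  # header, separator or blank line
        start = _ts(*f[8:11])
        exit_ = _ts(*f[11:14]) if len(f) >= 14 else None
        procs.append({"offset": f[0], "name": f[1], "pid": int(f[2]), "ppid": int(f[3]),
                      "start": start, "exit": exit_,
                      "lifetime": (exit_ - start).total_seconds() if exit_ else None})
    return procs

def name_counts(procs):
    """Same figures as the thread's `awk '{print $2}' | sort | uniq -c`."""
    return Counter(p["name"] for p in procs)

def short_lived(procs, max_seconds=5):
    """(name, pid, parent name, seconds) for exited processes that lived <= max_seconds."""
    by_pid = defaultdict(list)
    for p in procs:
        by_pid[p["pid"]].append(p)
    out = []
    for p in procs:
        if p["lifetime"] is None or p["lifetime"] > max_seconds:
            continue
        # PIDs are reused, so pick the parent instance that was alive when the child started.
        alive = [q for q in by_pid[p["ppid"]] if q["start"] <= p["start"]
                 and (q["exit"] is None or q["exit"] >= p["start"])]
        out.append((p["name"], p["pid"], alive[0]["name"] if alive else "?", p["lifetime"]))
    return out
```

A parent shown as "?" means the PPID is not in the listing at all, which on a capture like this one is itself worth noting before blaming the imager.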