Another few suggestions: <div><br></div><div>* If you&#39;re using Yara with Malfind, you&#39;re probably using an old version of Volatility. Since 2.1, Malfind no longer has anything to do with Yara - there&#39;s a separate YaraScan plugin that you should use instead [1]</div>
<div><br></div><div>* When you use YaraScan, make sure to try scanning in both usermode (process memory) and kernel mode (there are different switches, see the [1] reference)</div><div><br></div><div>* When you create the Yara rules, make sure you indicate &quot;wide&quot; if the string is unicode </div>
<div><br></div><div>MHL</div><div><br></div><div><br></div><div>[1] <a href="http://code.google.com/p/volatility/wiki/CommandReference22#yarascan">http://code.google.com/p/volatility/wiki/CommandReference22#yarascan</a><br>
<br><div class="gmail_quote">On Mon, Sep 17, 2012 at 11:36 AM, Jamie Levy <span dir="ltr">&lt;<a href="mailto:jamie.levy@gmail.com" target="_blank">jamie.levy@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Have you tried the strings plugin?<br>
<br>
<a href="http://code.google.com/p/volatility/wiki/CommandReference22#strings" target="_blank">http://code.google.com/p/volatility/wiki/CommandReference22#strings</a><br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Mon, Sep 17, 2012 at 8:37 AM, David Bramer &lt;<a href="mailto:david.bramer@gmail.com">david.bramer@gmail.com</a>&gt; wrote:<br>
&gt; Hi,<br>
&gt;<br>
&gt; Have a memory dump which I have obtained via DumpIt, I&#39;m then pretty<br>
&gt; happy and can use Volatility to find out some of the answers to my<br>
&gt; questions. However when I have run Strings on the memory dump I find a<br>
&gt; string of great interest. I would like to figure out a means by which<br>
&gt; I could find out what created this string.<br>
&gt;<br>
&gt; So far I&#39;ve created a basic Yara rule and used malfind to no avail. Is<br>
&gt; there anything else I could try?<br>
&gt;<br>
&gt; Cheers<br>
&gt;<br>
&gt; David<br>
&gt; _______________________________________________<br>
&gt; Vol-users mailing list<br>
&gt; <a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
&gt; <a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org">Vol-users@volatilesystems.com</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-users</a><br>
</div></div></blockquote></div><br></div>