Re: [Vol-users] Shimcache plugin - no entries

Hello all, I am analyzing a memory dump and looking at execution in a period of known bad activity, and have been able to gather quite a bit of information using volatility. For some reason though, shimcache and psscan return no results, although all the other plugins I've run (and volshell) have worked fine. I find it hard to believe that psscan for one can find no _EPROCESS structures, so I'm not sure what's happening. Also, in the results from the timeliner, I have several entries with blank shimcache entries like "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate with shimcache entries on disk, so I know something is just not being picked up. Any ideas on why shimcache/psscan would produce no results? I'm not sure about the best way to track down the reason. Thanks! Erika _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users