Hi Erika,

Which version of Windows are you analysing?

You say 'psscan' returns no results, how about pslist and psxview?

I would agree that psscan finding nothing is odd.

And how was the image acquired?

Let us know!

Adam

On 31 May 2016 at 21:38, Erika Noerenberg <erika.noerenberg@gmail.com> wrote:

Hello all,

I am analyzing a memory dump and looking at execution in a period of known bad activity, and have been able to gather quite a bit of information using volatility. For some reason though, shimcache and psscan return no results, although all the other plugins I've run (and volshell) have worked fine. I find it hard to believe that psscan for one can find no _EPROCESS structures, so I'm not sure what's happening. Also, in the results from the timeliner, I have several entries with blank shimcache entries like "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate with shimcache entries on disk, so I know something is just not being picked up.

Any ideas on why shimcache/psscan would produce no results? I'm not sure about the best way to track down the reason.

Thanks!
Erika

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users