Yeah, that is unfortunate. I'd still recommend trying Redline just to prove that it's not a Volatility bug. You may have better luck with DumpIt 2.0 (unless that's what you're already using). The only tool we've seen consistently work is KntDD, but it's not free (not expensive either, but just letting you know). Yes, feel free to email me off-list with whatever questions you have.
MHL
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
On Apr 22, 2014, at 1:41 PM, Lay, James <james.lay(a)wincofoods.com> wrote:
Well shoot...yeah, psscan got me nothing either. So to prevent this in the future, what app are people using on 64-bit Windows and 8 gigs of RAM? Also, Michael, can I contact you off-list for a non-Volatility mailing list admin type question? Thank you.
James
-----Original Message-----
From: Michael Ligh [mailto:michael.ligh@mnin.org]
Sent: Tuesday, April 22, 2014 12:37 PM
To: Lay, James
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Unexpected results
This happens quite often with x64 systems, large memory, and DumpIt. I'm
sad to say the image was probably corrupted during acquisition, but you
can test by acquiring with another tool or by loading your current
memory dump in another analysis framework like Redline to see if it can
recognize anything.
Also, you can probably use psscan to get a partial list of processes by
scanning. My guess is that some page(s) that are required for traversing
the linked list of processes were not acquired properly.
Hope this helps,
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
http://mnin.org/gpg.pubkey.txt
Blog:
http://volatility-labs.blogspot.com
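The failure mode described above (pslist following the process linked list into a page that was never acquired, while psscan still recovers whatever process blocks were captured intact) can be reproduced on a toy image. The Python below is an added example for this thread, not code from the list or from Volatility itself: the record layout, the "PROC" tag, the page offsets and the process table are all constructed stand-ins for the real _EPROCESS and _POOL_HEADER structures, and the plausibility checks are the kind of sanity test an analyst applies to a row like the one James posted (unprintable name, impossible PID, year 3302).

```python
"""
Toy model of pslist (linked-list walk) versus psscan (tag scan) over a memory
image with one page missing. Everything here is constructed for illustration;
the record format and the b"PROC" tag are NOT the real Windows structures.
"""
import struct
from datetime import datetime, timezone

PAGE = 0x1000
TAG = b"PROC"                       # constructed tag, stands in for the real pool tag
REC = struct.Struct("<4sIQQ16sQ")   # tag, pid, flink, blink, name, create_time (unix secs)
HEAD = 0x40                         # offset of the list-head flink pointer in the toy image

# Constructed sample process table: (pid, name, create time as unix seconds, April 2014)
SAMPLE_PROCS = [
    (4,   "System",       1398100000),
    (340, "smss.exe",     1398100010),
    (512, "csrss.exe",    1398100020),
    (620, "wininit.exe",  1398100030),
    (900, "explorer.exe", 1398100040),
]


def build_image(procs=SAMPLE_PROCS, pages=8):
    """Place process k on page k+1 and link the records into a doubly linked ring."""
    img = bytearray(PAGE * pages)
    offs = [PAGE * (i + 1) for i in range(len(procs))]
    for i, (pid, name, ctime) in enumerate(procs):
        flink = offs[(i + 1) % len(offs)]
        blink = offs[(i - 1) % len(offs)]
        img[offs[i]:offs[i] + REC.size] = REC.pack(
            TAG, pid, flink, blink, name.encode().ljust(16, b"\0"), ctime)
    struct.pack_into("<Q", img, HEAD, offs[0])      # list head points at the first record
    return bytes(img)


def corrupt_page(img, page_index, fill=b"\x35\x3f\x3f\x62"):
    """Overwrite one page with junk: a stand-in for a page the acquisition tool never captured."""
    b = bytearray(img)
    start = page_index * PAGE
    b[start:start + PAGE] = (fill * (PAGE // len(fill)))[:PAGE]
    return bytes(b)


def parse(img, off):
    """Decode a record at `off`, or return None if the pointer leaves the image."""
    if off < 0 or off + REC.size > len(img):
        return None
    tag, pid, flink, blink, name, ctime = REC.unpack_from(img, off)
    return {"offset": off, "tag": tag, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode("latin-1"), "ctime": ctime}


def plausible(rec):
    """Row-level sanity checks: printable short name, Windows-style PID, sane creation year."""
    name_ok = 0 < len(rec["name"]) <= 15 and rec["name"].isprintable()
    pid_ok = rec["pid"] % 4 == 0 and rec["pid"] < 0x10000    # Windows PIDs are multiples of 4
    try:
        year = datetime.fromtimestamp(rec["ctime"], tz=timezone.utc).year
    except (OverflowError, OSError, ValueError):
        return False
    return name_ok and pid_ok and 1990 <= year <= 2100


def pslist(img, max_steps=64):
    """Walk the flink chain from the list head, as pslist does; stop on a bad pointer or a loop."""
    out, seen = [], set()
    (off,) = struct.unpack_from("<Q", img, HEAD)
    while off not in seen and len(out) < max_steps:
        seen.add(off)
        rec = parse(img, off)
        if rec is None:
            break            # junk flink led outside the image: the walk ends here
        out.append(rec)      # note: a junk record read from the missing page is still appended
        off = rec["flink"]
    return out


def psscan(img):
    """Locate records by tag anywhere in the image, ignoring the list pointers entirely."""
    out, i = [], img.find(TAG)
    while i != -1:
        rec = parse(img, i)
        if rec and plausible(rec):
            out.append(rec)
        i = img.find(TAG, i + 1)
    return out


def demo():
    clean = build_image()
    damaged = corrupt_page(clean, 3)           # lose the page holding csrss.exe
    return {
        "pslist_clean": [r["name"] for r in pslist(clean)],
        "pslist_damaged": [r["name"] for r in pslist(damaged)],
        "psscan_damaged": [r["name"] for r in psscan(damaged)],
        "suspicious_rows": [r["name"] for r in pslist(damaged) if not plausible(r)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the damaged image the list walk returns two good rows and then one junk row read from the missing page, after which the garbage flink points outside the image and the walk stops; the tag scan skips the missing page and returns the four records that survived. The plausibility check flags the junk row the same way a human reads the posted output: a name that is not a real string and a timestamp centuries in the future mean the bytes at that offset are not a process block.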
On Apr 22, 2014, at 11:14 AM, Lay, James <james.lay(a)wincofoods.com> wrote:
Hey all,
So...Win 7 SP1 64-bit..here's what I got:

vol.py -f bleh-20140421-203458.raw imageinfo
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...
          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/bleh/bleh-20140421-203458.raw)
                      PAE type : No PAE
                           DTB : 0x187000L

vol.py --profile Win7SP1x64 -f bleh-20140421-203458.raw pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80066b8040 5??b                 32...4 79...2 14...6 -------- ------ 1      3302-11-11 21:17:40 UTC+0000
And that's it. This was dumped using DumpIt. Is there something I'm
missing? My process:
wget latest volatility
python setup.py build
sudo python setup.py install
then the above commands. Thanks for any assistance.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users