Rob,

I have looked at your dump and found a weird thing. Your memory dump seems to be bigger than it should be.

The memory range of your dump is

    Start          End
    0x1000         0x9F000
    0x100000       0xCFDFF000
    0x100000000    0x128000000


So the total size of the memory dump should be 4 966 055 936 bytes (i.e. 0x128000000).

However, the size of your memory dump is 4 967 100 416 bytes.

Maybe I'm missing something, but it seems that Rob's memory dump has 1020 KB more data in it (i.e. 1 044 480 bytes)...

Any ideas why? Could it be an ASCII FTP transfer problem?

Sebastien
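As an added example (not code from the thread, winpmem or Volatility), a small Python check that turns Sebastien's arithmetic into a reusable test: given the run table an acquisition tool reports and the on-disk size of the image, it computes the expected size of a padded raw image (file offset equals physical address, holes zero-filled, which is the layout Sebastien's figure of 0x128000000 assumes), the amount of real RAM in the runs, and the unexplained residual in bytes and 4 KiB pages. The run list and file size below are Rob's, copied from the message above.

```python
# Sanity-check a raw physical-memory image against its run table.
# Added example; not code from the thread, winpmem or Volatility.
from dataclasses import dataclass

PAGE = 0x1000  # x86 page size; residuals are reported in pages

# Runs from Sebastien's table above: (start, end) physical addresses.
ROB_RUNS = [
    (0x1000, 0x9F000),
    (0x100000, 0xCFDFF000),
    (0x100000000, 0x128000000),
]
ROB_FILE_SIZE = 4_967_100_416  # observed size of Rob's dump (from the thread)


@dataclass
class SizeCheck:
    span_bytes: int        # highest physical address = size of a padded image
    run_bytes: int         # bytes of real RAM = size of an unpadded image
    residual: int          # observed size minus the padded expectation
    residual_pages: float  # residual expressed in 4 KiB pages


def validate_runs(runs):
    """Reject run tables that are unsorted, overlapping or not page aligned."""
    prev_end = 0
    for start, end in runs:
        if start % PAGE or end % PAGE:
            raise ValueError(f"run {start:#x}-{end:#x} is not page aligned")
        if start < prev_end or end <= start:
            raise ValueError(f"run {start:#x}-{end:#x} overlaps or is empty")
        prev_end = end


def check_dump_size(runs, file_size):
    """Compare an image's on-disk size with what its run table implies.

    A padded raw image is as long as the highest physical address (holes
    zero-filled); one that stores only the runs is as long as their sum.
    """
    validate_runs(runs)
    span = max(end for _, end in runs)
    real = sum(end - start for start, end in runs)
    residual = file_size - span
    return SizeCheck(span, real, residual, residual / PAGE)


if __name__ == "__main__":
    r = check_dump_size(ROB_RUNS, ROB_FILE_SIZE)
    print(f"padded expectation {r.span_bytes:,} ({r.span_bytes:#x}), "
          f"real RAM {r.run_bytes:,}, residual {r.residual:,} bytes "
          f"= {r.residual_pages:g} pages")
```

A residual that is a whole number of pages (here 255) points at extra or duplicated pages in the image rather than at byte-level corruption; an ASCII-mode FTP transfer would instead change the size by a data-dependent, non-page-sized amount.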
On Wed, Nov 6, 2013 at 12:20 PM, Dewhirst, Rob <robdewhirst@gmail.com> wrote:
kdbgscan had no results.  When we acquired we used the default mode -
winpmem.exe file.raw

I can probably share this 5GB dump with individuals if that helps, so
long as it doesn't end up in some public corpus.

On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette@gmail.com> wrote:
> Hi Rob,
>   It looks to me like volatility can not find the correct kdbg
> location. Can you please also try the kdbgscan module? When you
> acquired the image did you use the default mode ("physical" - maps
> \\.\PhysicalMemory device)?
>
> Thanks
> Michael.
_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users