kdbgscan had no results. When we acquired we used the default mode -
winpmem.exe file.raw
I can probably share this 5GB dump with individuals if that helps, so
long as it doesn't end up in some public corpus.
On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette(a)gmail.com> wrote:
Hi Rob,
It looks to me like Volatility cannot find the correct kdbg
location. Can you please also try the kdbgscan module? When you
acquired the image did you use the default mode ("physical" - maps
\\.\PhysicalMemory device)?
Thanks
Michael.