Hi,
I've a problem with an image from a Microsoft Surface tablet.
I've verified that the OS is Windows 10 Pro 64-bit, and "imageinfo" confirms that:
Suggested Profile(s) : Win10x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/srv/evidence/memdump.mem)
PAE type : No PAE
DTB : 0x1ab000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2016-06-16 12:52:11 CEST+0200
Image local date and time : 2016-06-16 12:52:11 +0200
However, all commands take hours to complete: imageinfo took about an hour,
kdbgscan was closer to 10 hours (I let it run through the night).
$ ./vol.py --tz=CET --profile=Win10x64 -f /srv/evidence//memdump.mem kdbgscan
Volatility Foundation Volatility Framework 2.5
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
Offset (V) : 0xf8033cb38a60
Offset (P) : 0x268d38a60
KdCopyDataBlock (V) : 0xf8033c9965d0
Block encoded : Yes
Wait never : 0x1d323b0baac9580
Wait always : 0xf0e3591e003a646a
KDBG owner tag check : False
Profile suggestion (KDBGHeader): Win10x64
Service Pack (CmNtCSDVersion) : -
Build string (NtBuildLab) : -
PsActiveProcessHead : 0xb276fbddbd63c845 (0 processes)
PsLoadedModuleList : 0xf249d7ddbd63c805 (0 modules)
KernelBase : 0xfe52e3ddbd63c885 (Matches MZ: False)
Major (OptionalHeader) : -
Minor (OptionalHeader) : -
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
Offset (V) : 0xf8033cb38a60
Offset (P) : 0x268d38a60
KdCopyDataBlock (V) : 0xf8033ca31a14
Block encoded : Yes
Wait never : 0xf0e3591e003a646a
Wait always : 0x1d323b0baac9580
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win10x64
Version64 : 0xf8033cb38dc0 (Major: 15, Minor: 10586)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : 10586.306.amd64fre.th2_release_s
PsActiveProcessHead : 0xfffff8033cb4d160 (91 processes)
PsLoadedModuleList : 0xfffff8033cb52cd0 (202 modules)
KernelBase : 0xfffff8033c874000 (Matches MZ: True)
Major (OptionalHeader) : 10
Minor (OptionalHeader) : 0
KPCR : 0xfffff8033cb91000 (CPU 0)
KPCR : 0xffffd001cc54a000 (CPU 1)
KPCR : 0xffffd001cc5c9000 (CPU 2)
KPCR : 0xffffd001cc648000 (CPU 3)
I think the latter part is the right one, but when I run pslist with the value
for KdCopyDataBlock, I get something like this; using other options/values simply
gives empty output.
$ ./vol.py --tz=CET --profile=Win10x64 -f /srv/evidence/memdump.mem --kdbg=0xf8033ca31a14 psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000c001edeb7bce                  42...2 23...8 0x6b76ffffffd80000 5914-08-12 10:20:02 CET+0100
0x0000c001eed47b6e o                42...2 57...7 0x2b30fffffff00000 9767-04-28 16:32:54 CET+0100
0x0000e00087491680                  4      0      0x00000000001ab000 2016-06-06 18:03:31 CEST+0200
0x0000e0008765d7c0 0??              3600   3524   0x000000017ccc3000 2016-06-06 18:03:44 CEST+0200
0x0000e000876657c0 ??e?             3608   3600   0x000000017ccf8000 2016-06-06 18:03:44 CEST+0200
0x0000e00087f73080                  7200   4812   0x00000001cbc8e000 2016-06-07 23:07:21 CEST+0200
0x0000e000897597c0 ??s?             372    4      0x0000000250219000 2016-06-06 18:03:31 CEST+0200
0x0000e0008a27f7c0                  6012   5208   0x0000000200ad7000 2016-06-06 18:13:22 CEST+0200
0x0000e0008a2c45c0 ?;?              6088   700    0x00000001f4eeb000 2016-06-06 18:10:22 CEST+0200
0x0000e0008a3067c0                  4260   6572   0x00000001edf60000 2016-06-06 23:16:37 CEST+0200
0x0000e0008cbc67c0 P???             2564   700    0x0000000173299000 2016-06-06 18:03:41 CEST+0200
0x0000e0008cf997c0 ??|?             2780   700    0x000000013a0e0000 2016-06-06 18:03:41 CEST+0200
I can't say whether the addresses and PIDs (the first two look bad) are
correct, but the process name field surely does not look good. Any ideas?
Best regards,
Klaus Möller, DFN-CERT
--
Dipl. Inform. Klaus Moeller (Consulting Analysis Training Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556
DFN-CERT Services GmbH,
https://www.dfn-cert.de/, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
We will be at it-sa: 18.-20.10.2016
http://www.it-sa.de
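The selection the mail reasons through by hand (prefer the kdbgscan candidate whose owner tag check passes, whose KernelBase matches an MZ header and whose process list is populated, then pass its KdCopyDataBlock as --kdbg because the block is encoded) can be scripted. The following is an added example, not code from the mail or from Volatility; the kdbgscan text is trimmed from the output quoted above, and parse_candidates, score and best_kdbg are my own helper names.

```python
import re

# Two kdbgscan candidates, trimmed from the output quoted in the mail above.
KDBGSCAN_OUTPUT = """\
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
KdCopyDataBlock (V)           : 0xf8033c9965d0
KDBG owner tag check          : False
PsActiveProcessHead           : 0xb276fbddbd63c845 (0 processes)
KernelBase                    : 0xfe52e3ddbd63c885 (Matches MZ: False)
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
KdCopyDataBlock (V)           : 0xf8033ca31a14
KDBG owner tag check          : True
Version64                     : 0xf8033cb38dc0 (Major: 15, Minor: 10586)
PsActiveProcessHead           : 0xfffff8033cb4d160 (91 processes)
KernelBase                    : 0xfffff8033c874000 (Matches MZ: True)
"""

def parse_candidates(text):
    """Split kdbgscan output at the '*' separator lines; one field dict per candidate."""
    candidates = []
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("Instantiating"):
                continue  # not a "Field : value" line
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            candidates.append(fields)
    return candidates

def score(cand):
    """Rank: owner tag check passed, KernelBase sits on an MZ header, more processes."""
    m = re.search(r"\((\d+) processes\)", cand.get("PsActiveProcessHead", ""))
    return (cand.get("KDBG owner tag check") == "True",
            "Matches MZ: True" in cand.get("KernelBase", ""),
            int(m.group(1)) if m else 0)

def best_kdbg(text):
    """Return (KdCopyDataBlock to pass as --kdbg, build number), or (None, None)."""
    cands = parse_candidates(text)
    best = max(cands, key=score) if cands else {}
    if not score(best)[0]:
        return None, None  # nothing passed the owner tag check: do not trust it
    m = re.search(r"Minor: (\d+)", best.get("Version64", ""))
    return best["KdCopyDataBlock (V)"], (int(m.group(1)) if m else None)
```

The build number returned alongside the offset is what to compare against the profile actually loaded, since the candidate header in the sample reports a different build than the one in the Version64 line.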