On May 31, 2016, at 6:42 PM, Erika Noerenberg
<erika.noerenberg(a)gmail.com> wrote:
Yes, sorry - pslist and psxview show normal results (although the psscan column in
psxview is all False of course). The system is Win 7 x64 and the memory was dumped from
Carbon Black's endpoint response agent (not by me).
On Tue, May 31, 2016 at 4:29 PM, Bridgey theGeek
<bridgeythegeek(a)gmail.com> wrote:
Hi Erika,
Which version of Windows are you analysing?
You say 'psscan' returns no results, how about pslist and psxview?
I would agree that psscan finding nothing is odd.
And how was the image acquired?
Let us know!
Adam
> On 31 May 2016 at 21:38, Erika Noerenberg <erika.noerenberg(a)gmail.com> wrote:
> Hello all,
>
> I am analyzing a memory dump and looking at execution in a period of known bad activity, and have been able to gather quite a bit of information using volatility. For some reason though, shimcache and psscan return no results, although all the other plugins I've run (and volshell) have worked fine. I find it hard to believe that psscan for one can find no _EPROCESS structures, so I'm not sure what's happening. Also, in the results from the timeliner, I have several entries with blank shimcache entries like "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate with shimcache entries on disk, so I know something is just not being picked up.
>
> Any ideas on why shimcache/psscan would produce no results? I'm not sure about the best way to track down the reason.
>
> Thanks!
> Erika
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
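A quick check that narrows the question in the thread, added here as an example and not part of the original messages or of Volatility itself: psscan works by scanning physical memory for the pool tag of the allocation that holds each _EPROCESS. If that tag cannot be found in the raw image at all, the problem is with the image (format, completeness, acquisition), not with the plugin or profile. The script below scans a raw image for the process pool tag of Windows 7 ("Pro\xe3": "Proc" with the protected-pool bit set on the last byte) and of Windows 8 and later ("Proc"), counting only occurrences where the tag sits at offset 4 of a 16-byte-aligned pool header, as it does on x64. The image path on the command line and the constructed sample buffer are assumptions; the expected behaviour on a real dump is that the tag for the analysed Windows version appears many times.

```python
import mmap
import sys

# Pool tags psscan looks for, by Windows generation (x64 pool headers are
# 16 bytes and 16-byte aligned; the tag is the second DWORD of the header).
PROCESS_POOL_TAGS = {
    "win7": b"Pro\xe3",   # 'c' | 0x80: protected pool on Windows 7 / 2008 R2
    "win8+": b"Proc",     # plain tag on Windows 8 and later
}
POOL_ALIGNMENT = 16
TAG_OFFSET = 4


def find_aligned_pool_headers(image, tag, alignment=POOL_ALIGNMENT,
                              tag_offset=TAG_OFFSET):
    """Return offsets of pool headers whose tag matches and that are aligned.

    `image` is any object with a bytes-like .find(), e.g. bytes or an mmap."""
    hits = []
    pos = image.find(tag)
    while pos != -1:
        header = pos - tag_offset
        # Unaligned matches are just the tag bytes occurring in data; skip them.
        if header >= 0 and header % alignment == 0:
            hits.append(header)
        pos = image.find(tag, pos + 1)
    return hits


def summarize_process_tags(image, tags=PROCESS_POOL_TAGS):
    """Map each Windows generation to the number of aligned tag hits."""
    return {name: len(find_aligned_pool_headers(image, tag))
            for name, tag in tags.items()}


def build_sample_image():
    """Constructed 4 KiB buffer: two aligned headers and one unaligned decoy."""
    buf = bytearray(0x1000)
    buf[0x104:0x108] = b"Pro\xe3"   # aligned Win7 header at 0x100
    buf[0x203:0x207] = b"Pro\xe3"   # unaligned: must be ignored
    buf[0x304:0x308] = b"Proc"      # aligned Win8+ header at 0x300
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python pooltag_check.py <raw_image>; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            mm = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            print(summarize_process_tags(mm))
    else:
        print(summarize_process_tags(build_sample_image()))
```

Zero hits for the tag matching the profile in use (here win7) means psscan has nothing to find in this image, so the next step is to verify the acquisition format and whether the dump is a complete physical image; a healthy count with psscan still empty points at the profile or plugin setup instead.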