Jamie,
I was wondering if it was a rehash of that thread as well.
Judging from another image from the same collection, they used FTK Imager.
hivelist fails:
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 hivelist -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
Virtual Physical Name
------------------ ------------------ ----
Praha:Memory Image kovar$
Also, it is a 9.6GB image.
-David
On Feb 19, 2013, at 8:15 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
hrmmm I wonder if this might be a replay of this
thread:
http://lists.volatilityfoundation.org/pipermail/vol-users/2012-August/00057…
We can try to see if the registry stuff still works.
Can you try hivelist and see if that works? If so, please try to
print out the services key and then maybe we'll get a clue as to how
it was acquired.
$ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K "currentcontrolset"
^ get the current control set
and then:
$ python vol.py -f [sample] --profile=Win7SP1x64 printkey -K "ControlSet001\Services"
^ replace "ControlSet001" with the current control set if it differs
Of course it is possible that this won't work either, or keys might be
missing, but it's worth a try.
On Mon, Feb 18, 2013 at 5:23 PM, David Kovar <dkovar(a)gmail.com> wrote:
Jamie,
Alas, no info on the acquisition process.
Both psscan and modscan fail to complete as well:
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 psscan -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ -------------------- --------------------
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 modscan -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
Offset(P) Name Base Size File
------------------ -------------------- ------------------ ------------------ ----
0x000000000339e4c1 0x0000304b8b48ffad 0x82d5e800
Same behavior for netscan....
-David
On Feb 18, 2013, at 4:08 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
How was this sample acquired? Have you tried
running any other
plugins, like psscan or modscan on it? It's interesting because some
information is populating correctly there but you have no processes or
modules.... Try psscan and modscan and let us know what happens.
On Mon, Feb 18, 2013 at 4:53 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
I'm unable to run scan tasks against a memory image and get "AttributeError:
Could not list tasks, please verify your --profile with kdbgscan". I'm using
2.3_alpha updated just a moment ago.
imageinfo:
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/usr/local/malware/XXXXXXX/XXXX-memdump.mem)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf80002ff70a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xf80002ff8d00
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2013-02-01 17:40:54 UTC+0000
Image local date and time : 2013-02-01 09:40:54 -0800
kdbgscan:
Praha:Memory Image kovar$ vol.py --profile=Win7SP1x64 kdbgscan -f *.mem
Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V) : 0xf80002ff70a0
Offset (P) : 0x2ff70a0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64 : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead : 0xf8000302d370 (0 processes)
PsLoadedModuleList : 0xf8000304b670 (0 modules)
KernelBase : 0xfffff80002e07000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 1
KPCR : 0xf80002ff8d00 (CPU 0)
Thanks for any help you might be able to offer.
-David
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
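The kdbgscan output above shows the pattern that makes this image hard to work with: every candidate passes the KDBG owner-tag check and the kernel base matches an MZ header, yet PsActiveProcessHead and PsLoadedModuleList both walk to zero entries. The script below is an added example written for this thread, not code from Volatility or from either poster. It parses kdbgscan's per-candidate blocks and classifies each one, so that an image like David's is flagged as "unreadable-lists" before you burn time on list-walking plugins. The sample text is constructed: the first block copies the shape of the output quoted in the thread, the second and third are invented (with made-up offsets and counts) to show a usable candidate and one that fails the owner-tag check.

```python
"""Triage Volatility 2.x kdbgscan output for candidates whose list heads
cannot be walked. Added example for this thread; not Volatility's own code."""
import re

# Constructed sample. Block 1 mirrors the thread's output; blocks 2 and 3
# are invented so the three verdicts below all appear.
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002ff70a0
Offset (P)                    : 0x2ff70a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64                     : 0xf80002ff7068 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.17944.amd64fre.win7sp1_gdr.
PsActiveProcessHead           : 0xf8000302d370 (0 processes)
PsLoadedModuleList            : 0xf8000304b670 (0 modules)
KernelBase                    : 0xfffff80002e07000 (Matches MZ: True)
KPCR                          : 0xf80002ff8d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002fe80a0
Offset (P)                    : 0x2fe80a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0xf8000301e370 (37 processes)
PsLoadedModuleList            : 0xf8000303c670 (142 modules)
KernelBase                    : 0xfffff80002df8000 (Matches MZ: True)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf80002c110a0
Offset (P)                    : 0x2c110a0
KDBG owner tag check          : False
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead           : 0xf80002c47370 (0 processes)
PsLoadedModuleList            : 0xf80002c65670 (0 modules)
KernelBase                    : 0xfffff80002a21000 (Matches MZ: False)
"""

FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")
SEPARATOR = "*" * 10  # kdbgscan prints a row of asterisks before each block


def parse_kdbgscan(text):
    """Return one dict of field -> value per candidate block."""
    candidates, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(SEPARATOR):
            if current:
                candidates.append(current)
            current = {}
            continue
        if current is None:
            continue  # banner lines printed before the first block
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        candidates.append(current)
    return candidates


def _count(value, noun):
    """Pull the '(N processes)' or '(N modules)' count out of a field value."""
    m = re.search(r"\((\d+) %s\)" % noun, value or "")
    return int(m.group(1)) if m else None


def triage(candidate):
    """Classify a candidate as 'usable', 'unreadable-lists' or 'reject'."""
    profile = candidate.get("Profile suggestion (KDBGHeader)", "?")
    tag_ok = candidate.get("KDBG owner tag check") == "True"
    mz_ok = "Matches MZ: True" in candidate.get("KernelBase", "")
    procs = _count(candidate.get("PsActiveProcessHead"), "processes")
    mods = _count(candidate.get("PsLoadedModuleList"), "modules")
    if not (tag_ok and mz_ok):
        return profile, "reject"
    if procs and mods:
        return profile, "usable"
    # Header and kernel image are consistent, yet walking both list heads
    # yields nothing: most likely the pages behind those virtual addresses
    # (or the page tables needed to reach them) are missing from the capture.
    # List-walking plugins will not enumerate anything for this candidate.
    return profile, "unreadable-lists"


def summarize(text):
    """Triage every candidate in a kdbgscan dump, in the order printed."""
    return [triage(c) for c in parse_kdbgscan(text)]


if __name__ == "__main__":
    for profile, verdict in summarize(SAMPLE_KDBGSCAN):
        print("%-16s %s" % (profile, verdict))
```

Feed it a real dump with `vol.py --profile=... kdbgscan -f image.mem > kdbgscan.txt` and call `summarize(open("kdbgscan.txt").read())`. A candidate marked "unreadable-lists" is the situation this thread is about: the profile is right, but pslist/modules-style plugins have nothing to walk, so the next step is a scanner or registry-based route (hivelist, printkey) or re-acquiring the image.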