2:34 p.m.
Hi all,
I'm definitely still learning with memory forensics, but I can't get my
head around this one.
I created a Virtualbox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wcim os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
3:26 p.m.
New subject: Newbie Question: How did 512MB become 4GB? (no pagefile, no pae)
Hey Adam,
Try running the vboxinfo plugin on your .elf file and look at the memory
segmentation. Most likely you will see a range starting at 0xE0000000 which
is for the virtualbox hardware device memory (vga, pci, etc). The imagecopy
plugin will 0-pad your raw dump to be large enough to include those memory
segments. This won't happen when you convert formats like crash, hiber, etc
into raw because those don't contain the hardware memory ranges to begin
with. A bit more info is in the meta-data section of
https://code.google.com/p/volatility/wiki/VirtualBoxCoreDump.
Hope this helps,
MHL
On Wed, Aug 28, 2013 at 2:34 PM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:
Hi all,
I'm definitely still learning with memory forensics, but I can't get my
head around this one.
I created a Virtualbox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wcim os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4:41 p.m.
New subject: Newbie Question: How did 512MB become 4GB? (no pagefile, no pae)
Thanks so much for the comments.
The padding to take in the hardware device memory makes sense.
~/dev/volatility-svn $ python vol.py -f ~/memtest/win7.elf vboxinfo
Volatile Systems Volatility Framework 2.3_beta
Magic: 0xc01ac0de
Format: 0x10000
VirtualBox 4.2.12 (revision 84980)
CPUs: 1
File Offset Memory Offset Size
----------- ------------- ----------
0x0000006f0 0x00000000000 0x20000000
0x0200006f0 0x000e0000000 0x01200000 <-- This one [1]?
0x0212006f0 0x000f0000000 0x00400000 <-- Or maybe this one [2]?
0x0216006f0 0x000f0400000 0x00004000
0x0216046f0 0x000ffff0000 0x00010000
(Yes, this is a different elf file. I redid my process to check - same
result.)
From reading Teuwen's personal wiki, I can see that
I could rip out just
the system RAM.
For those that are wondering, yes, I do know that I can use the elf file
directly in 2.3_beta.
I was just wondering - 4GB seemed a suspiciously round number.
Thanks again. I'll continue to play.
Adam
On 28/08/13 20:26, Michael Hale Ligh wrote:
Hey Adam,
Try running the vboxinfo plugin on your .elf file and look at the
memory segmentation. Most likely you will see a range starting at
0xE0000000 which is for the virtualbox hardware device memory (vga,
pci, etc). The imagecopy plugin will 0-pad your raw dump to be large
enough to include those memory segments. This won't happen when you
convert formats like crash, hiber, etc into raw because those don't
contain the hardware memory ranges to begin with. A bit more info is
in the meta-data section
of https://code.google.com/p/volatility/wiki/VirtualBoxCoreDump.
Hope this helps,
MHL
On Wed, Aug 28, 2013 at 2:34 PM, Adam Bridge <adam.bridge(a)yahoo.com
<mailto:adam.bridge@yahoo.com>> wrote:
Hi all,
I'm definitely still learning with memory forensics, but I can't
get my
head around this one.
I created a Virtualbox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wcim os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra
data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong
somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org <mailto:Vol-users@volatilityfoundation.org>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
If you like, we could go PGP..?
4:56 p.m.
New subject: Newbie Question: How did 512MB become 4GB? (no pagefile, no pae)
Yep, you could even just do something like:
$ dd if=win7.elf of=raw.mem bs=512 count=1048576 (where 1048576 =
0x20000000 / 512)
...if of course you only wanted main memory. You could also short circuit
the loop in the VirtualBoxCoreDumpElf64 address space where it builds the
runs and only keep the first one.
MHL
On Wed, Aug 28, 2013 at 4:41 PM, Adam Bridge <adam.bridge(a)yahoo.com> wrote:
Thanks so much for the comments.
The padding to take in the hardware device memory makes sense.
~/dev/volatility-svn $ python vol.py -f ~/memtest/win7.elf vboxinfo
Volatile Systems Volatility Framework 2.3_beta
Magic: 0xc01ac0de
Format: 0x10000
VirtualBox 4.2.12 (revision 84980)
CPUs: 1
File Offset Memory Offset Size
----------- ------------- ----------
0x0000006f0 0x00000000000 0x20000000
0x0200006f0 0x000e0000000 0x01200000 <-- This one [1]?
0x0212006f0 0x000f0000000 0x00400000 <-- Or maybe this one [2]?
0x0216006f0 0x000f0400000 0x00004000
0x0216046f0 0x000ffff0000 0x00010000
(Yes, this is a different elf file. I redid my process to check - same
result.)
From reading Teuwen's personal wiki, I can see that I could rip out just
the system RAM.
For those that are wondering, yes, I do know that I can use the elf file
directly in 2.3_beta.
I was just wondering - 4GB seemed a suspiciously round number.
Thanks again. I'll continue to play.
Adam
On 28/08/13 20:26, Michael Hale Ligh wrote:
Hey Adam,
Try running the vboxinfo plugin on your .elf file and look at the memory
segmentation. Most likely you will see a range starting at 0xE0000000 which
is for the virtualbox hardware device memory (vga, pci, etc). The imagecopy
plugin will 0-pad your raw dump to be large enough to include those memory
segments. This won't happen when you convert formats like crash, hiber, etc
into raw because those don't contain the hardware memory ranges to begin
with. A bit more info is in the meta-data section of
https://code.google.com/p/volatility/wiki/VirtualBoxCoreDump.
Hope this helps,
MHL
On Wed, Aug 28, 2013 at 2:34 PM, Adam Bridge <adam.bridge(a)yahoo.com>wrote:
Hi all,
I'm definitely still learning with memory forensics, but I can't get my
head around this one.
I created a Virtualbox VM of Win7SP1x86 with 512MB RAM.
I disabled the pagefile - confirmed with reboot that pagefile.sys
disappeared.
I disabled pae - confirmed with reboot followed by: wcim os get
PAEEnabled, returned FALSE.
I then used:
vboxmanage debugvm "Win7" dumpguestcore --filename test.elf
to grab the ELF64 dump.
This file is: 569.5MB
I then used:
python vol.py -f test.elf --profile=Win7SP1x86 imagecopy -O test.raw
test.raw is: 4.0GB
Given that pae is off and pagefile.sys is off, where has the extra data
come from?!
I get that in 32-bit, we can represent up to 0xFFFFFFFF (2^32) = 4GB,
but where has the extra data come from?
Is it all going to be 0-padded or have I done something wrong somewhere?!
Any clues, tips, links to read, and flames welcome.
Adam
--
If you like, we could go PGP..?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
If you like, we could go PGP..?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4096
days inactive
4096
days old
vol-users@lists.volatilityfoundation.org
3 comments
2 participants
participants (2)
-
Adam Bridge -
Michael Hale Ligh