4:18 p.m.
Hey all,
So we're moving to Windows 7 (64-bit) in our environment, and our
current method of getting memory images off of machines has changed.
So we're using EnCase Enterprise to grab memory dumps. Then what I've
been doing is using FTK Imager to convert that to a DD image, and we
run it through our regular tool. I run the same DD image through
Volatility. I'm running Volatility on OS X Lion.
Recently, I've noticed when I'm just doing an imageinfo with
Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
So my first thought was is was an issue with converting an E01 to a DD
image. So I ran a test on a standard Windows 7 build in our
organization.
1) Do a memory collection with EnCase, convert to DD with FTK Imager
2) Do a memory collection with FDPro
3) Do a memory collection with DumpIt
Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
code, and the results were the same with one exception. With the 2.0
code, and the DumpIt memory dump, I got the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.raw)
PAE type : No PAE
But if I try to run another command with --profile=Win7SP0x64 I get:
Volatile Systems Volatility Framework 2.0
ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
I'm just wondering if there's something funky with my Volatility
installation, or if there could be something I need to check in our 7
build that could be causing this.
Thanks ahead of time,
Tom
4:43 p.m.
Hi Tom,
Volatility 2.0 did not support x64 at all, despite its ability to identify
the image as Win7SP0x64. That's why you get "Invalid profile Win7SP0x64
selected" when using Volatility 2.0. So if you plan to analyze x64 you're
best bet is to check out the 2.1 alpha branch.
$ svn checkout https://volatility.googlecode.com/svn/trunk/volatility_21_alpha
You said below that you've already tried "imageinfo" on your Win7 x64 dump
with the 2.1 alpha branch, but I didn't see your output. Could you try
these few commands and paste the results?
$ python vol.py -f memory.raw imageinfo
$ python vol.py -f memory.raw pslist --profile=Win7SP0x64
Note that "imageinfo" is one of the few commands that you do not need to
specify a profile. For most others you need to use --profile=Win7SP0x64.
Let us know if that helps?
MHL
On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
Hey all,
So we're moving to Windows 7 (64-bit) in our environment, and our
current method of getting memory images off of machines has changed.
So we're using EnCase Enterprise to grab memory dumps. Then what I've
been doing is using FTK Imager to convert that to a DD image, and we
run it through our regular tool. I run the same DD image through
Volatility. I'm running Volatility on OS X Lion.
Recently, I've noticed when I'm just doing an imageinfo with
Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no
profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
So my first thought was is was an issue with converting an E01 to a DD
image. So I ran a test on a standard Windows 7 build in our
organization.
1) Do a memory collection with EnCase, convert to DD with FTK Imager
2) Do a memory collection with FDPro
3) Do a memory collection with DumpIt
Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
code, and the results were the same with one exception. With the 2.0
code, and the DumpIt memory dump, I got the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.raw)
PAE type : No PAE
But if I try to run another command with --profile=Win7SP0x64 I get:
Volatile Systems Volatility Framework 2.0
ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
I'm just wondering if there's something funky with my Volatility
installation, or if there could be something I need to check in our 7
build that could be causing this.
Thanks ahead of time,
Tom
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
5:20 p.m.
MHL,
Sorry I got the same output with both the 2.0 stable and the 2.1 alpha branches.
However, I just ran the imageinfo of the DumpIt DD image on the 2.1
alpha branch, and I did get output:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64,
Win2008R2SP1x64, Win2008R2SP0x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memory.raw)
PAE type : PAE
DTB : 0x187000
KDBG : 0xf80002bfe0a0
KPCR : 0xffdff000
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2012-03-07 15:59:22
Image local date and time : 2012-03-07 15:59:22
Number of Processors : 4
Image Type : Service Pack 1
So that worked. I'm trying it again with the FDPro dump, which is a
DD image dump as well. I'll reply back when I get results from that.
I'm guessing it should work but we'll see.
My guess (as someone else suggested to me) is I may need to collect
the memory dumps with EnCase without compression and then either mount
them with mount_ewf.py or convert them with FTK Imager and test that.
What's odd is I did a test on a Win7 64-bit machine I have at home
(E01->DD) and it worked fine.
Thanks,
Tom
On Wed, Mar 7, 2012 at 3:43 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hi Tom,
Volatility 2.0 did not support x64 at all, despite its ability to identify
the image as Win7SP0x64. That's why you get "Invalid profile Win7SP0x64
selected" when using Volatility 2.0. So if you plan to analyze x64 you're
best bet is to check out the 2.1 alpha branch.
$ svn checkout https://volatility.googlecode.com/svn/trunk/
volatility_21_alpha
You said below that you've already tried "imageinfo" on your Win7 x64 dump
with the 2.1 alpha branch, but I didn't see your output. Could you try these
few commands and paste the results?
$ python vol.py -f memory.raw imageinfo
$ python vol.py -f memory.raw pslist --profile=Win7SP0x64
Note that "imageinfo" is one of the few commands that you do not need to
specify a profile. For most others you need to use --profile=Win7SP0x64.
Let us know if that helps?
MHL
On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
Hey all,
So we're moving to Windows 7 (64-bit) in our environment, and our
current method of getting memory images off of machines has changed.
So we're using EnCase Enterprise to grab memory dumps. Then what I've
been doing is using FTK Imager to convert that to a DD image, and we
run it through our regular tool. I run the same DD image through
Volatility. I'm running Volatility on OS X Lion.
Recently, I've noticed when I'm just doing an imageinfo with
Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no
profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
So my first thought was is was an issue with converting an E01 to a DD
image. So I ran a test on a standard Windows 7 build in our
organization.
1) Do a memory collection with EnCase, convert to DD with FTK Imager
2) Do a memory collection with FDPro
3) Do a memory collection with DumpIt
Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
code, and the results were the same with one exception. With the 2.0
code, and the DumpIt memory dump, I got the following:
Volatile Systems Volatility Framework 2.0
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.raw)
PAE type : No PAE
But if I try to run another command with --profile=Win7SP0x64 I get:
Volatile Systems Volatility Framework 2.0
ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
I'm just wondering if there's something funky with my Volatility
installation, or if there could be something I need to check in our 7
build that could be causing this.
Thanks ahead of time,
Tom
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
9:37 a.m.
Ok an update....so I ran the FDPro dump against 2.1 alpha and I'm getting:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
Now what's odd is the FDPro output is a raw DD image. And I've run it
against XP machines without any problems in Volatility.
I also did what MHL suggested and ran:
python vol.py -f memory.bin --profile=Win7SP1x64 pslist
and got this (which I was expecting since I didn't get a "response"
from imageinfo):
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: No base address space provided
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
EWFAddressSpace: EWF signature not present
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: No valid DTB found
JKIA32PagedMemory: Incompatible profile Win7SP1x64 selected
JKIA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
I'm still going to run some other tests (standard Win7 image, run the
dumps through *nix "version" of Volatility, etc).
Tom
On Wed, Mar 7, 2012 at 4:20 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
MHL,
Sorry I got the same output with both the 2.0 stable and the 2.1 alpha branches.
However, I just ran the imageinfo of the DumpIt DD image on the 2.1
alpha branch, and I did get output:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64,
Win2008R2SP1x64, Win2008R2SP0x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memory.raw)
PAE type : PAE
DTB : 0x187000
KDBG : 0xf80002bfe0a0
KPCR : 0xffdff000
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2012-03-07 15:59:22
Image local date and time : 2012-03-07 15:59:22
Number of Processors : 4
Image Type : Service Pack 1
So that worked. I'm trying it again with the FDPro dump, which is a
DD image dump as well. I'll reply back when I get results from that.
I'm guessing it should work but we'll see.
My guess (as someone else suggested to me) is I may need to collect
the memory dumps with EnCase without compression and then either mount
them with mount_ewf.py or convert them with FTK Imager and test that.
What's odd is I did a test on a Win7 64-bit machine I have at home
(E01->DD) and it worked fine.
Thanks,
Tom
On Wed, Mar 7, 2012 at 3:43 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
> Hi Tom,
>
> Volatility 2.0 did not support x64 at all, despite its ability to identify
> the image as Win7SP0x64. That's why you get "Invalid profile Win7SP0x64
> selected" when using Volatility 2.0. So if you plan to analyze x64 you're
> best bet is to check out the 2.1 alpha branch.
>
> $ svn checkout https://volatility.googlecode.com/svn/trunk/
> volatility_21_alpha
>
> You said below that you've already tried "imageinfo" on your Win7 x64
dump
> with the 2.1 alpha branch, but I didn't see your output. Could you try these
> few commands and paste the results?
>
> $ python vol.py -f memory.raw imageinfo
>
> $ python vol.py -f memory.raw pslist --profile=Win7SP0x64
>
> Note that "imageinfo" is one of the few commands that you do not need to
> specify a profile. For most others you need to use --profile=Win7SP0x64.
>
> Let us know if that helps?
>
> MHL
>
> On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
>>
>> Hey all,
>> So we're moving to Windows 7 (64-bit) in our environment, and our
>> current method of getting memory images off of machines has changed.
>> So we're using EnCase Enterprise to grab memory dumps. Then what I've
>> been doing is using FTK Imager to convert that to a DD image, and we
>> run it through our regular tool. I run the same DD image through
>> Volatility. I'm running Volatility on OS X Lion.
>>
>> Recently, I've noticed when I'm just doing an imageinfo with
>> Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
>>
>>
>> Volatile Systems Volatility Framework 2.0
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : No suggestion (Instantiated with no
>> profile)
>> AS Layer1 : FileAddressSpace (memory.bin)
>> PAE type : No PAE
>>
>> So my first thought was is was an issue with converting an E01 to a DD
>> image. So I ran a test on a standard Windows 7 build in our
>> organization.
>>
>> 1) Do a memory collection with EnCase, convert to DD with FTK Imager
>> 2) Do a memory collection with FDPro
>> 3) Do a memory collection with DumpIt
>>
>> Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
>> code, and the results were the same with one exception. With the 2.0
>> code, and the DumpIt memory dump, I got the following:
>>
>>
>> Volatile Systems Volatility Framework 2.0
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : Win7SP0x64 (Instantiated with no profile)
>> AS Layer1 : FileAddressSpace (memory.raw)
>> PAE type : No PAE
>>
>> But if I try to run another command with --profile=Win7SP0x64 I get:
>>
>> Volatile Systems Volatility Framework 2.0
>> ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
>>
>> I'm just wondering if there's something funky with my Volatility
>> installation, or if there could be something I need to check in our 7
>> build that could be causing this.
>>
>> Thanks ahead of time,
>> Tom
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
12:26 p.m.
Hey Tom,
Thanks for the update and helping us investigate issues in the 2.1 alpha
branch. It sounds like DumpIt produces dumps from win7 x64 that work with
volatility, but FDPro does not -- even though FDPro produces dumps from xp
that work with volatility. Is that an accurate summary?
Did you run FDPro on the same machine as DumpIt?
Although both tools output a DD-style dump, the way they acquire the memory
to put in the dump is sometimes drastically different (for example FDPro
has the "smart" feature that probes pages back into RAM etc). So the
difference you're seeing is not totally surprising, but the question is -
can we figure out what's different in the FDPro dump and somehow account
for it.
If imageinfo says "no suggestions" its because the KDBG scan failed. I'd
like to find out if that's because volatility's KDBG scanner is flawed or
because the KDBG signatures are truly not present in the memory dump.
Hopefully you can use the attached yara ruleset (get yara from
http://code.google.com/p/yara-project/) for testing. Use it like this:
$ yara kdbg.yara memory.bin
My guess based on what I've heard is that you'll get results for the dump
produced by DumpIt but not dump produced by FDPro. Can you try that and let
us know...then we'll try and figure out the next steps? If the FDPro dump
doesn't contain a KDBG signature, we'll have to figure out if its an error
in FDPro (failed to acquire that segment) or an error in volatility
(perhaps we have an incorrect signature).
Thanks Tom!
MHL
On Thu, Mar 8, 2012 at 9:37 AM, Tom Yarrish <tom(a)yarrish.com> wrote:
Ok an update....so I ran the FDPro dump against 2.1
alpha and I'm getting:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no
profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
Now what's odd is the FDPro output is a raw DD image. And I've run it
against XP machines without any problems in Volatility.
I also did what MHL suggested and ran:
python vol.py -f memory.bin --profile=Win7SP1x64 pslist
and got this (which I was expecting since I didn't get a "response"
from imageinfo):
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: No base address space provided
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
EWFAddressSpace: EWF signature not present
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: No valid DTB found
JKIA32PagedMemory: Incompatible profile Win7SP1x64 selected
JKIA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
I'm still going to run some other tests (standard Win7 image, run the
dumps through *nix "version" of Volatility, etc).
Tom
On Wed, Mar 7, 2012 at 4:20 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
MHL,
Sorry I got the same output with both the 2.0 stable and the 2.1 alpha
branches.
However, I just ran the imageinfo of the DumpIt DD image on the 2.1
alpha branch, and I did get output:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64,
Win2008R2SP1x64, Win2008R2SP0x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (memory.raw)
PAE type : PAE
DTB : 0x187000
KDBG : 0xf80002bfe0a0
KPCR : 0xffdff000
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2012-03-07 15:59:22
Image local date and time : 2012-03-07 15:59:22
Number of Processors : 4
Image Type : Service Pack 1
So that worked. I'm trying it again with the FDPro dump, which is a
DD image dump as well. I'll reply back when I get results from that.
I'm guessing it should work but we'll see.
My guess (as someone else suggested to me) is I may need to collect
the memory dumps with EnCase without compression and then either mount
them with mount_ewf.py or convert them with FTK Imager and test that.
What's odd is I did a test on a Win7 64-bit machine I have at home
(E01->DD) and it worked fine.
Thanks,
Tom
On Wed, Mar 7, 2012 at 3:43 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
> Hi Tom,
>
> Volatility 2.0 did not support x64 at all, despite its ability to
identify
> the image as Win7SP0x64. That's why you
get "Invalid profile Win7SP0x64
> selected" when using Volatility 2.0. So if you plan to analyze x64
you're
> best bet is to check out the 2.1 alpha
branch.
>
> $ svn checkout https://volatility.googlecode.com/svn/trunk/
> volatility_21_alpha
>
> You said below that you've already tried "imageinfo" on your Win7 x64
dump
> with the 2.1 alpha branch, but I didn't
see your output. Could you try
these
> few commands and paste the results?
>
> $ python vol.py -f memory.raw imageinfo
>
> $ python vol.py -f memory.raw pslist --profile=Win7SP0x64
>
> Note that "imageinfo" is one of the few commands that you do not need to
> specify a profile. For most others you need to use --profile=Win7SP0x64.
>
> Let us know if that helps?
>
> MHL
>
> On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
>>
>> Hey all,
>> So we're moving to Windows 7 (64-bit) in our environment, and our
>> current method of getting memory images off of machines has changed.
>> So we're using EnCase Enterprise to grab memory dumps. Then what I've
>> been doing is using FTK Imager to convert that to a DD image, and we
>> run it through our regular tool. I run the same DD image through
>> Volatility. I'm running Volatility on OS X Lion.
>>
>> Recently, I've noticed when I'm just doing an imageinfo with
>> Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
>>
>>
>> Volatile Systems Volatility Framework 2.0
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : No suggestion (Instantiated with no
>> profile)
>> AS Layer1 : FileAddressSpace (memory.bin)
>> PAE type : No PAE
>>
>> So my first thought was is was an issue with converting an E01 to a DD
>> image. So I ran a test on a standard Windows 7 build in our
>> organization.
>>
>> 1) Do a memory collection with EnCase, convert to DD with FTK Imager
>> 2) Do a memory collection with FDPro
>> 3) Do a memory collection with DumpIt
>>
>> Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
>> code, and the results were the same with one exception. With the 2.0
>> code, and the DumpIt memory dump, I got the following:
>>
>>
>> Volatile Systems Volatility Framework 2.0
>> Determining profile based on KDBG search...
>>
>> Suggested Profile(s) : Win7SP0x64 (Instantiated with no
profile)
>> AS Layer1 :
FileAddressSpace (memory.raw)
>> PAE type : No PAE
>>
>> But if I try to run another command with --profile=Win7SP0x64 I get:
>>
>> Volatile Systems Volatility Framework 2.0
>> ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
>>
>> I'm just wondering if there's something funky with my Volatility
>> installation, or if there could be something I need to check in our 7
>> build that could be causing this.
>>
>> Thanks ahead of time,
>> Tom
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
3:35 p.m.
MHL,
No problem, always happy to help.
Your summary is correct, I did here from someone else on the list that
FDPro does work with Windows 7 (32 and 64-bit) with the 2.1_alpha of
Volatility. So it may be how the Windows 7 box I'm using for testing
is configured. I'm going to fire up a Win7 VM that I have and run
FDPro against that and see what happens.
Yes I ran FDPro on the same machine as DumpIt. I'm doing all the
testing on the same Win7 machine, because it's a "corp" build and I
haven't made any changes to it (so it's as close to corp standard as I
can get).
I ran the yara test, and it went right back to a prompt. No output whatsoever.
Finally I did acquire the memory again with EnCase Enterprise, but set
it up for no compression. I converted it to a DD image with FTK
Imager (command line version in this case) and it worked perfectly.
So it looks like the EnCase problem is being caused by the compression
settings (which I guess makes sense when I think about it). I tested
that image against both OS X and Ubuntu (with 2.1_alpha).
Thanks,
Tom
On Thu, Mar 8, 2012 at 11:26 AM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hey Tom,
Thanks for the update and helping us investigate issues in the 2.1 alpha
branch. It sounds like DumpIt produces dumps from win7 x64 that work with
volatility, but FDPro does not -- even though FDPro produces dumps from xp
that work with volatility. Is that an accurate summary?
Did you run FDPro on the same machine as DumpIt?
Although both tools output a DD-style dump, the way they acquire the memory
to put in the dump is sometimes drastically different (for example FDPro has
the "smart" feature that probes pages back into RAM etc). So the difference
you're seeing is not totally surprising, but the question is - can we figure
out what's different in the FDPro dump and somehow account for it.
If imageinfo says "no suggestions" its because the KDBG scan failed. I'd
like to find out if that's because volatility's KDBG scanner is flawed or
because the KDBG signatures are truly not present in the memory dump.
Hopefully you can use the attached yara ruleset (get yara
from http://code.google.com/p/yara-project/) for testing. Use it like this:
$ yara kdbg.yara memory.bin
My guess based on what I've heard is that you'll get results for the dump
produced by DumpIt but not dump produced by FDPro. Can you try that and let
us know...then we'll try and figure out the next steps? If the FDPro dump
doesn't contain a KDBG signature, we'll have to figure out if its an error
in FDPro (failed to acquire that segment) or an error in volatility (perhaps
we have an incorrect signature).
Thanks Tom!
MHL
On Thu, Mar 8, 2012 at 9:37 AM, Tom Yarrish <tom(a)yarrish.com> wrote:
Ok an update....so I ran the FDPro dump against 2.1 alpha and I'm getting:
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with no
profile)
AS Layer1 : FileAddressSpace (memory.bin)
PAE type : No PAE
Now what's odd is the FDPro output is a raw DD image. And I've run it
against XP machines without any problems in Volatility.
I also did what MHL suggested and ran:
python vol.py -f memory.bin --profile=Win7SP1x64 pslist
and got this (which I was expecting since I didn't get a "response"
from imageinfo):
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: No base address space provided
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
EWFAddressSpace: EWF signature not present
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: No valid DTB found
JKIA32PagedMemory: Incompatible profile Win7SP1x64 selected
JKIA32PagedMemoryPae: Incompatible profile Win7SP1x64 selected
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
I'm still going to run some other tests (standard Win7 image, run the
dumps through *nix "version" of Volatility, etc).
Tom
On Wed, Mar 7, 2012 at 4:20 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
> MHL,
> Sorry I got the same output with both the 2.0 stable and the 2.1 alpha
> branches.
>
> However, I just ran the imageinfo of the DumpIt DD image on the 2.1
> alpha branch, and I did get output:
>
> Volatile Systems Volatility Framework 2.1_alpha
> Determining profile based on KDBG search...
>
> Suggested Profile(s) : Win7SP1x64, Win7SP0x64,
> Win2008R2SP1x64, Win2008R2SP0x64
> AS Layer1 : AMD64PagedMemory (Kernel AS)
> AS Layer2 : FileAddressSpace (memory.raw)
> PAE type : PAE
> DTB : 0x187000
> KDBG : 0xf80002bfe0a0
> KPCR : 0xffdff000
> KUSER_SHARED_DATA : 0xfffff78000000000L
> Image date and time : 2012-03-07 15:59:22
> Image local date and time : 2012-03-07 15:59:22
> Number of Processors : 4
> Image Type : Service Pack 1
>
> So that worked. I'm trying it again with the FDPro dump, which is a
> DD image dump as well. I'll reply back when I get results from that.
> I'm guessing it should work but we'll see.
>
> My guess (as someone else suggested to me) is I may need to collect
> the memory dumps with EnCase without compression and then either mount
> them with mount_ewf.py or convert them with FTK Imager and test that.
> What's odd is I did a test on a Win7 64-bit machine I have at home
> (E01->DD) and it worked fine.
>
> Thanks,
> Tom
>
> On Wed, Mar 7, 2012 at 3:43 PM, Michael Hale Ligh
> <michael.hale(a)gmail.com> wrote:
>> Hi Tom,
>>
>> Volatility 2.0 did not support x64 at all, despite its ability to
>> identify
>> the image as Win7SP0x64. That's why you get "Invalid profile
Win7SP0x64
>> selected" when using Volatility 2.0. So if you plan to analyze x64
>> you're
>> best bet is to check out the 2.1 alpha branch.
>>
>> $ svn checkout https://volatility.googlecode.com/svn/trunk/
>> volatility_21_alpha
>>
>> You said below that you've already tried "imageinfo" on your Win7
x64
>> dump
>> with the 2.1 alpha branch, but I didn't see your output. Could you try
>> these
>> few commands and paste the results?
>>
>> $ python vol.py -f memory.raw imageinfo
>>
>> $ python vol.py -f memory.raw pslist --profile=Win7SP0x64
>>
>> Note that "imageinfo" is one of the few commands that you do not need
>> to
>> specify a profile. For most others you need to
>> use --profile=Win7SP0x64.
>>
>> Let us know if that helps?
>>
>> MHL
>>
>> On Wed, Mar 7, 2012 at 4:18 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
>>>
>>> Hey all,
>>> So we're moving to Windows 7 (64-bit) in our environment, and our
>>> current method of getting memory images off of machines has changed.
>>> So we're using EnCase Enterprise to grab memory dumps. Then what
I've
>>> been doing is using FTK Imager to convert that to a DD image, and we
>>> run it through our regular tool. I run the same DD image through
>>> Volatility. I'm running Volatility on OS X Lion.
>>>
>>> Recently, I've noticed when I'm just doing an imageinfo with
>>> Volatility (both 2.0 and 2.1_alpha), I'm getting the following:
>>>
>>>
>>> Volatile Systems Volatility Framework 2.0
>>> Determining profile based on KDBG search...
>>>
>>> Suggested Profile(s) : No suggestion (Instantiated with no
>>> profile)
>>> AS Layer1 : FileAddressSpace (memory.bin)
>>> PAE type : No PAE
>>>
>>> So my first thought was is was an issue with converting an E01 to a DD
>>> image. So I ran a test on a standard Windows 7 build in our
>>> organization.
>>>
>>> 1) Do a memory collection with EnCase, convert to DD with FTK Imager
>>> 2) Do a memory collection with FDPro
>>> 3) Do a memory collection with DumpIt
>>>
>>> Run the imageinfo command in both Volatility 2.0 and the 2.1_alpha
>>> code, and the results were the same with one exception. With the 2.0
>>> code, and the DumpIt memory dump, I got the following:
>>>
>>>
>>> Volatile Systems Volatility Framework 2.0
>>> Determining profile based on KDBG search...
>>>
>>> Suggested Profile(s) : Win7SP0x64 (Instantiated with no
>>> profile)
>>> AS Layer1 : FileAddressSpace (memory.raw)
>>> PAE type : No PAE
>>>
>>> But if I try to run another command with --profile=Win7SP0x64 I get:
>>>
>>> Volatile Systems Volatility Framework 2.0
>>> ERROR : volatility.addrspace: Invalid profile Win7SP0x64 selected
>>>
>>> I'm just wondering if there's something funky with my Volatility
>>> installation, or if there could be something I need to check in our 7
>>> build that could be causing this.
>>>
>>> Thanks ahead of time,
>>> Tom
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
4:01 p.m.
Tom,
FDPro does work with Windows 7 (32 and 64-bit) with
the 2.1_alpha of
Volatility. So it may be how the Windows 7 box I'm using for testing is
configured. I'm going to fire up a Win7 VM that I have and run FDPro
against that and see what happens.
For what it's worth, please keep in mind that you could see different
acquisition behavior on a VM, as opposed to a physical machine. I have
never used FDPro, but I have received lots of reports of people having
issues in the past. Personally, I would never use it in a production
environment. When people are looking for a commercial acquisition tool, I
generally recommend George's kntdd. George has been doing "robust" memory
acquisition longer than anyone else in the industry and has an unsurpassed
understanding of the acquisition process.
Finally I did acquire the memory again with EnCase
Enterprise, but set
it up for no compression. I converted it to a DD image with FTK Imager
(command line version in this case) and it worked perfectly. So it looks
like the EnCase problem is being caused by the compression settings
(which I guess makes sense when I think about it). I tested that image
against both OS X and Ubuntu (with 2.1_alpha).
Previously, EnCase also had a lot of issues with their memory acquisition
as well. I've seen samples where critical pages were missing. I'm not sure
if any of those issues have been fixed.
Just a couple of things to keep in mind!
AW
4:42 p.m.
On Thu, Mar 8, 2012 at 3:01 PM, AAron Walters <awalters(a)4tphi.net> wrote:
For what it's worth, please keep in mind that you could see different
acquisition behavior on a VM, as opposed to a physical machine. I have never
used FDPro, but I have received lots of reports of people having issues in
the past. Personally, I would never use it in a production environment. When
people are looking for a commercial acquisition tool, I generally recommend
George's kntdd. George has been doing "robust" memory acquisition longer
than anyone else in the industry and has an unsurpassed understanding of the
acquisition process.
Yeah I know it'll be a bit different, but it's one more test I can do
at least. FDPro is what was available to me here (we use HB Gary
Responder in our environment), so that's why I was testing against
that.
I don't recall hearing of kntdd before (I might have but it doesn't
ring a bell), but I'll look at it. I'd have some other things to work
out in order to be able to use that on our network though (not related
to the tool itself).
Previously, EnCase also had a lot of issues with their memory acquisition as
well. I've seen samples where critical pages were missing. I'm not sure if
any of those issues have been fixed.
Are there any specific tests I can do to see if those issues were fixed?
Just a couple of things to keep in mind!
AW
Thank you for the info!
Tom
4:58 p.m.
Tom,
You have mentioned using a number of memory acquisition tools. I was
wondering how you evaluated these tools to determined their reliability
(or not). What was your test plan?
Regards,
gmg.
5:11 p.m.
Tom,
at least. FDPro is what was available to me here (we
use HB Gary
Responder in our environment), so that's why I was testing against that.
That does not sound like a fun environment ;) I guess it is a little
better than people who still use mdd. (Hopefully no one on this list still
uses mdd!).
I don't recall hearing of kntdd before (I might
have but it doesn't ring
a bell), but I'll look at it. I'd have some other things to work out in
order to be able to use that on our network though (not related to the
tool itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
Are there any specific tests I can do to see if those
issues were fixed?
I will try to dig up the emails. Some of the issue were related to pages
missing or being zero'd out. I mentioned it on the Volatility tumblr and
I was told there was a thread on the Guidance portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of physical
memory are being overwritten when a physical memory sample is acquired on
certain hardware configurations."
HTH,
AW
5:19 p.m.
Please note that there is an open source version of win32dd in
volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/w…
I have changed it a lot from the original so it exports a seekable
device now - you can run volatility directly on the live machine, and
also just dd the memory off from user space (and across the network or
whatever). I intend to add a couple of more acquisition methods to it
very shortly but this is already useful.
If you want to use it with 64 bit platforms you need to sign it of course.
Michael.
On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
Tom,
at least. FDPro is what was available to me here
(we use HB Gary
Responder in our environment), so that's why I was testing against that.
That does not sound like a fun environment ;) I guess it is a little better
than people who still use mdd. (Hopefully no one on this list still uses
mdd!).
I don't recall hearing of kntdd before (I
might have but it doesn't ring a
bell), but I'll look at it. I'd have some other things to work out in order
to be able to use that on our network though (not related to the tool
itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
Are there any specific tests I can do to see if
those issues were fixed?
I will try to dig up the emails. Some of the issue were related to pages
missing or being zero'd out. I mentioned it on the Volatility tumblr and I
was told there was a thread on the Guidance portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of physical
memory are being overwritten when a physical memory sample is acquired on
certain hardware configurations."
HTH,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 
12:03 p.m.
Tom,
I have done tests with fdpro 2.0.3.151 on a macbook pro running win7 sp1
x64 and have run volatility 2.1 alpha r1508 against it. Everything works
fine on my side. You said that your fdpro memory dump was a dd image. Have
you acquired memory with the hpak extension and then extract the memory
dump from the hpak format? Or you acquired directly memory with a .bin
extension?
Sebastien
Le 8 mars 2012 17:20, "Michael Cohen" <scudette(a)gmail.com> a écrit :
Please note that there is an open source version of
win32dd in
volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/w…
I have changed it a lot from the original so it exports a seekable
device now - you can run volatility directly on the live machine, and
also just dd the memory off from user space (and across the network or
whatever). I intend to add a couple of more acquisition methods to it
very shortly but this is already useful.
If you want to use it with 64 bit platforms you need to sign it of course.
Michael.
On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
and I
Tom,
better
at least. FDPro is what was available to me here
(we use HB Gary
Responder in our environment), so that's why I was testing against that.
That does not sound like a fun environment ;) I guess it is a little than people who still use mdd. (Hopefully no one
on this list still uses
mdd!).
> I don't recall hearing of kntdd before (I might have but it doesn't
ring a
> bell), but I'll look at it. I'd have
some other things to work out in
order
to be
able to use that on our network though (not related to the tool
itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
Are there any specific tests I can do to see if
those issues were fixed?
I will try to dig up the emails. Some of the issue were related to pages
missing or being zero'd out. I mentioned it on the Volatility tumblr was told there was a thread on the Guidance
portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of physical
memory are being overwritten when a physical memory sample is acquired on
certain hardware configurations."
HTH,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:18 p.m.
Sebastien,
In my testing I was acquiring with the .bin extension.
Tom
On Fri, Mar 9, 2012 at 11:03 AM, Sebastien Bourdon-Richard
<sebastienbr(a)gmail.com> wrote:
Tom,
I have done tests with fdpro 2.0.3.151 on a macbook pro running win7 sp1 x64
and have run volatility 2.1 alpha r1508 against it. Everything works fine on
my side. You said that your fdpro memory dump was a dd image. Have you
acquired memory with the hpak extension and then extract the memory dump
from the hpak format? Or you acquired directly memory with a .bin extension?
Sebastien
Le 8 mars 2012 17:20, "Michael Cohen" <scudette(a)gmail.com> a écrit :
Please note that there is an open source version
of win32dd in
volatility (with many bug fixes):
http://code.google.com/p/volatility/source/browse/branches/scudette/tools/w…
I have changed it a lot from the original so it exports a seekable
device now - you can run volatility directly on the live machine, and
also just dd the memory off from user space (and across the network or
whatever). I intend to add a couple of more acquisition methods to it
very shortly but this is already useful.
If you want to use it with 64 bit platforms you need to sign it of course.
Michael.
On 8 March 2012 23:11, AAron Walters <awalters(a)4tphi.net> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Tom,
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users at least. FDPro is what was available to me here
(we use HB Gary
Responder in our environment), so that's why I was testing against
that.
That does not sound like a fun environment ;) I guess it is a little
better
than people who still use mdd. (Hopefully no one on this list still uses
mdd!).
I don't recall hearing of kntdd before (I
might have but it doesn't
ring a
bell), but I'll look at it. I'd have some other things to work out in
order
to be able to use that on our network though (not related to the tool
itself).
It is definitely worth checking out. kntdd is by far the most robust
acquisition tool and George is a great guy (and member of this list ;).
Are there any specific tests I can do to see if
those issues were
fixed?
I will try to dig up the emails. Some of the issue were related to
pages
missing or being zero'd out. I mentioned it on the Volatility tumblr
and I
was told there was a thread on the Guidance portal. Granted, it was late
2008:
"In each instance, users have reported that critical sections of
physical
memory are being overwritten when a physical memory sample is acquired
on
certain hardware configurations."
HTH,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4633
days inactive
4635
days old
vol-users@lists.volatilityfoundation.org
12 comments
6 participants
participants (6)
-
AAron Walters -
George M. Garner J.r (online) -
Michael Cohen -
Michael Hale Ligh -
Sebastien Bourdon-Richard -
Tom Yarrish