I am aware of the tech preview tools (that I learned about sitting in
scudette's class no less!) but I haven't had enough "stick time" with
them to trust a remote user running a dump for me with them.
On Tue, Oct 30, 2012 at 7:47 PM, alex pease <alex.pease(a)gmail.com> wrote:
http://volatility.googlecode.com/files/volatility-3.0-tp2.zip
Not that I am saying use a different imager.
I know scudette didn't write that all you need to do is run his tool. If I
remember right it is winpmem.exe -o file.mem, and you have a raw memory
dump.
Dumpit likes to deadlock systems.
On Tuesday, October 30, 2012, Dewhirst, Rob wrote:
>
> I know I have the right profile but hearing something like this makes
> me question the image. I took a new image with a different tool and
> can now dump the process without error.
>
> FWIW I used Dumpit for the first image and FTK Imager for the second.
>
> On Tue, Oct 30, 2012 at 11:47 AM, Michael Cohen <scudette(a)gmail.com>
> wrote:
> > Rob,
> > According to the psscan output you posted the PDB (Process directory
> > base) is 0xcf3392c0. This is clearly an invalid address since a DTB is
> > always aligned on page boundaries.
> >
> > Can you dump other processes from this image? Is it possible that you
> > don't have the correct profile chosen for your image?
> >
> > Michael.
> >
> > On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
> >> The process doesn't appear to have exited based on pslist (and it was
> >> still generating network traffic while I dumped ram)
> >>
> >> Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
> >> ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
> >> 0x8b3802a8 System 4 0 127 -------- ------ 0
> >> 0x89be3290 smss.exe 312 4 2 -------- ------ 0 2012-10-26 02:29:26
> >> [...]
> >> 0x89b1e020 redactedxx.e 1684 432 15 -------- ------ 0 2012-10-26 02:29:39
> >>
> >> Don't know if this helps
> >>
> >> psxview
> >>
> >> Volatile Systems Volatility Framework 2.2
> >> Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
> >> ---------- -------------------- ------ ------ ------ -------- ------- -----
> >> 0x09b17b70 svchost.exe 2632 True True False False False
> >> [...]
> >> 0x09b1e020 redactedxx.e 1684 True True False False False
> >>
> >> psscan
> >>
> >> sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f ~/Desktop/image.raw --profile Win2003SP2x86 psscan
> >> Volatile Systems Volatility Framework 2.2
> >> Offset(P) Name PID PPID PDB Time created Time exited
> >> ---------- ---------------- ------ ------ ---------- -------------------- --------------------
> >> 0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39
> >>
> >>
> >> On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh
> >> <michael.hale(a)gmail.com> wrote:
> >>> This means that the DTB (page directory) for the process doesn't appear
> >>> valid, which is typically because the process has exited (although the
> >>> _EPROCESS structure itself may still exist, its page tables can be
> >>> corrupt).
> >>> Can you check the exit time for this process with pslist or psscan?
> >>>
> >>> MHL
> >>>
> >>> On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
> >>>>
> >>>> Have never seen this error when trying to dump a process. Any
> >>>> suggestions? tried -u as well with the same results.
> >>>>
> >>>> vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
> >>>> Volatile Systems Volatility Framework 2.2
> >>>> Process(V) ImageBase Name Result
> >>>> ---------- ---------- -------------------- ------
> >>>> 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS
> >>>> _______________________________________________
> >>>> Vol-users mailing list
> >>>> Vol-users(a)volatilityfoundation.org
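The two checks the thread walks through (an exit time in psscan, and a PDB/DTB that is not on a page boundary) as a small triage script; this is an added example, not code from the thread or from Volatility, and it assumes the psscan column layout shown above and a constructed sample of that output.

```python
import re

# One data row of Volatility 2.2 "psscan" output: Offset(P) Name PID PPID PDB "Time created" "Time exited"
_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<pdb>0x[0-9a-fA-F]+)\s*(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)?"
    r"\s*(?P<exited>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)?\s*$"
)

def parse_psscan(text):
    """Return one dict per process row; banner, header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"], d["ppid"], d["pdb"] = int(d["pid"]), int(d["ppid"]), int(d["pdb"], 16)
            rows.append(d)
    return rows

def triage(rows, dtb_align=0x1000, image_size=None):
    """Map PID -> reasons a process address space may not be buildable.
    dtb_align: 0x1000 for a non-PAE x86 page directory (the boundary the thread names);
    PAE kernels point CR3 at a 32-byte aligned PDPT, so pass 0x20 for those images.
    image_size: optional byte size of captured RAM; a DTB beyond it is unreadable anyway."""
    findings = {}
    for r in rows:
        reasons = []
        if r["exited"]:
            reasons.append("process has exited (page tables may be torn down)")
        if r["pdb"] % dtb_align:
            reasons.append("DTB 0x%08x not aligned to 0x%x" % (r["pdb"], dtb_align))
        if image_size is not None and r["pdb"] >= image_size:
            reasons.append("DTB 0x%08x lies beyond the %d-byte image" % (r["pdb"], image_size))
        if reasons:
            findings[r["pid"]] = reasons
    return findings

# Constructed sample: offsets, PIDs and times are invented except the 0xcf3392c0 DTB from the thread.
SAMPLE = """\
Volatile Systems Volatility Framework 2.2
 Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x09b17b70 svchost.exe        2632    432 0x0a3c0000 2012-10-26 02:29:30
0x09b1e020 redactedxx.e       1684    432 0xcf3392c0 2012-10-26 02:29:39
0x09c40da0 notepad.exe        2980   1212 0x0b1e4000 2012-10-26 03:10:01 2012-10-26 03:12:44
"""
```

Running `triage(parse_psscan(SAMPLE))` flags PID 1684 for its misaligned DTB and PID 2980 for having exited, while the svchost row passes; feed it real psscan output to find the rows procexedump will reject before trying to dump them.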