Hi Kim,
In this case, it's not the overlays. I can tell because the details for the
two processes you /do/ see from psscan are all okay. If a bad overlay
was the issue, your results would be all or nothing.
Cheers - I may follow up with you off-list to offer a little other advice.
Thanks,
Michael
On 7/25/16 11:40 AM, Kim Palechek wrote:
  I don’t have access to the machine, but I’m sure our forensics guys do, as
  they were the ones who retrieved the image for us. I’ll discuss with Steve
  what he wants to do or if he wants to acquire another image.
  Thank you so much for getting back to me so quickly and for your help! I
  wasn’t sure if it was another issue with the overlays and x64 machines.
 Kim Palechek, CISSP, CEH
 IT Security Operations Specialist, (Information Security, Risk and Compliance)
 3M Information Technology
 3M Center, Bldg, 0224-04-E-21
 Phone: 736-6526
 kspalechek(a)mmm.com
 The absence of evidence is not the evidence of absence.
 On 7/25/16, 11:15 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
     Hi Kim,
     Yes, unfortunately we're only able to enumerate 1 process in the linked
     list. This typically happens when the acquisition tool fails to acquire
     one or more pages of memory containing the necessary puzzle pieces (or
     "links"). In some cases, if it's a minor smearing issue, you can still
     salvage some data by using psscan, which does a brute force scan of the
     entire memory dump for processes (even if they aren't linked). However,
     I noticed your psscan results only had 2 entries. This means the
     acquisition tool failed to acquire a whole lot more than just a couple
     pages. In the past, we've seen that happen quite a bit with DumpIt, FTK
     Imager, and Memoryze.
     Do you still have access to the suspect machine by any chance?
     Thanks,
     Michael
     On 7/25/16 11:07 AM, Kim Palechek wrote:
  Thank you so much for getting back so quickly.
  Below are the results of the kdbgscan. EnCase is the tool used for acquisition.
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP1x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win7SP0x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP1x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 **************************************************
 Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
 Offset (V)                    : 0xf80001dfa110
 Offset (P)                    : 0x1dfa110
 KDBG owner tag check          : True
 Profile suggestion (KDBGHeader): Win2008R2SP0x64
 Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
 Service Pack (CmNtCSDVersion) : 1
 Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
 PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
 PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
 KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
 Major (OptionalHeader)        : 6
 Minor (OptionalHeader)        : 1
 KPCR                          : 0xfffff80001dfbd00 (CPU 0)
 On 7/25/16, 10:53 AM, "Michael Ligh" <michael.ligh(a)mnin.org> wrote:
     Hi Kim,
     Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the
     results?
     Also, do you know what tool was used for acquisition? My gut feeling is
     this is probably related to a bad capture, but I'll wait on the kdbgscan
     results to tell for sure.
     Thanks,
     Michael
     On 7/25/16 7:42 AM, Kim Palechek wrote:
  I need some assistance with an issue that I recently came across. I am
  trying to run Volatility plugins against the image Win2008R2SP1x64 and
  it doesn’t seem to be providing complete information. Below are a few
  examples. Any ideas on the ‘lack of information’?
  $ vol.py pstree
  Volatility Foundation Volatility Framework 2.5
  Name                                                  Pid   PPid   Thds   Hnds Time
  -------------------------------------------------- ------ ------ ------ ------ ----
  0xfffffa8024e15040:                                    0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  $ vol.py psscan
  Volatility Foundation Volatility Framework 2.5
  Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
  ------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
  0x00000000023551b0 conhost.exe       13692    372 0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
  0x000000000235b060 WmiPrvSE.exe       4540    636 0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  $ vol.py pslist
  Volatility Foundation Volatility Framework 2.5
  Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
  ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
  0xfffffa8024e15040                           0      0      0 -------- ------      0