Here is imageinfo: C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd imageinfo Volatile Systems Volatility Framework 2.1 Determining profile based on KDBG search... Suggested Profile(s) : VistaSP1x86, Win2008SP1x86,

VistaSP2x86 AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) AS Layer2 : FileAddressSpace (G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd) PAE type : PAE DTB : 0x122000L KDBG : 0x8193ec90L Number of Processors : 2 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0x8193f800L KPCR for CPU 1 : 0x803d1000L KUSER_SHARED_DATA : 0xffdf0000L Image date and time : 2010-10-26 18:35:11 UTC+0000 Image local date and time : 2010-10-26 14:35:11 -0400 Here is the complete output of kdbgscan: Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008SP1x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): VistaSP1x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): VistaSP2x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) ************************************************** Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit) Offset (V) : 0x8193ec90 Offset (P) : 0x193ec90 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win2008SP2x86 Version64 : 0x8193ec68 (Major: 15, Minor: 6001) Service Pack (CmNtCSDVersion) : 1 Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0 PsActiveProcessHead : 0x81954990 (0 processes) PsLoadedModuleList : 0x8195ec70 (0 modules) KernelBase : 0x81847000 (Matches MZ: True) Major (OptionalHeader) : 6 Minor (OptionalHeader) : 0 KPCR : 0x8193f800 (CPU 0) KPCR : 0x803d1000 (CPU 1) I also tried providing the kdbg value on the command line and got: C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 --kdbg=0x8193ec90L pslist Volatile Systems Volatility Framework 2.1 Usage: Volatility - A memory forensics analysis platform. volatility-2.1.standalone.exe: error: option --kdbg: invalid integer

'0x8193ec90L' Is that an indication of an invalid memory address? Thanks! Jon On Wed, Aug 22, 2012 at 12:30 PM, Andrew Case <atcuno(a)gmail.com> wrote: > > From your original post: > > PsActiveProcessHead : 0x81954990 (0 processes) > PsLoadedModuleList : 0x8195ec70 (0 modules) > > That is not good ... 0 processes off activeprocesshead > > Do you only get one result from kdbgscan? Can you try just running the > 'imageinfo' plugin on your image (don't give it --profile), and send > me the results? > > On Wed, Aug 22, 2012 at 11:27 AM, Jon Nelson <dotcop(a)gmail.com> wrote: > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 > > kdbgscan > > > > and... > > > > C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f > > G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86

> > > > On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com>

> >> > >> Can you paste the command line invocation you are running Vol with? > >> > >> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com>

> >> > I am using the 2.1 Windows standalone exe. > >> > > >> > I have a dd image of memory from the subject operating system and > >> > when I > >> > try > >> > to use pslist with the Win2008SP1x86 profile I get the following > >> > errors: > >> > > >> > Traceback (most recent call last): > >> > File "<string>", line 185, in <module> > >> > File "<string>", line 176, in main > >> > File > >> > > >> >

> >> > line 111, in execute > >> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in > >> > render_text > >> > File > >> > > >> > > >> >

> >> > line 72, in pslist > >> > File > >> > "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", > >> > line 40, in processes > >> > AttributeError: Could not list tasks, please verify your --profile > >> > with > >> > kdbgscan > >> > > >> > > >> > When I try to verify my profile with kdbgscan I get the following