4:14 p.m.
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
6:08 p.m.
Which tool did you use to acquire?
Sent from my droid --
On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst(a)gmail.com> wrote:
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
6:14 p.m.
Hi Rob,
I would suggest trying the two commands:
$ python vol.py -f <FILE> --profile= Win7SP1x64 --dtb=0x187000 pslist
And
$ python vol.py -f <FILE> --profile= Win7SP1x64 --dtb=0x187000 psscan
If neither of those have output, its likely an acquisition issue. I would
recommend contacting Michael Cohen (scudette), the author and maintainer of
winpmem.
Cheers,
MHL
On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Which tool did you use to acquire?
Sent from my droid --
On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst(a)gmail.com> wrote:
I have a Win7SP1x64 image with the following
issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
7:49 p.m.
output attached as text file. Pslist=nope, psscan found some but not
all of the processes
On Tue, Nov 5, 2013 at 5:14 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hi Rob,
I would suggest trying the two commands:
$ python vol.py -f <FILE> --profile= Win7SP1x64 --dtb=0x187000 pslist
And
$ python vol.py -f <FILE> --profile= Win7SP1x64 --dtb=0x187000 psscan
If neither of those have output, its likely an acquisition issue. I would
recommend contacting Michael Cohen (scudette), the author and maintainer of
winpmem.
Cheers,
MHL
On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Which tool did you use to acquire?
Sent from my droid --
On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst(a)gmail.com> wrote:
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
time.
What would be my next steps to troubleshoot?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4:49 a.m.
Hi Rob,
It looks to me like volatility can not find the correct kdbg
location. Can you please also try the kdbgscan module? When you
acquired the image did you use the default mode ("physical" - maps
\\.\PhysicalMemory device)?
Thanks
Michael.
12:20 p.m.
kdbgscan had no results. When we acquired we used the default mode -
winpmem.exe file.raw
I can probably share this 5GB dump with individuals if that helps, so
long as it doesn't end up in some public corpus.
On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette(a)gmail.com> wrote:
Hi Rob,
It looks to me like volatility can not find the correct kdbg
location. Can you please also try the kdbgscan module? When you
acquired the image did you use the default mode ("physical" - maps
\\.\PhysicalMemory device)?
Thanks
Michael.
9:54 p.m.
Rob,
I have looked at your dump and found a weird thing. Your memory dump seems
to be bigger than it should be.
The memory range of your dump is
Start
End
0x1000
0x9F000
0x100000
0xCFDFF000
0x100000000
0x128000000
So the total size of memory dump should be 4 966 055 936 bytes (i.e:
0x128000000).
However, the size of your memory dump is 4 967 100 416 bytes.
Maybe I'm missing something but it seems that Rob's memory dump have 1020KB
more data in it (i.e: 1 044 480 bytes)...
Any ideas why? Could it be an ASCII FTP transfer problem?
Sebastien
On Wed, Nov 6, 2013 at 12:20 PM, Dewhirst, Rob <robdewhirst(a)gmail.com>wrote:
kdbgscan had no results. When we acquired we used the
default mode -
winpmem.exe file.raw
I can probably share this 5GB dump with individuals if that helps, so
long as it doesn't end up in some public corpus.
On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette(a)gmail.com> wrote:
Hi Rob,
It looks to me like volatility can not find the correct kdbg
location. Can you please also try the kdbgscan module? When you
acquired the image did you use the default mode ("physical" - maps
\\.\PhysicalMemory device)?
Thanks
Michael.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4025
days inactive
4027
days old
vol-users@lists.volatilityfoundation.org
6 comments
5 participants
participants (5)
-
Andrew Case -
Dewhirst, Rob -
Michael Cohen -
Michael Hale Ligh -
Sebastien Bourdon-Richard