Hi Kim,
Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the
results?
Also, do you know what tool was used for acquisition? My gut feeling is
this is probably related to a bad capture, but I'll wait on the kdbgscan
results to tell for sure.
Thanks,
Michael
On 7/25/16 7:42 AM, Kim Palechek wrote:
I need some assistance with an issue that I recently came across. I am
trying to run volatility plugins against the image Win2008R2SP1x64 and
it doesn't seem to be providing complete information. Below are a few
examples. Any ideas on the 'lack of information'?
$ vol.py pstree
Volatility Foundation Volatility Framework 2.5
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0xfffffa8024e15040:                                    0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ vol.py psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00000000023551b0 conhost.exe       13692    372 0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
0x000000000235b060 WmiPrvSE.exe       4540    636 0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ vol.py pslist
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8024e15040                           0      0      0 -------- ------      0
Kim Palechek, CISSP, CEH
IT Security Operations Specialist (Information Security, Risk and Compliance)
3M Information Technology
3M Center, Bldg. 0224-04-E-21
Phone: 736-6526
kspalechek(a)mmm.com
The absence of evidence is not the evidence of absence.
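Added example for this thread (editor's code, not Volatility's and not anything either poster ran): two quick checks on the raw image that help decide whether Michael's "bad capture" suspicion holds before re-running kdbgscan. The first counts all-zero 4 KiB pages, since a pslist/pstree that returns a single blank entry (PID 0, no threads, 1970 epoch timestamp) is what the list walk produces when it lands on zeroed memory. The second is a minimal physical scan for the KDBG header, approximating what kdbgscan's needle does. The needle bytes (upper four bytes of a kernel pointer, the `KDBG` owner tag, a plausible header size, with 0x340 as the size I expect for Win7/2008R2 x64) are my assumptions from the `_DBGKD_DEBUG_DATA_HEADER64` layout, not something the thread states; the sample image the self-test builds is constructed, with made-up pointer values.

```python
#!/usr/bin/env python3
"""Sanity checks on a raw memory image before trusting Volatility's process listings.

Added example for this thread, not Volatility code. Checks:
  1. zero_page_census: how many 4 KiB pages are entirely zero. A capture that
     is largely zeros is consistent with pslist/pstree returning one blank entry.
  2. scan_kdbg: a chunked physical scan for the KDBG header, roughly what
     kdbgscan does. The needle and size list are assumptions (see lead-in).
"""
import os
import struct
import sys
import tempfile

PAGE = 4096
# _DBGKD_DEBUG_DATA_HEADER64: LIST_ENTRY64 List (16 bytes) | ULONG OwnerTag | ULONG Size
# The needle starts at the upper 4 bytes of List.Blink (header offset 12), so a
# needle hit at position p means the header begins at p - 12. (Assumed layout.)
KDBG_SIG = b"\x00\xf8\xff\xffKDBG"
SIG_TO_HEADER = 12
# Plausible header sizes; 0x340 is what I expect for Win7/2008R2 x64 (assumption).
KDBG_SIZES = {0x290, 0x2c0, 0x300, 0x328, 0x340, 0x360}


def zero_page_census(path, page=PAGE):
    """Return (total_pages, zero_pages) for a raw image, read one page at a time."""
    total = zero = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(page)
            if not chunk:
                break
            total += 1
            if not chunk.strip(b"\x00"):   # every byte is 0x00
                zero += 1
    return total, zero


def scan_kdbg(path, chunk_size=4 * 1024 * 1024):
    """Return [(physical_header_offset, size)] for every needle hit with a plausible size.

    Reads the image in chunks and carries the last len(needle)+3 bytes over so a
    header straddling a chunk boundary is still found exactly once.
    """
    hits = []
    need = len(KDBG_SIG) + 4          # needle plus the 4-byte Size field
    carry, carry_base = b"", 0        # carry_base: file offset of carry[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk_size)
            if not data:
                break
            buf = carry + data
            pos = buf.find(KDBG_SIG)
            while pos != -1:
                if pos + need <= len(buf) and carry_base + pos >= SIG_TO_HEADER:
                    size = struct.unpack_from("<I", buf, pos + len(KDBG_SIG))[0]
                    if size in KDBG_SIZES:
                        hits.append((carry_base + pos - SIG_TO_HEADER, size))
                pos = buf.find(KDBG_SIG, pos + 1)
            keep = buf[-(need - 1):] if len(buf) >= need - 1 else buf
            carry_base += len(buf) - len(keep)
            carry = keep
    return hits


def build_test_image(path=None, pages=64, zero_from=40, header_page=5, header_in_page=0x100):
    """Constructed sample image (not a real capture): filler pages, then zero pages,
    with a synthetic KDBG header planted in header_page. Pointer values are made up."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".raw")
        os.close(fd)
    img = bytearray(b"\x41" * (zero_from * PAGE) + b"\x00" * ((pages - zero_from) * PAGE))
    header_off = header_page * PAGE + header_in_page
    fake_ptr = 0xFFFFF80001A3C0A0   # little-endian upper bytes are 00 f8 ff ff
    header = struct.pack("<QQ", fake_ptr, fake_ptr) + b"KDBG" + struct.pack("<I", 0x340)
    img[header_off:header_off + len(header)] = header
    with open(path, "wb") as f:
        f.write(bytes(img))
    return path, header_off


def main(argv):
    if len(argv) != 2:
        print("usage: %s <raw memory image>" % argv[0])
        return 2
    total, zero = zero_page_census(argv[1])
    print("pages: %d, all-zero: %d (%.1f%%)" % (total, zero, 100.0 * zero / max(total, 1)))
    for off, size in scan_kdbg(argv[1]):
        print("KDBG candidate at physical offset 0x%x (header size 0x%x)" % (off, size))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A high zero-page percentage does not by itself prove a bad capture (free pages are zero on a quiet box), but a capture where kdbgscan finds nothing and most pages are zero is worth re-acquiring before spending time on profiles. Candidate offsets should agree with what kdbgscan prints for the same image.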