So here's what I got all...an image of a laptop running Windows 7 64
bit...image was captured using DumpIt in an admin console:
Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/jlay/Forensics/FMCCOMBS-20141203-153133.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0x1b430010a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80003002d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2014-12-03 15:31:47 UTC+0000
Image local date and time : 2014-12-03 08:31:47 -0700
Running "python vol.py -f ~/Forensics/FMCCOMBS-20141203-153133.raw
--profile Win7SP1x64 pslist"
gets me:
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
0xfffffa800694ab30 System 4 0 141 -1 1191132111 0 2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1 -1 1 -
And that's it. Any hints on just why this isn't showing any processes?
Volatility version is 2.4 running on Ubuntu 14 64 bit. Thank you.
James
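As an added example (not part of James's post and not Volatility code), a small Python sanity check over pslist rows: it re-joins the wrapped output above into one row per line and flags rows whose _EPROCESS fields are implausible, the pattern that typically appears when the ActiveProcessLinks walk dereferences invalid memory (wrong profile or KDBG, or a smeared acquisition). The MAX_THREADS and MAX_SESSION bounds are assumed thresholds, not Volatility values.

```python
import re
import string

# Sample input, constructed by re-joining the wrapped pslist output from the post (one row per line).
PSLIST_OUTPUT = """\
Offset(V)          Name             PID  PPID Thds Hnds Sess Wow64 Start                          Exit
0xfffffa800694ab30 System             4     0  141   -1 1191132111 0 2014-12-01 15:40:49 UTC+0000
0xfffffa800ae934f0 ?b?_?b?_?b?_?b?_ 1606836934 1606836934 1606836934 -1 -1 1 -
"""

# One pslist row: offset, name, six integer columns, Wow64 flag, then whatever Start/Exit text remains.
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>-?\d+)\s+(?P<ppid>-?\d+)\s+"
    r"(?P<thds>-?\d+)\s+(?P<hnds>-?\d+)\s+(?P<sess>-?\d+)\s+(?P<wow64>[01])\s*(?P<rest>.*)$"
)
NAME_CHARS = set(string.ascii_letters + string.digits + ".-_ ()")
MAX_THREADS = 10000   # assumed sanity bound; no real process comes near this
MAX_SESSION = 255     # assumed sanity bound for a terminal-services session id

def check_row(m):
    """Return the reasons one parsed pslist row looks like it was read from invalid memory."""
    reasons = []
    if any(c not in NAME_CHARS for c in m["name"]):
        reasons.append("ImageFileName contains unexpected bytes")
    pid, ppid, thds, hnds, sess = (int(m[k]) for k in ("pid", "ppid", "thds", "hnds", "sess"))
    for label, value in (("PID", pid), ("PPID", ppid)):
        # Windows process ids are non-negative multiples of 4 (0 = Idle, 4 = System).
        if value < 0 or value % 4:
            reasons.append(f"{label} {value} is not a valid Windows process id")
    if not 0 <= thds <= MAX_THREADS:
        reasons.append(f"thread count {thds} is implausible")
    if hnds < 0:
        reasons.append("handle table could not be read (Hnds -1)")
    if sess > MAX_SESSION:
        reasons.append(f"session id {sess} is implausible")
    if m["rest"].strip() in ("", "-"):
        reasons.append("no creation time could be read")
    return reasons

def triage_pslist(text):
    """Map each _EPROCESS offset in pslist text to its anomalies (empty list = looks sane)."""
    findings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:   # the header line and blank lines do not match
            findings[m["offset"]] = check_row(m)
    return findings

if __name__ == "__main__":
    for offset, reasons in triage_pslist(PSLIST_OUTPUT).items():
        print(offset, "OK" if not reasons else "; ".join(reasons))
```

Even the System row is flagged here (unreadable handle table, nonsense session id), which points at the structure layout or KDBG being wrong for this image rather than at a single corrupt entry.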
We are happy to announce that we now have several 2015 public trainings
scheduled across the USA as well as in Europe. Full details can be found
at the following link:
http://www.memoryanalysis.net/#!memory-forensics-training/c1q3n
Our schedule for next year is getting pretty full, so please contact us ASAP
if you are interested in a private training or in us hosting a public
training in your area.
--
Thanks,
Andrew (@attrc)