Output attached as text file. Pslist=nope, psscan found some but not
all of the processes.
On Tue, Nov 5, 2013 at 5:14 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
  Hi Rob,
 I would suggest trying the two commands:
 $ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 pslist
 And
 $ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 psscan
 If neither of those has output, it's likely an acquisition issue. I would
 recommend contacting Michael Cohen (scudette), the author and maintainer of
 winpmem.
 Cheers,
 MHL
 On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno(a)gmail.com> wrote:
 Which tool did you use to acquire?
 Sent from my droid --
 On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst(a)gmail.com> wrote:
 I have a Win7SP1x64 image with the following issues:
 imageinfo never completes (this is as far as it gets)
 Determining profile based on KDBG search...
           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                      AS Layer1 : AMD64PagedMemory (Kernel AS)
                      AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
                       PAE type : No PAE
                            DTB : 0x187000L
 pslist shows no processes
 netscan shows no connections.
 I am using Volatility 2.3.1 on linux, but I have tried the standalone
 windows exe with the same results.
 Image was collected with winpmem 1.4.1, and I watched the capture.  I
 did not see any errors and it seemed to take about the right amount of
 time.
 What would be my next steps to troubleshoot?
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 