Re: [Vol-users] Question

6 Mar 2013


      This is likely a false positive since it only shows up in psscan - psscan
is like a carver for processes so sometimes it gives a false positive.
Michael.
On 5 March 2013 19:29, Ayers, Robert &lt;roayers(a)pa.gov&gt; wrote:
...
  Anyone ever seen anything like this? It came out of a
WinXPSP3x86 ram
 capture.****
 ** **
 PCSXView results;****
 ** **
 Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss
 session deskthrd****
 ---------- -------------------- ------ ------ ------ -------- ------ -----
 ------- --------****
 0x0a074da0 X???E?P??(O'?     23...6 False  True   False    False  False
 False   False   ****
 ** **
 ** **
 PSSCan results;****
 ** **
 Offset(P)  Name                PID   PPID PDB        Time
 created                   Time exited                   ****
 ---------- ---------------- ------ ------ ----------
 ------------------------------ ------------------------------****
 0x0a074da0 X???E?P??(O'? 23...6 23...4
 0x8a274dc0                                                              **
 **
 ** **
 Thanks,****
 *Robert Ayers, *****
 ** **
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

Re: [Vol-users] Question