AW: [Vol-users] Volatility Call for Bugs

Michael Felber , Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Tue Jul 7 06:18:36 CDT 2009


Hello Aaron,

nice to hear that a RAM forensics geek like Jesse takes part in the
Volatility project.

So I'll follow your call and report a possible bug:

I assume that the hiberfil decompression plug-in does not work fully
correctly. Currently I use the SVN version of Volatility.

I had already posted the differences between an X-Ways-Forensics-decompressed
hibernation file and an SVN-release-decompressed one, both mapped with X-Ways
Forensics.
I am sorry that I am not allowed to provide the original files for testing. You
have to be content with my poor tests. But if you want me to do further
tests, please don't hesitate.

Today I took volatility itself to verify that issue:

A piped output of the files command has 950 lines (vol) or 1119 lines
(XWF). (q&d, ok)

The vol version contains garbled file handles like

File   [a long line of \x00]

File   \u8b10\uff01\u4090\u8b00\u8b1c8\u2454\u8b1c\uff01

Or definitely corrupted PIDs

Pid: 3810479584
************************************************************************
Pid: 1095783255
************************************************************************
Pid: 3925770345
************************************************************************
Pid: 2768774260
************************************************************************

The XWF-decompressed version inspires more confidence, without strange
entries.

The pslist command generated large negative handle counts or far too huge
numbers of handles for some processes in the vol version but not for those in
the XWF version. For the corrupted processes within the vol version it is not
possible to dump the memmap (error message attached), but for the same PID in
the XWF version it works fine.

The number of recognized processes (72) is identical in both files.

IMHO Volatility does not decompress the hiberfil.sys properly.

Does anybody have a clue about some kind of integrity testing of a memory dump?

Cu

Michael
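A plausibility check of the kind the mail asks about, as an added example that is neither part of this thread nor Volatility's own code: it parses a pslist-style listing and flags the symptoms described above (PIDs that are negative, out of range or not multiples of 4, negative or huge thread/handle counts, unprintable process names). The sample listing is constructed, the column layout "Name Pid PPid Thds Hnds" and the MAX_PID / MAX_COUNT thresholds are assumptions for this example.

```python
import re
import string

# Constructed pslist-style listing (not real Volatility output); the
# "Name Pid PPid Thds Hnds" column layout is an assumption for this example.
# The 4th and 5th rows mimic the corrupted entries described in the mail.
SAMPLE_LISTING = """\
System                4      0   57    300
smss.exe            368      4    3     21
csrss.exe           564    368   11    500
\x00\x00\x00 3810479584      0    1 4294967295
explorer.exe 1095783255    564   12 -2147483000
services.exe        668    612   16    280
"""

LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>-?\d+)\s+(?P<ppid>-?\d+)"
    r"\s+(?P<thds>-?\d+)\s+(?P<hnds>-?\d+)\s*$")

MAX_PID = 2**31 - 1    # assumption: a PID above this is treated as garbage
MAX_COUNT = 100_000    # assumption: thread/handle counts above this are garbage
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def parse_listing(text):
    """Parse the listing into (name, pid, ppid, thds, hnds) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["name"], int(m["pid"]), int(m["ppid"]),
                         int(m["thds"]), int(m["hnds"])))
    return rows


def check_process(name, pid, ppid, thds, hnds):
    """Return the list of plausibility problems found in one process row."""
    problems = []
    # Windows NT process IDs are non-negative multiples of 4.
    for label, value in (("pid", pid), ("ppid", ppid)):
        if value < 0 or value > MAX_PID or value % 4:
            problems.append("implausible %s %d" % (label, value))
    for label, value in (("threads", thds), ("handles", hnds)):
        if value < 0 or value > MAX_COUNT:
            problems.append("implausible %s count %d" % (label, value))
    if not name.strip() or any(c not in PRINTABLE for c in name):
        problems.append("unprintable name %r" % name)
    return problems


def suspicious_pids(text):
    """PIDs of all rows that fail at least one plausibility check."""
    return [row[1] for row in parse_listing(text) if check_process(*row)]


if __name__ == "__main__":
    for row in parse_listing(SAMPLE_LISTING):
        for problem in check_process(*row):
            print("pid %d: %s" % (row[1], problem))
```

Running the same checks over the listings from both decompressed files and comparing the flagged PID sets localises which entries differ between them.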

-----Original Message-----
From: vol-users-bounces at volatilityfoundation.org
[mailto:vol-users-bounces at volatilityfoundation.org] On behalf of AAron Walters
Sent: Monday, 6 July 2009 06:32
To: vol-users at volatilityfoundation.org
Subject: [Vol-users] Volatility Call for Bugs


Jesse Kornblum, our favorite geek raised by wolves, has graciously agreed 
to help prepare the next release of Volatility.  Please take some time and 
report any bugs you may have encountered. It's great to see people willing 
to step up and contribute back to the community! Remember, Volatility is 
powered by the people! If you are waiting for something to get worked on, 
it will get done a lot faster the more you are willing to contribute. 
Shouts to Jesse!

http://jessekornblum.livejournal.com/253092.html

Thanks,

AW
_______________________________________________
Vol-users mailing list
Vol-users at volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: error.zip
Type: application/octet-stream
Size: 541 bytes
Desc: not available
Url : https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20090707/407357c2/error.obj