[Vol-users] No shimcache data found

Michael Hale Ligh michael.hale at gmail.com
Wed Jun 19 16:38:41 CDT 2013


I'd suggest reading the paper, it explains all of this and more (windows
internals expertise not required)

http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf

MHL


On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort at effu.se> wrote:

> I look at mostly Win7/64 systems and have always found shimcache data in
> memory images before. In the last several weeks only about 50% of the
> images I looked at had it. I'm running a 2.3 alpha build from a month or
> two ago (have been all this time).
>
> While not strictly a Volatility issue, could someone explain under what
> circumstances the data wouldn't be available? I'm not a Windows internals
> expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
>
> Thanks!
>
> --
> chort
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130619/d4585fe2/attachment.html


More information about the Vol-users mailing list