[Vol-users] No shimcache data found

Brian Keefer chort at effu.se
Wed Jun 19 16:52:15 CDT 2013


Excellent paper. Thanks for pointing that out.

--
chort



On Jun 19, 2013, at 2:38 PM, Michael Hale Ligh wrote:

> I'd suggest reading the paper, it explains all of this and more (windows internals expertise not required)
> 
> http://dfrws.org/2008/proceedings/p26-dolan-gavitt.pdf
> 
> MHL
> 
> 
> On Wed, Jun 19, 2013 at 12:30 PM, Brian Keefer <chort at effu.se> wrote:
> I look at mostly Win7/64 systems and have always found shimcache data in memory images before. In the last several weeks only about 50% of the images I looked at had it. I'm running a 2.3 alpha build from a month or two ago (have been all this time).
> 
> While not strictly a Volatility issue, could someone explain under what circumstances the data wouldn't be available? I'm not a Windows internals expert (yet, I have part 1 and part 2 on my bookshelf, waiting...)
> 
> Thanks!
> 
> --
> chort
> 
> 
> 
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20130619/e424de9a/attachment.html


More information about the Vol-users mailing list