[Vol-users] diagnose problematic ram dump?
robdewhirst at gmail.com
Tue Nov 5 15:14:29 CST 2013
I have a Win7SP1x64 image with the following issues:
imageinfo never completes (this is as far as it gets)
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
PAE type : No PAE
DTB : 0x187000L
pslist shows no processes
netscan shows no connections.
I am using Volatility 2.3.1 on linux, but I have tried the standalone
windows exe with the same results.
Image was collected with winpmem 1.4.1, and I watched the capture. I
did not see any errors and it seemed to take about the right amount of
What would be my next steps to troubleshoot?
More information about the Vol-users