[Vol-users] diagnose problematic ram dump?

Andrew Case atcuno at gmail.com
Tue Nov 5 17:08:42 CST 2013


Which tool did you use to acquire?

Sent from my droid --
On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst at gmail.com> wrote:

> I have a Win7SP1x64 image with the following issues:
>
>
> imageinfo never completes (this is as far as it gets)
>
>
> Determining profile based on KDBG search...
>
>           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
> Win7SP0x64, Win2008R2SP1x64
>                      AS Layer1 : AMD64PagedMemory (Kernel AS)
>                      AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
>                       PAE type : No PAE
>                            DTB : 0x187000L
>
>
> pslist shows no processes
> netscan shows no connections.
>
> I am using Volatility 2.3.1 on Linux, but I have tried the standalone
> Windows exe with the same results.
> Image was collected with winpmem 1.4.1, and I watched the capture.  I
> did not see any errors and it seemed to take about the right amount of
> time.
>
> What would be my next steps to troubleshoot?