[Vol-users] diagnose problematic ram dump?

Michael Hale Ligh michael.hale at gmail.com
Tue Nov 5 17:14:22 CST 2013


Hi Rob,

I would suggest trying the two commands:

$ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 pslist

And

$ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 psscan

If neither of those has output, it's likely an acquisition issue. I would
recommend contacting Michael Cohen (scudette), the author and maintainer of
winpmem.

Cheers,
MHL


On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno at gmail.com> wrote:

> Which tool did you use to acquire?
>
> Sent from my droid --
> On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst at gmail.com> wrote:
>
>> I have a Win7SP1x64 image with the following issues:
>>
>>
>> imageinfo never completes (this is as far as it gets)
>>
>>
>> Determining profile based on KDBG search...
>>
>>           Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
>> Win7SP0x64, Win2008R2SP1x64
>>                      AS Layer1 : AMD64PagedMemory (Kernel AS)
>>                      AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
>>                       PAE type : No PAE
>>                            DTB : 0x187000L
>>
>>
>> pslist shows no processes
>> netscan shows no connections.
>>
>> I am using Volatility 2.3.1 on linux, but I have tried the standalone
>> windows exe with the same results.
>> Image was collected with winpmem 1.4.1, and I watched the capture.  I
>> did not see any errors and it seemed to take about the right amount of
>> time.
>>
>> What would be my next steps to troubleshoot?
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
>
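The reply above boils down to two checks on the image itself: does the DTB Volatility found (0x187000) actually look like a kernel page table, and does the image contain any of the _EPROCESS pool blocks that psscan carves for? The script below is an added example (not from this thread and not Volatility or winpmem code) that performs both checks directly on a raw image without needing a profile. It assumes a raw, unpadded dump where file offset equals physical address (as winpmem's .raw output is), a Windows 7 x64 target where the PML4 self-map lives at index 0x1ED, and the protected "Proc" pool tag (b"Pro\xe3") that psscan searches for on that OS. The sample image it builds is constructed for the demo; the helper names are hypothetical.

```python
"""Sanity checks for a raw x64 memory image when Volatility finds a DTB but
pslist/psscan print nothing.  Added example; not code from the thread,
Volatility, or winpmem.  Assumes: raw unpadded image (file offset == physical
address), Windows 7 x64 (PML4 self-map at index 0x1ED), protected 'Proc' tag."""
import struct

PAGE = 0x1000
PML4_SELF_REF_INDEX = 0x1ED   # fixed PML4 self-map slot on Windows 7 x64
PROC_POOL_TAG = b"Pro\xe3"    # 'Proc' with the protected-pool bit set; what psscan looks for on Win7
POOL_HEADER_TAG_OFF = 4       # PoolTag is 4 bytes into _POOL_HEADER
POOL_ALIGN = 16               # pool blocks are 16-byte aligned on x64
PFN_MASK = 0x000FFFFFFFFFF000 # physical frame bits of a page-table entry


def pml4_self_ref(image, dtb):
    """Index of the PML4 entry whose frame points back at dtb, or None.

    A real kernel DTB has exactly such a self-referencing entry; if it is
    missing, the DTB is wrong or the page holds something other than a PML4."""
    if dtb % PAGE or dtb + PAGE > len(image):
        return None
    for i in range(512):
        (entry,) = struct.unpack_from("<Q", image, dtb + i * 8)
        if entry & 1 and (entry & PFN_MASK) == dtb:
            return i
    return None


def scan_pool_tag(image, tag=PROC_POOL_TAG):
    """Physical offsets of _POOL_HEADERs carrying `tag`, honouring pool alignment
    (the same coarse filter a pool scanner applies before parsing the block)."""
    hits = []
    pos = image.find(tag)
    while pos != -1:
        hdr = pos - POOL_HEADER_TAG_OFF
        if hdr >= 0 and hdr % POOL_ALIGN == 0:
            hits.append(hdr)
        pos = image.find(tag, pos + 1)
    return hits


def zero_page_ratio(image):
    """Fraction of pages that are entirely zero; near 1.0 means the acquisition
    produced an empty file of the right size rather than real memory."""
    pages = len(image) // PAGE
    if pages == 0:
        return 1.0
    blank = sum(1 for p in range(pages) if not any(image[p * PAGE:(p + 1) * PAGE]))
    return blank / pages


def diagnose(image, dtb):
    """Combine the checks into a verdict a practitioner can act on."""
    self_ref = pml4_self_ref(image, dtb)
    hits = scan_pool_tag(image)
    zeros = zero_page_ratio(image)
    if self_ref is None and not hits:
        verdict = "no PML4 self-map and no Proc pool blocks: acquisition problem"
    elif self_ref is None:
        verdict = "DTB does not look like a PML4: try another DTB"
    elif not hits:
        verdict = "DTB plausible but no Proc pool blocks: check tag/OS assumptions"
    else:
        verdict = "ok"
    return {"self_ref_index": self_ref, "proc_hits": hits,
            "zero_page_ratio": zeros, "verdict": verdict}


def build_sample_image():
    """Constructed test image: a PML4 at 0x187000 with its self-map entry, one
    aligned Proc pool header at 0x1000 and one misaligned decoy at 0x2003."""
    img = bytearray(0x189000)
    dtb = 0x187000
    struct.pack_into("<Q", img, dtb + PML4_SELF_REF_INDEX * 8, dtb | 0x63)
    img[0x1000 + POOL_HEADER_TAG_OFF:0x1000 + POOL_HEADER_TAG_OFF + 4] = PROC_POOL_TAG
    img[0x2003 + POOL_HEADER_TAG_OFF:0x2003 + POOL_HEADER_TAG_OFF + 4] = PROC_POOL_TAG
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(diagnose(sample, 0x187000))          # constructed good image
    print(diagnose(bytes(len(sample)), 0x187000))  # all-zero image of the same size
```

Run it against a real dump with `diagnose(open(path, "rb").read(), 0x187000)` (or mmap the file for large images). If the all-zero branch or the "acquisition problem" verdict comes back on a dump that Volatility also cannot list processes from, that supports the reply's conclusion that the capture, not the profile, is at fault; if the self-map is present but the tag scan is empty, the more likely suspect is the OS or tag assumption rather than the acquisition.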