[Vol-users] diagnose problematic ram dump?
Michael Hale Ligh
michael.hale at gmail.com
Tue Nov 5 17:14:22 CST 2013
I would suggest trying the two commands:
$ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 pslist
$ python vol.py -f <FILE> --profile=Win7SP1x64 --dtb=0x187000 psscan
If neither of those has output, it's likely an acquisition issue. I would
recommend contacting Michael Cohen (scudette), the author and maintainer of
On Tue, Nov 5, 2013 at 6:08 PM, Andrew Case <atcuno at gmail.com> wrote:
> Which tool did you use to acquire?
> Sent from my droid --
> On Nov 5, 2013 4:14 PM, "Dewhirst, Rob" <robdewhirst at gmail.com> wrote:
>> I have a Win7SP1x64 image with the following issues:
>> imageinfo never completes (this is as far as it gets)
>> Determining profile based on KDBG search...
>> Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64,
>> Win7SP0x64, Win2008R2SP1x64
>> AS Layer1 : AMD64PagedMemory (Kernel AS)
>> AS Layer2 : FileAddressSpace (/data/8564/8564.raw)
>> PAE type : No PAE
>> DTB : 0x187000L
>> pslist shows no processes
>> netscan shows no connections.
>> I am using Volatility 2.3.1 on linux, but I have tried the standalone
>> windows exe with the same results.
>> Image was collected with winpmem 1.4.1, and I watched the capture. I
>> did not see any errors and it seemed to take about the right amount of
>> What would be my next steps to troubleshoot?
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
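A complementary check on the image file itself, added here as an example and not part of the original thread or of Volatility: it reads the page at the reported DTB (0x187000) and samples the file for zero-filled pages. It assumes a raw, padded image in which file offset equals physical address, and that Windows 7 x64 keeps its PML4 self-reference entry at index 0x1ED; all function names are hypothetical.

```python
import struct, sys

PAGE = 0x1000
PFN_MASK = 0x000FFFFFFFFFF000   # physical address bits 12..51 of a page-table entry
SELF_MAP = 0x1ED                # assumption: Win7 x64 PML4 self-reference slot

def check_dtb_page(page, dtb):
    """Classify the 4 KiB page found at file offset `dtb` of a raw image."""
    if len(page) < PAGE:
        return "truncated"          # image ends before the DTB
    entries = struct.unpack("<512Q", page[:PAGE])
    if not any(entries):
        return "zero-filled"        # acquisition did not capture this page
    e = entries[SELF_MAP]
    if e & 1 and (e & PFN_MASK) == dtb:
        return "plausible"          # present bit set and entry points back at the DTB
    return "not-a-pml4"             # data present, but wrong page or wrong DTB

def zero_page_ratio(f, size, samples=256):
    """Fraction of evenly spaced sampled pages that contain only zero bytes."""
    pages = size // PAGE
    if pages == 0:
        return 1.0
    picked = range(0, pages, max(1, pages // samples))
    zeros = 0
    for n in picked:
        f.seek(n * PAGE)
        zeros += f.read(PAGE) == bytes(PAGE)
    return zeros / len(picked)

def diagnose(path, dtb=0x187000):
    """Return (DTB page verdict, sampled zero-page ratio) for a raw image."""
    with open(path, "rb") as f:
        size = f.seek(0, 2)
        f.seek(dtb)
        verdict = check_dtb_page(f.read(PAGE), dtb)
        return verdict, zero_page_ratio(f, size)

def constructed_pml4(dtb):
    """Constructed sample: a PML4 page holding only the self-reference entry."""
    entries = [0] * 512
    entries[SELF_MAP] = dtb | 0x63   # present, writable, accessed, dirty
    return struct.pack("<512Q", *entries)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))          # path to the raw image
    else:
        print(check_dtb_page(constructed_pml4(0x187000), 0x187000))
```

A "zero-filled" verdict or a very high zero-page ratio is consistent with the acquisition-issue explanation; "plausible" suggests the page tables were captured and the problem lies elsewhere.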