[Vol-users] diagnose problematic ram dump?

Dewhirst, Rob robdewhirst at gmail.com
Wed Nov 6 11:20:40 CST 2013


kdbgscan had no results.  When we acquired we used the default mode -
winpmem.exe file.raw

I can probably share this 5GB dump with individuals if that helps, so
long as it doesn't end up in some public corpus.

On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette at gmail.com> wrote:
> Hi Rob,
>   It looks to me like volatility can not find the correct kdbg
> location. Can you please also try the kdbgscan module? When you
> acquired the image did you use the default mode ("physical" - maps
> \\.\PhysicalMemory device)?
>
> Thanks
> Michael.

