[Vol-users] diagnose problematic ram dump?
sebastienbr at gmail.com
Wed Nov 6 20:54:45 CST 2013
I have looked at your dump and found a weird thing. Your memory dump seems
to be bigger than it should be.
The memory range of your dump is
So the total size of memory dump should be 4 966 055 936 bytes (i.e:
However, the size of your memory dump is 4 967 100 416 bytes.
Maybe I'm missing something but it seems that Rob's memory dump has 1020KB
more data in it (i.e: 1 044 480 bytes)...
Any ideas why? Could it be an ASCII FTP transfer problem?
On Wed, Nov 6, 2013 at 12:20 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:
> kdbgscan had no results. When we acquired we used the default mode -
> winpmem.exe file.raw
> I can probably share this 5GB dump with individuals if that helps, so
> long as it doesn't end up in some public corpus.
> On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette at gmail.com> wrote:
> > Hi Rob,
> > It looks to me like volatility can not find the correct kdbg
> > location. Can you please also try the kdbgscan module? When you
> > acquired the image did you use the default mode ("physical" - maps
> > \\.\PhysicalMemory device)?
> > Thanks
> > Michael.
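The ASCII-transfer question raised in this thread can be tested directly on the image: a text-mode transfer that expands LF to CR LF leaves no LF byte without a CR in front of it. The sketch below is an added example, not code from the thread or from Volatility or winpmem; the function names and the sample bytes are constructed, and it assumes the expected size has already been worked out from the memory ranges.

```python
import os

def line_ending_stats(stream, chunk_size=1 << 20):
    """Return (bare_lf, crlf) counts for a binary stream, read in chunks."""
    total_lf = crlf = 0
    prev = b""  # last byte of the previous chunk, catches CR|LF split across chunks
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        total_lf += chunk.count(b"\n")
        crlf += (prev + chunk).count(b"\r\n")
        prev = chunk[-1:]
    return total_lf - crlf, crlf

def ascii_transfer_verdict(actual_size, expected_size, bare_lf, crlf):
    """Classify a size surplus against the LF -> CR LF expansion hypothesis."""
    surplus = actual_size - expected_size
    if surplus <= 0:
        return "no-surplus"
    # Text-mode expansion leaves no LF without a preceding CR, and every
    # surplus byte must be the CR of some CR LF pair.
    if bare_lf == 0 and crlf >= surplus:
        return "consistent-with-ascii-transfer"
    return "not-ascii-transfer"

def check_image(path, expected_size):
    """Run both checks on a dump file on disk."""
    with open(path, "rb") as fh:
        bare_lf, crlf = line_ending_stats(fh)
    return ascii_transfer_verdict(os.path.getsize(path), expected_size, bare_lf, crlf)

# Constructed sample: 16 KiB of binary data and the same data after a
# simulated LF -> CR LF text-mode conversion.
ORIGINAL = bytes(range(256)) * 64
MANGLED = ORIGINAL.replace(b"\n", b"\r\n")
```

A dump of several gigabytes that still contains bare LF bytes was not expanded this way, so its surplus has to come from somewhere else.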