[Vol-users] diagnose problematic ram dump?

Sebastien Bourdon-Richard sebastienbr at gmail.com
Wed Nov 6 20:54:45 CST 2013


I have looked at your dump and found a weird thing. Your memory dump seems
to be bigger than it should be.

The memory range of your dump is









So the total size of memory dump should be 4 966 055 936 bytes (i.e:

However, the size of your memory dump is 4 967 100 416 bytes.

Maybe I'm missing something, but it seems that Rob's memory dump has 1020KB
more data in it (i.e.: 1 044 480 bytes)...

Any ideas why? Could it be an ASCII FTP transfer problem?


On Wed, Nov 6, 2013 at 12:20 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:

> kdbgscan had no results.  When we acquired we used the default mode -
> winpmem.exe file.raw
> I can probably share this 5GB dump with individuals if that helps, so
> long as it doesn't end up in some public corpus.
> On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette at gmail.com> wrote:
> > Hi Rob,
> >   It looks to me like volatility can not find the correct kdbg
> > location. Can you please also try the kdbgscan module? When you
> > acquired the image did you use the default mode ("physical" - maps
> > \\.\PhysicalMemory device)?
> >
> > Thanks
> > Michael.
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
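A small script, added here and not part of the thread or of winpmem/Volatility, that does the two checks discussed above: it compares a raw image's size with the physical memory runs it should contain (both as the sum of the runs and as the zero-padded end address), and it tests the ASCII-mode FTP hypothesis by looking at how many 0x0A bytes are preceded by 0x0D. The run table and the sample bytes are constructed values, not Rob's dump.

```python
# Added example: sanity-check a raw physical-memory image against its memory
# runs and test the "ASCII-mode FTP transfer" (LF -> CRLF) hypothesis.
import os

# (start, length) in bytes of each physical memory run.  Constructed values,
# not the runs of the dump discussed on the list.
SAMPLE_RUNS = [
    (0x0000_1000, 0x0009_E000),    # conventional memory below 640K
    (0x0010_0000, 0xBFEE_0000),    # main run below the PCI hole
    (0x1_0000_0000, 0x4000_0000),  # memory remapped above 4G
]
PAGE = 4096

def expected_sizes(runs):
    """Return (sum_of_runs, padded_size).  A raw image that zero-fills the
    gaps between runs ends at the last run's end address; a sparse image is
    only as large as the runs themselves."""
    total = sum(length for _, length in runs)
    end = max(start + length for start, length in runs)
    return total, end

def describe_excess(actual_size, runs):
    """Bytes beyond the padded expected size, split into whole 4 KiB pages
    and a partial-page remainder (a non-zero remainder is unusual for a
    page-granular acquisition tool)."""
    _, padded = expected_sizes(runs)
    delta = actual_size - padded
    return delta, delta // PAGE, delta % PAGE

def looks_ascii_converted(data):
    """Heuristic: after an LF -> CRLF conversion every 0x0A byte is preceded
    by 0x0D.  In genuine binary data only ~1/256 of LF bytes are, so a ratio
    near 1.0 strongly suggests the file went through ASCII mode.
    Returns (lf_count, crlf_count, ratio)."""
    lf = data.count(b"\n")
    crlf = data.count(b"\r\n")
    return lf, crlf, (crlf / lf if lf else 0.0)

def added_by_conversion(data):
    """Bytes an LF -> CRLF conversion would add to data (one per lone LF)."""
    return data.count(b"\n") - data.count(b"\r\n")

def check_image(path, runs, sample_bytes=64 * 1024 * 1024):
    """Run both checks on an on-disk raw image; returns a summary dict."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)       # sample the start of the image
    delta, pages, rem = describe_excess(size, runs)
    lf, crlf, ratio = looks_ascii_converted(head)
    return {"size": size, "excess_bytes": delta, "excess_pages": pages,
            "partial_page": rem, "lf": lf, "crlf": crlf, "crlf_ratio": ratio}
```

If the excess is a whole number of pages and the CRLF ratio is far below 1.0, the transfer is an unlikely explanation and the difference is more plausibly in how the acquisition tool laid out the image.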