[Vol-users] diagnose problematic ram dump?

Sebastien Bourdon-Richard sebastienbr at gmail.com
Wed Nov 6 20:54:45 CST 2013


Rob,

I have looked at your dump and found a weird thing. Your memory dump seems
to be bigger than it should be.

The memory range of your dump is

  Start          End
  0x1000         0x9F000
  0x100000       0xCFDFF000
  0x100000000    0x128000000

So the total size of memory dump should be 4 966 055 936 bytes (i.e:
0x128000000).

However, the size of your memory dump is 4 967 100 416 bytes.

Maybe I'm missing something but it seems that Rob's memory dump has 1020KB
more data in it (i.e: 1 044 480 bytes)...

Any ideas why? Could it be an ASCII FTP transfer problem?

Sebastien

On Wed, Nov 6, 2013 at 12:20 PM, Dewhirst, Rob <robdewhirst at gmail.com> wrote:

> kdbgscan had no results.  When we acquired we used the default mode -
> winpmem.exe file.raw
>
> I can probably share this 5GB dump with individuals if that helps, so
> long as it doesn't end up in some public corpus.
>
> On Wed, Nov 6, 2013 at 3:49 AM, Michael Cohen <scudette at gmail.com> wrote:
> > Hi Rob,
> >   It looks to me like volatility can not find the correct kdbg
> > location. Can you please also try the kdbgscan module? When you
> > acquired the image did you use the default mode ("physical" - maps
> > \\.\PhysicalMemory device)?
> >
> > Thanks
> > Michael.
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
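A worked check of the size arithmetic in the mail above, added here as an example and not code from the thread or from winpmem: it takes the run table and observed file size quoted in the mail, computes the size a flat raw image should have (a raw image spans the physical address space up to the highest run end, with the gaps between runs zero-padded), and reports the surplus and whether it is page-aligned. The function names are my own.

```python
import os

PAGE_SIZE = 0x1000  # 4 KiB x86 page

# Physical memory runs (start, end) exactly as listed in the mail; end is exclusive.
RUNS = [
    (0x1000, 0x9F000),
    (0x100000, 0xCFDFF000),
    (0x100000000, 0x128000000),
]

# Observed size of the dump file, as reported in the mail.
OBSERVED_SIZE = 4_967_100_416


def expected_raw_size(runs):
    """Size of a flat raw image: the highest run end, since gaps between
    runs (e.g. the PCI hole below 4 GiB) are padded, not skipped."""
    return max(end for _, end in runs)


def backed_bytes(runs):
    """Bytes actually backed by RAM, i.e. the sum of the run lengths."""
    return sum(end - start for start, end in runs)


def check_dump_size(runs, actual_size, page_size=PAGE_SIZE):
    """Compare an observed file size with the expected raw-image size and
    describe the difference; a page-aligned surplus points at whole extra
    pages rather than byte-level corruption such as line-ending rewriting."""
    expected = expected_raw_size(runs)
    delta = actual_size - expected
    aligned = delta % page_size == 0
    return {
        "expected": expected,
        "actual": actual_size,
        "delta": delta,
        "delta_kib": delta / 1024,
        "page_aligned": aligned,
        "extra_pages": delta // page_size if aligned else None,
    }


def check_dump_file(path, runs=RUNS):
    """Same check against a file on disk."""
    return check_dump_size(runs, os.path.getsize(path))


if __name__ == "__main__":
    for key, value in check_dump_size(RUNS, OBSERVED_SIZE).items():
        print(f"{key:>12}: {value:#x}" if isinstance(value, int) else f"{key:>12}: {value}")
```

For the figures in the mail it reports a surplus of 1 044 480 bytes (1020 KiB), which is exactly 255 pages of 4 KiB.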