[Vol-users] (win7x64) : creating images for volatility

Andrew Case atcuno at gmail.com
Wed Oct 23 10:30:37 CDT 2013


Nice to hear from someone from our class =)

A few things about your post...

8GB on x64 is where several acquisition tools seem to break, so it
may be that, and your output seems to indicate so.

Also, you are using Volatility 2.2 which is quite old at this point. I
would recommend using the latest through SVN. Not only are there many
bugfixes, but also new plugins, such as iehistory, which will help you
recover the IE data you want and is the one we used in class.

Also, we have full support for networking information on Windows 7
x64, you just have to use the netscan plugin and not the others
(sockets, sockscan, etc.).

Do you have any other acquisition tools you can use or are your
machines virtualized?

On Wed, Oct 23, 2013 at 9:21 AM, Boudewijn Ector
<boudewijn at boudewijnector.nl> wrote:
> Hi guys,
>
>
> Currently I've got a sample of an infected win7 machine with enough
> memory (8gb) which is not being used by anything except for 'the
> malware' (no running office etc) so quite a lot of stuff should not
> have been swapped out of memory yet.
>
>
> Strangely, I can't dump the process:
>
> ; vol.py  -f dump.raw --profile=Win7SP1x64 procexedump -p 4932
> --dump-dir results/4932.bin
> Volatile Systems Volatility Framework 2.2
> Process(V)         ImageBase          Name                 Result
> ------------------ ------------------ -------------------- ------
>
>
> Okay so it might be not in memory anymore... fine. So let's scan for
> network activity using connscan.
> This does not yield any results either.... just like svcscan.
>
> Also the image is very very slow... on a regular machine (core i5 2400,
> 20gb mem) running imageinfo on the 8gb images takes about 10 minutes.
>
> Also malfind mentions :
>
> WARNING : volatility.obj      : NoneObject as string: Invalid Address
> 0x05140000, instantiating _MMADDRESS_NODE
> WARNING : volatility.obj      : NoneObject as string: Invalid Address
> 0x05140000, instantiating _MMADDRESS_NODE
> WARNING : volatility.obj      : NoneObject as string: Invalid Address
> 0x21A4C320A, instantiating _MMADDRESS_NODE
> WARNING : volatility.obj      : NoneObject as string: Invalid Address
> 0x21A4C320A, instantiating _MMADDRESS_NODE
>
>
> Psxview says all processes are like this:
>
> 0x000000021a841060 <PROCESSNAME>            6640 False  True   False
> False   False
>
> Isn't that just weird? (yes it's because psscan is the only module being
> able to retrieve data from memory... but isn't that strange)
>
>
> This makes me presume my memory images are broken.  My colleague
> probably (!) used winpmem -f for doing this. What's the best way to
> create a memory image on a windows7 x64 box without having admin? (these
> boxes are remotely managed and it takes a looooot of time to make sure
> an admin will do something).
> Or is this just perfectly normal behaviour and is win7x64 just being
> badly supported by volatility? (I know the network-based plugins don't
> work but that's okay... it's being mentioned in the docs)
>
>
> Furthermore: during our recent volatility training (in Amsterdam), we
> used a plugin for getting data from internet explorer history. I had a
> look online and didn't find it, is it non-public?
>
> Cheers,
>
> Boudewijn Ector
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
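
The exchange above is the original thread. What follows is an added example, not code from either poster or from the Volatility project: a small Python triage script for the situation Andrew describes, where the first question is whether the 8GB x64 acquisition itself is broken rather than whether the plugins are. It checks the things a practitioner looks at before blaming the analysis tool: image size against installed RAM (a raw image of the physical address space is normally larger than RAM because of PCI holes, never smaller), the share of all-zero pages, and whether a 'KDBG' tag exists at all. The "eight null bytes then KDBG" pattern is an assumption used as a cheap heuristic, not Volatility's profile-specific kdbgscan signature, and the sample images are constructed in the script.

```python
"""Triage a raw memory image before concluding that the analysis tool is at fault.

Added example; the KDBG heuristic and the sample images below are assumptions
constructed for illustration, not output from the thread.
"""
import re

PAGE = 4096

# Assumption: match the 'KDBG' OwnerTag of the debugger data header only when it is
# preceded by eight null bytes (the zeroed list pointers). This is a triage heuristic,
# not the profile-specific signature Volatility's kdbgscan uses.
KDBG_PATTERN = re.compile(rb"\x00{8}KDBG")


def zero_page_ratio(data: bytes, page: int = PAGE) -> float:
    """Fraction of page-sized chunks that are entirely zero."""
    pages = len(data) // page
    if pages == 0:
        return 1.0
    zero = bytes(page)
    zeros = sum(1 for i in range(pages) if data[i * page:(i + 1) * page] == zero)
    return zeros / pages


def find_kdbg_candidates(data: bytes) -> list:
    """Physical offsets of every 'KDBG' tag preceded by eight null bytes."""
    return [m.start() + 8 for m in KDBG_PATTERN.finditer(data)]


def triage(data: bytes, installed_ram: int) -> dict:
    """Return size, zero-page ratio, KDBG hits and a list of readable problems.

    A raw image covers physical address space, so being larger than installed
    RAM is normal; being smaller means the acquisition stopped early.
    """
    issues = []
    size = len(data)
    if size < installed_ram:
        issues.append(f"image is {size} bytes but RAM is {installed_ram}: truncated acquisition")
    if size % PAGE:
        issues.append("image size is not a multiple of the page size")
    ratio = zero_page_ratio(data)
    if ratio > 0.9:
        issues.append(f"{ratio:.0%} of pages are all zero: the tool may have written nothing useful")
    kdbg = find_kdbg_candidates(data)
    if not kdbg:
        issues.append("no KDBG tag found: imageinfo/kdbgscan will have nothing to work with")
    return {"size": size, "zero_page_ratio": ratio, "kdbg_offsets": kdbg, "issues": issues}


def build_sample_image(pages: int, kdbg_page=None) -> bytes:
    """Constructed test image: a byte ramp per page, optionally with a fake KDBG header.

    The ramp never contains eight consecutive zeros, so only the planted header matches.
    """
    filler = bytes(range(256)) * (PAGE // 256)
    image = bytearray(filler * pages)
    if kdbg_page is not None:
        off = kdbg_page * PAGE + 0x100
        image[off:off + 12] = b"\x00" * 8 + b"KDBG"
    return bytes(image)


if __name__ == "__main__":
    ram = 64 * PAGE
    samples = {
        "good": build_sample_image(72, kdbg_page=5),           # larger than RAM, has KDBG
        "truncated": build_sample_image(32) + bytes(16 * PAGE),  # stopped early, no KDBG
        "empty": bytes(64 * PAGE),                              # right size, all zeros
    }
    for name, img in samples.items():
        r = triage(img, ram)
        print(name, r["size"], f"{r['zero_page_ratio']:.0%}",
              [hex(o) for o in r["kdbg_offsets"]], r["issues"])
```

Run it against a real file with `triage(open(path, "rb").read(), ram_bytes)` only on images that fit in memory; for a genuine 8GB image read it in page-sized chunks instead. If the size or zero-page checks fail, the image, not Volatility, is the problem, and re-acquiring is the fix.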

