[Vol-users] (win7x64) : creating images for volatility

Boudewijn Ector boudewijn at boudewijnector.nl
Wed Oct 23 12:21:19 CDT 2013


On 23-10-13 17:28, david nardoni wrote:
>  Also I would try netscan instead of connscan for win7. But it sounds like a problem with the
> memory dump
>
Yeah I suppose the memory dump is *****ed... but wanted to make sure
since I heard some rumours about having problems with *large* dumps on x64.
And indeed I meant netscan, instead of connscan. My bad.

@MHL: Thanks. Indeed, old svn version... I'm using too many machines I
guess. Just updated and reinstalled from trunk.

On 23-10-13 17:37, Jamie Levy wrote:
> You must have admin in order to acquire memory...  How did you manage
> to get a sample without having admin?  If you have a virtualized
> environment then you can acquire the memory from outside the machine
> without having admin privileges on the acquired machine, however
> (vmsn/vmss on esx for example).
Actually, I do not know. I wasn't involved in the actual incident until
some other guys decided to ask me.
It's a bare metal box, so no hypervisor involved. Furthermore, they
might have had admin but I'll probably create some new memory samples
tomorrow and getting admin in a timely manner is quite hard. Currently
the box is next to me so I can take some time to create a good sample.

On 23-10-13 17:30, Andrew Case wrote:
> Nice to hear from someone from our class =)

Nice to see all three teachers reply on-list. Hope you enjoyed teaching
the class as much as I did attending it.
>
> A few things about your post...
>
> 8GB on x64 is where several acquisition tools seem to break, so it
> may be that and your output seems to indicate so.
Since the box is actually idling, I might remove a DIMM and thereby
create a nice 4GB environment. The reason for keeping the 8gigs in is
that it will improve my chances of having traces still in memory instead
of having those swapped/overwritten.
Is there a fast way to tell the image is bad? (yup I think my current
one is bad, but I'm going to need to test again by tomorrow) And, is the
slowness indicative of having a bad image?
> Also, you are using Volatility 2.2 which is quite old at this point. I
> would recommend using the latest through SVN. Not only are there many
> bugfixes, but also new plugins, such as iehist

Yup. That's the plugin I was looking for. Guess I downloaded the release
version of volatility on this box, instead of getting it from SVN. Fixed
it, thanks!
> Also, we have full support for networking information on Windows 7
> x64, you just have to use the netscan plugin and not the others
> (sockets, sockscan, etc.).
Indeed.

> Do you have any other acquisition tools you can use or are your
> machines virtualized?
I can use whatever free tools I like, and am probably allowed to spend a
moderate amount of money in order to buy stuff. Buying tools will take
time though (boss has to acknowledge the order etc etc etc) so getting
free stuff is preferred.
The infected machines are not virtualised and the malware is probably
virtualisation-aware, so that's not an option I'm afraid.



Anybody got some more useful stuff? I used volatility quite a couple of
times but never created my own images on hardware (used either somebody
else's samples or VMs).


Cheers,

Boudewijn Ector


