[Vol-users] (win7x64) : creating images for volatility
boudewijn at boudewijnector.nl
Wed Oct 23 15:20:12 CDT 2013
On 23-10-13 20:31, George M. Garner Jr. wrote:
> 64 GiB is a large dump. 8 GiB is standard these days. No problems
> with really LARGE memory dumps here, btw. :-) No problem acquiring
> the pagefile(s) here either, in case you have some virtual memory
> swapped out.
Okay. Well anyway, we'll remove a DIMM tomorrow anyway (over here in
Europe it's about 10pm by now), it will also speed up analysis I hope.
> Don't bet on it. If the processor supports virtualization extensions
> (which most do nowadays), then you may be running in a hypervisor.
> You have to test for that specifically.
Wait, what? Well we actually brought the box to our office and did not
notice anything. It's just a regular computer for office applications,
on which we did not notice any hypervisor (the admin also didn't mention
anything). Furthermore, the sample refuses to run in a VM and seems to
work fine on this box. My colleague actually patched some anti-DFIR
defenses, so I don't think the infected workstation is actually running