[Vol-users] (win7x64) : creating images for volatility

Boudewijn Ector boudewijn at boudewijnector.nl
Wed Oct 23 15:20:12 CDT 2013


On 23-10-13 20:31, George M. Garner Jr. wrote:
> 64 GiB is a large dump.  8 GiB is standard these days.  No problems 
> with really LARGE memory dumps here, btw.  :-) No problem acquiring 
> the pagefile(s) here either, in case you have some virtual memory 
> swapped out.
Okay. Well, we'll remove a DIMM tomorrow anyway (over here in 
Europe it's about 10pm by now); it will also speed up analysis, I hope.
> Don't bet on it.  If the processor supports virtualization extensions 
> (which most do nowadays), then you may be running in a hypervisor.  
> You have to test for that specifically.
Wait, what? Well we actually brought the box to our office and did not 
notice anything. It's just a regular computer for office applications, 
on which we did not notice any hypervisor (the admin also didn't mention 
anything). Furthermore, the sample refuses to run in a VM and seems to 
work fine on this box. My colleague actually patched some anti-DFIR 
defenses, so I don't think the infected workstation is actually running 
some hypervisor.


Cheers,

Boudewijn Ector
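The specific test George refers to, as an added example that is not part of the thread: read the CPUID "hypervisor present" bit (leaf 1, ECX bit 31) and, if set, the vendor signature leaf 0x40000000. It assumes an x86/x86-64 build with GCC or Clang; the decoding helpers are pure functions so they can be fed register values pulled from elsewhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)   /* assumes GCC/Clang <cpuid.h> */
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1: ECX bit 31 is reserved for "hypervisor present". */
int hv_present_from_ecx(uint32_t ecx) {
    return (ecx >> 31) & 1u;
}

/* CPUID leaf 0x40000000: EBX, ECX, EDX carry a 12-byte vendor signature
 * (little-endian byte order, e.g. "KVMKVMKVM", "VMwareVMware"). */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Query the live CPU. Returns 1 if the hypervisor bit is set, 0 if clear,
 * -1 if CPUID is unavailable on this build. vendor is filled only when 1. */
int hv_probe(char vendor[13]) {
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hv_present_from_ecx(ecx))
        return 0;
    /* Leaf 0x40000000 is above the basic max leaf, so use raw __cpuid. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_from_regs(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) {
    char vendor[13];
    int r = hv_probe(vendor);
    if (r < 0)       puts("CPUID not available on this build");
    else if (r == 0) puts("hypervisor-present bit clear");
    else             printf("hypervisor present, vendor signature: %s\n", vendor);
    return 0;
}
```

A clear bit only says no cooperative hypervisor advertises itself; it does not rule out one that hides the bit, so treat it as a first check rather than proof.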

