Hi Erika,

Which version of Windows are you analysing?

You say 'psscan' returns no results, how about pslist and psxview? I would agree that psscan finding nothing is odd. And how was the image acquired?

Let us know!

Adam

On 31 May 2016 at 21:38, Erika Noerenberg <[email protected]> wrote:

> Hello all,
>
> I am analyzing a memory dump and looking at execution in a period of known
> bad activity, and have been able to gather quite a bit of information using
> volatility. For some reason though, shimcache and psscan return no results,
> although all the other plugins I've run (and volshell) have worked fine. I
> find it hard to believe that psscan for one can find no _EPROCESS
> structures, so I'm not sure what's happening. Also, in the results from the
> timeliner, I have several entries with blank shimcache entries like
> "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate
> with shimcache entries on disk, so I know something is just not being
> picked up.
>
> Any ideas on why shimcache/psscan would produce no results? I'm not sure
> about the best way to track down the reason.
>
> Thanks!
> Erika
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
