Erika,

I've run into psscan not providing results, but usually not Shimcache too.

On a separate note, have you tested Mandiant's Shimcachemem plugin to see if
that's picking up Shimcache entries?

Also, are you able to parse Shimcache straight from the disk's SYSTEM
hive (you mentioned you had disk)?

Best,
Jared
On May 31, 2016 6:13 PM, "Erika Noerenberg" <[email protected]>
wrote:

> Hello all,
>
> I am analyzing a memory dump and looking at execution in a period of known
> bad activity, and have been able to gather quite a bit of information using
> volatility. For some reason though, shimcache and psscan return no results,
> although all the other plugins I've run (and volshell) have worked fine. I
> find it hard to believe that psscan for one can find no _EPROCESS
> structures, so I'm not sure what's happening. Also, in the results from the
> timeliner, I have several entries with blank shimcache entries like
> "macb,---------------,0,0,0,"[SHIMCACHE]  "" during times I can correlate
> with shimcache entries on disk, so I know something is just not being
> picked up.
>
> Any ideas on why shimcache/psscan would produce no results? I'm not sure
> about the best way to track down the reason.
>
> Thanks!
> Erika
>
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
>
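Jared's last suggestion, parsing the Shimcache straight from the on-disk SYSTEM hive, as an added example that is not part of this thread: a parser for the Windows 7 / 2008 R2 64-bit AppCompatCache value layout, run here over a constructed blob so it works offline. The layout and the "executed" insert-flag bit follow the widely documented Win7 format; the commented-out python-registry call and hive key path are assumptions about the reader's tooling, not something the thread states.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 / 2008 R2 AppCompatCache layout (64-bit): a 128-byte header that
# starts with magic 0xBADC0FFE and an entry count, then 48-byte entries whose
# path offsets are relative to the start of the value data.
WIN7_MAGIC = 0xBADC0FFE
WIN7_HEADER_SIZE = 128
# path len, max len, pad, path offset, FILETIME, insert flags, shim flags, blob size, blob offset
WIN7_X64_ENTRY = struct.Struct("<HHIQQIIQQ")
CSRSS_FLAG_EXECUTED = 0x2  # insert-flag bit set when the binary was actually run
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_appcompatcache_win7_x64(data):
    """Parse raw AppCompatCache value bytes into a list of entry dicts."""
    magic, count = struct.unpack_from("<II", data, 0)
    if magic != WIN7_MAGIC:
        raise ValueError("not a Windows 7/2008 R2 AppCompatCache blob: 0x%08x" % magic)
    entries = []
    for i in range(count):
        off = WIN7_HEADER_SIZE + i * WIN7_X64_ENTRY.size
        plen, _pmax, _pad, poff, ft, insert_flags, _shim, _bsz, _boff = WIN7_X64_ENTRY.unpack_from(data, off)
        entries.append({
            "path": data[poff:poff + plen].decode("utf-16-le"),
            "last_modified": filetime_to_dt(ft),   # $STANDARD_INFORMATION mtime of the file, not run time
            "executed": bool(insert_flags & CSRSS_FLAG_EXECUTED),
        })
    return entries

def build_sample_blob(items):
    """Constructed test data only: items are (path, datetime, executed) tuples."""
    header = struct.pack("<II", WIN7_MAGIC, len(items)).ljust(WIN7_HEADER_SIZE, b"\x00")
    strings_base = WIN7_HEADER_SIZE + len(items) * WIN7_X64_ENTRY.size
    entries, strings = b"", b""
    for path, dt, executed in items:
        enc = path.encode("utf-16-le")
        entries += WIN7_X64_ENTRY.pack(len(enc), len(enc) + 2, 0, strings_base + len(strings),
                                       dt_to_filetime(dt), CSRSS_FLAG_EXECUTED if executed else 0, 0, 0, 0)
        strings += enc + b"\x00\x00"  # NUL-terminated UTF-16LE path
    return header + entries + strings

# Constructed sample standing in for the value read from a real hive, which would be (assumed
# python-registry usage): Registry.Registry("SYSTEM").open(
#   "ControlSet001\\Control\\Session Manager\\AppCompatCache").value("AppCompatCache").value()
SAMPLE = build_sample_blob([
    (r"C:\Windows\System32\cmd.exe", datetime(2016, 5, 31, 18, 13, tzinfo=timezone.utc), True),
    (r"C:\Users\Public\notepad.exe", datetime(2016, 5, 30, 9, 0, tzinfo=timezone.utc), False),
])

if __name__ == "__main__":
    for e in parse_appcompatcache_win7_x64(SAMPLE):
        print(e["last_modified"].isoformat(), "executed" if e["executed"] else "cached  ", e["path"])
```

Entries parsed this way from the disk hive can be checked against the blank `[SHIMCACHE]` timeliner rows Erika describes, since the cache on disk is the last persisted copy of what the memory plugin should have found.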