Hi Kim,

Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the results?

Also, do you know what tool was used for acquisition? My gut feeling is this is probably related to a bad capture, but I'll wait on the kdbgscan results to tell for sure.

Thanks,
Michael

On 7/25/16 7:42 AM, Kim Palechek wrote:
> I need some assistance with an issue that I recently came across. I am
> trying to run volatility plugins against the image Win2008R2SP1x64 and
> it doesn’t seem to be providing complete information. Below are a few
> examples. Any ideas on the ‘lack of information’?
>
> $ vol.py pstree
> Volatility Foundation Volatility Framework 2.5
> Name                                                  Pid   PPid   Thds   Hnds Time
> -------------------------------------------------- ------ ------ ------ ------ ----
> 0xfffffa8024e15040:                                    0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> $ vol.py psscan
> Volatility Foundation Volatility Framework 2.5
> Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
> ------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
> 0x00000000023551b0 conhost.exe      13692  372    0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
> 0x000000000235b060 WmiPrvSE.exe     4540   636    0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> $ vol.py pslist
> Volatility Foundation Volatility Framework 2.5
> Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
> ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
> 0xfffffa8024e15040                           0      0      0 -------- ------      0
>
> Kim Palechek, CISSP, CEH
> IT Security Operations Specialist, (Information Security, Risk and
> Compliance)
> 3M Information Technology
> 3M Center, Bldg, 0224-04-E-21
> Phone: 736-6526
> [email protected]
>
> The absence of evidence is not the evidence of absence.
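A cross-view check of the kind Michael's reply is leading toward, added here as an example that is not part of this thread or of Volatility itself: it parses the Volatility 2.5 pslist and psscan text tables (the rows Kim pasted, embedded below as constructed samples), discards pslist rows that are only the zero/epoch sentinels seen above, and splits what psscan found into exited processes and live ones that pslist does not show. The regexes and the verdict wording are assumptions about the 2.5 text layout, not Volatility's own API.

```python
import re
# Constructed samples in Volatility 2.5 text layout, reproducing the rows pasted in the thread.
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.5
Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8024e15040                           0      0      0 -------- ------      0
"""
PSSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00000000023551b0 conhost.exe      13692  372    0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
0x000000000235b060 WmiPrvSE.exe     4540   636    0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+"
# Data rows only; the header and dash ruler never match. Name may be blank in a broken pslist row.
PSLIST_ROW = re.compile(
    rf"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S*)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+"
    rf"(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)(?:\s+(?P<start>{TS}))?(?:\s+(?P<exit>{TS}))?\s*$")
PSSCAN_ROW = re.compile(
    rf"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<pdb>0x[0-9a-f]+)"
    rf"(?:\s+(?P<created>{TS}))?(?:\s+(?P<exited>{TS}))?\s*$")

def parse_rows(output, pattern):
    return [m.groupdict() for m in map(pattern.match, output.splitlines()) if m]

def is_sentinel(row):
    """A pslist row with no name, PID/PPID/Thds all 0, or a 1970 start time is not a real process."""
    zeros = row["pid"] == "0" and row["ppid"] == "0" and row["thds"] == "0"
    return not row["name"] or zeros or (row["start"] or "").startswith("1970-01-01")

def cross_view(pslist_out, psscan_out):
    """Compare the EPROCESS list walk (pslist) with the pool scan (psscan) and triage the gap."""
    real = [r for r in parse_rows(pslist_out, PSLIST_ROW) if not is_sentinel(r)]
    known = {int(r["pid"]) for r in real}
    missing = [r for r in parse_rows(psscan_out, PSSCAN_ROW) if int(r["pid"]) not in known]
    result = {
        "pslist_usable": bool(real),
        "unlisted_exited": sorted((int(r["pid"]), r["name"]) for r in missing if r["exited"]),
        "unlisted_live": sorted((int(r["pid"]), r["name"]) for r in missing if not r["exited"]),
    }
    if not real:  # the list walk itself failed, so nothing can be said about hiding yet
        result["verdict"] = "pslist unusable: confirm the profile/KDBG with kdbgscan and check the capture"
    elif result["unlisted_live"]:
        result["verdict"] = "psscan shows live processes absent from pslist: treat as possibly unlinked"
    else:
        result["verdict"] = "views agree: psscan extras are exited processes"
    return result
```

Run `cross_view(PSLIST_SAMPLE, PSSCAN_SAMPLE)` to see the thread's case triaged; feed it real plugin output captured to files to check an image of your own.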
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
