Hi Kim,

Yes, unfortunately we're only able to enumerate 1 process in the linked list. This typically happens when the acquisition tool fails to acquire one or more pages of memory containing the necessary puzzle pieces (or "links"). In some cases, if it's a minor smearing issue, you can still salvage some data by using psscan, which does a brute force scan of the entire memory dump for processes (even if they aren't linked). However, I noticed your psscan results only had 2 entries. This means the acquisition tool failed to acquire a whole lot more than just a couple pages. In the past, we've seen that happen quite a bit with DumpIt, FTK Imager, and Memoryze.
Do you still have access to the suspect machine by any chance?

Thanks,
Michael

On 7/25/16 11:07 AM, Kim Palechek wrote:
> Thank you so much for getting back so quickly. Below are the results of the
> kdbgscan. Encase is the tool used for acquisition.
>
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> Offset (V)                    : 0xf80001dfa110
> Offset (P)                    : 0x1dfa110
> KDBG owner tag check          : True
> Profile suggestion (KDBGHeader): Win7SP1x64
> Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> Major (OptionalHeader)        : 6
> Minor (OptionalHeader)        : 1
> KPCR                          : 0xfffff80001dfbd00 (CPU 0)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> Offset (V)                    : 0xf80001dfa110
> Offset (P)                    : 0x1dfa110
> KDBG owner tag check          : True
> Profile suggestion (KDBGHeader): Win7SP0x64
> Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> Major (OptionalHeader)        : 6
> Minor (OptionalHeader)        : 1
> KPCR                          : 0xfffff80001dfbd00 (CPU 0)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> Offset (V)                    : 0xf80001dfa110
> Offset (P)                    : 0x1dfa110
> KDBG owner tag check          : True
> Profile suggestion (KDBGHeader): Win2008R2SP1x64
> Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> Major (OptionalHeader)        : 6
> Minor (OptionalHeader)        : 1
> KPCR                          : 0xfffff80001dfbd00 (CPU 0)
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> Offset (V)                    : 0xf80001dfa110
> Offset (P)                    : 0x1dfa110
> KDBG owner tag check          : True
> Profile suggestion (KDBGHeader): Win2008R2SP0x64
> Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> Major (OptionalHeader)        : 6
> Minor (OptionalHeader)        : 1
> KPCR                          : 0xfffff80001dfbd00 (CPU 0)
>
>
> Kim Palechek, CISSP, CEH
> IT Security Operations Specialist, (Information Security, Risk and Compliance)
> 3M Information Technology
> 3M Center, Bldg, 0224-04-E-21
> Phone: 736-6526
> [email protected]
>
> The absence of evidence is not the evidence of absence.
>
> On 7/25/16, 10:53 AM, "Michael Ligh" <[email protected]> wrote:
>
> Hi Kim,
>
> Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the
> results?
>
> Also, do you know what tool was used for acquisition? My gut feeling is
> this is probably related to a bad capture, but I'll wait on the kdbgscan
> results to tell for sure.
>
> Thanks,
> Michael
>
> On 7/25/16 7:42 AM, Kim Palechek wrote:
> > I need some assistance with an issue that I recently came across. I am
> > trying to run volatility plugins against the image Win2008R2SP1x64 and
> > it doesn't seem to be providing complete information. Below are a few
> > examples. Any ideas on the 'lack of information'?
> >
> > $ vol.py pstree
> >
> > Volatility Foundation Volatility Framework 2.5
> > Name                                                  Pid   PPid   Thds   Hnds Time
> > -------------------------------------------------- ------ ------ ------ ------ ----
> > 0xfffffa8024e15040:                                     0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > $ vol.py psscan
> >
> > Volatility Foundation Volatility Framework 2.5
> > Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
> > ------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
> > 0x00000000023551b0 conhost.exe       13692    372 0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
> > 0x000000000235b060 WmiPrvSE.exe       4540    636 0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > $ vol.py pslist
> >
> > Volatility Foundation Volatility Framework 2.5
> > Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
> > ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
> > 0xfffffa8024e15040                           0      0      0 -------- ------      0
> >
> >
> > Kim Palechek, CISSP, CEH
> > IT Security Operations Specialist, (Information Security, Risk and
> > Compliance)
> > 3M Information Technology
> > 3M Center, Bldg, 0224-04-E-21
> > Phone: 736-6526
> > [email protected]
> >
> > The absence of evidence is not the evidence of absence.
> >
> > 3M security scanners have not detected any malicious content in this
> > message.
> > To report this email as SPAM, please forward it to [email protected]
>
_______________________________________________ Vol-users mailing list [email protected] http://lists.volatilesystems.com/mailman/listinfo/vol-users
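Michael's explanation above (pslist and pstree walk the linked list anchored at PsActiveProcessHead, psscan brute-forces the dump for process structures whether or not they are still linked, and neither can recover anything on pages the tool never captured) can be shown with a small simulation. This is an added example, not code from the thread or from Volatility: the 40-byte record layout, the `Proc` tag, the page addresses and the process list are all constructed (two names and PIDs are borrowed from Kim's psscan output; the rest are made up), and the real _EPROCESS/_POOL_HEADER layouts and Volatility's sanity checks are not modelled.

```python
import struct

PAGE = 0x1000
POOL_TAG = b"Proc"        # constructed stand-in for the pool tag a scanner carves for
# Constructed record layout (NOT the real _EPROCESS): tag, pid, flink, blink, name
REC_FMT = "<4sIQQ16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 40 bytes
HEAD_FMT = "<QQ"                      # list head: flink, blink


class Dump:
    """A toy physical-memory image: page_base -> bytearray(PAGE).
    Pages the acquisition tool 'failed to acquire' are simply absent."""

    def __init__(self):
        self.pages = {}

    def write(self, addr, data):
        base, off = addr & ~(PAGE - 1), addr & (PAGE - 1)
        assert off + len(data) <= PAGE          # records never straddle pages here
        self.pages.setdefault(base, bytearray(PAGE))[off:off + len(data)] = data

    def read(self, addr, n):
        page = self.pages.get(addr & ~(PAGE - 1))
        off = addr & (PAGE - 1)
        if page is None or off + n > PAGE:
            return None                         # unreadable: page never acquired
        return bytes(page[off:off + n])

    def drop_page(self, base):
        """Simulate a page the acquisition tool failed to read."""
        self.pages.pop(base, None)


def build_dump(head_addr, procs):
    """procs: list of (addr, pid, name), linked in order through head_addr."""
    dump = Dump()
    addrs = [a for a, _, _ in procs]
    for i, (addr, pid, name) in enumerate(procs):
        flink = addrs[i + 1] if i + 1 < len(addrs) else head_addr
        blink = addrs[i - 1] if i > 0 else head_addr
        dump.write(addr, struct.pack(REC_FMT, POOL_TAG, pid, flink, blink, name.encode()))
    dump.write(head_addr, struct.pack(HEAD_FMT, addrs[0], addrs[-1]))
    return dump


def walk_active_list(dump, head_addr, limit=4096):
    """pslist-style: follow flink pointers from the head. One unreadable page
    breaks the chain, and every entry behind it is lost."""
    found, seen = [], set()
    raw = dump.read(head_addr, struct.calcsize(HEAD_FMT))
    if raw is None:
        return found, "list head unreadable"
    cur = struct.unpack(HEAD_FMT, raw)[0]
    while cur != head_addr:
        if cur in seen or len(found) >= limit:
            return found, "loop or runaway list"
        seen.add(cur)
        rec = dump.read(cur, REC_SIZE)
        if rec is None:
            return found, "chain broken: unreadable page at %#x" % cur
        _tag, pid, flink, _blink, name = struct.unpack(REC_FMT, rec)
        found.append((cur, pid, name.rstrip(b"\0").decode()))
        cur = flink
    return found, "ok"


def scan_pool_tags(dump):
    """psscan-style: brute-force every acquired page for the tag, ignoring links.
    Finds unlinked entries too, but still nothing on pages never captured."""
    hits = []
    for base, page in sorted(dump.pages.items()):
        off = page.find(POOL_TAG)
        while 0 <= off <= PAGE - REC_SIZE:
            _tag, pid, _f, _b, name = struct.unpack_from(REC_FMT, page, off)
            hits.append((base + off, pid, name.rstrip(b"\0").decode()))
            off = page.find(POOL_TAG, off + 1)
    return hits


# Constructed process list: two per page across three pages, head on page 0.
HEAD = 0x0040
PROCS = [(0x1040, 4, "System"), (0x1400, 372, "csrss.exe"),
         (0x2040, 636, "svchost.exe"), (0x2400, 13692, "conhost.exe"),
         (0x3040, 4540, "WmiPrvSE.exe"), (0x3400, 2210, "lsass.exe")]


def compare(missing_pages=()):
    """Return (pslist-style count, psscan-style count, walk status) for a dump
    that is missing the given pages."""
    dump = build_dump(HEAD, PROCS)
    for base in missing_pages:
        dump.drop_page(base)
    walked, status = walk_active_list(dump, HEAD)
    return len(walked), len(scan_pool_tags(dump)), status


if __name__ == "__main__":
    for missing in [(), (0x2000,), (0x1000,), (0x1000, 0x3000)]:
        w, s, st = compare(missing)
        label = ",".join("%#x" % m for m in missing) or "none"
        print("missing pages %-14s pslist=%d psscan=%d (%s)" % (label, w, s, st))
```

The last scenario mirrors the thread: with two of the three process-bearing pages gone, the list walk returns nothing usable because the very first link points into a missing page, while the scanner returns only the two entries that happened to sit on an acquired page. A psscan count far below the expected process count therefore points at the capture itself, not at the list-walking plugin.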
