Hi Kim,

In this case, it's not the overlays. I can tell because details for the two processes you /do/ see from psscan are all okay. If a bad overlay was the issue, your results would be all or nothing.

Cheers - I may follow up with you off-list to offer a little other advice.

Thanks,
Michael

On 7/25/16 11:40 AM, Kim Palechek wrote:
> I don't have access to the machine but I'm sure our Forensics guys do as they were the ones who retrieved the image for us. I'll discuss with Steve on what he wants to do or if he wants to acquire another image.
>
> Thank you so much for getting back to me so quickly and for your help! I wasn't sure if it was another issue with the overlays and x64 machines.
>
> Kim Palechek, CISSP, CEH
> IT Security Operations Specialist, (Information Security, Risk and Compliance)
> 3M Information Technology
> 3M Center, Bldg, 0224-04-E-21
> Phone: 736-6526
> [email protected]
>
> The absence of evidence is not the evidence of absence.
>
> On 7/25/16, 11:15 AM, "Michael Ligh" <[email protected]> wrote:
>
> Hi Kim,
>
> Yes, unfortunately we're only able to enumerate 1 process in the linked list. This typically happens when the acquisition tool fails to acquire one or more pages of memory containing the necessary puzzle pieces (or "links"). In some cases, if it's a minor smearing issue, you can still salvage some data by using psscan, which does a brute force scan of the entire memory dump for processes (even if they aren't linked). However, I noticed your psscan results only had 2 entries. This means the acquisition tool failed to acquire a whole lot more than just a couple pages. In the past, we've seen that happen quite a bit with DumpIt, FTK Imager, and Memoryze.
>
> Do you still have access to the suspect machine by any chance?
>
> Thanks,
> Michael
>
> On 7/25/16 11:07 AM, Kim Palechek wrote:
> > Thank you so much for getting back so quickly. Below are the results of the kdbgscan. EnCase is the tool used for acquisition.
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> > Offset (V)                    : 0xf80001dfa110
> > Offset (P)                    : 0x1dfa110
> > KDBG owner tag check          : True
> > Profile suggestion (KDBGHeader): Win7SP1x64
> > Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> > PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> > PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> > KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> > Major (OptionalHeader)        : 6
> > Minor (OptionalHeader)        : 1
> > KPCR                          : 0xfffff80001dfbd00 (CPU 0)
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> > Offset (V)                    : 0xf80001dfa110
> > Offset (P)                    : 0x1dfa110
> > KDBG owner tag check          : True
> > Profile suggestion (KDBGHeader): Win7SP0x64
> > Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> > PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> > PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> > KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> > Major (OptionalHeader)        : 6
> > Minor (OptionalHeader)        : 1
> > KPCR                          : 0xfffff80001dfbd00 (CPU 0)
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> > Offset (V)                    : 0xf80001dfa110
> > Offset (P)                    : 0x1dfa110
> > KDBG owner tag check          : True
> > Profile suggestion (KDBGHeader): Win2008R2SP1x64
> > Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> > PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> > PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> > KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> > Major (OptionalHeader)        : 6
> > Minor (OptionalHeader)        : 1
> > KPCR                          : 0xfffff80001dfbd00 (CPU 0)
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
> > Offset (V)                    : 0xf80001dfa110
> > Offset (P)                    : 0x1dfa110
> > KDBG owner tag check          : True
> > Profile suggestion (KDBGHeader): Win2008R2SP0x64
> > Version64                     : 0xf80001dfa0e8 (Major: 15, Minor: 7601)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab)     : 7601.23418.amd64fre.win7sp1_ldr.
> > PsActiveProcessHead           : 0xfffff80001e31420 (1 processes)
> > PsLoadedModuleList            : 0xfffff80001e4f730 (52 modules)
> > KernelBase                    : 0xfffff80001c0d000 (Matches MZ: True)
> > Major (OptionalHeader)        : 6
> > Minor (OptionalHeader)        : 1
> > KPCR                          : 0xfffff80001dfbd00 (CPU 0)
> >
> > On 7/25/16, 10:53 AM, "Michael Ligh" <[email protected]> wrote:
> >
> > Hi Kim,
> >
> > Could you run kdbgscan --profile=Win2008R2SP1x64 on it and paste the results?
> >
> > Also, do you know what tool was used for acquisition? My gut feeling is this is probably related to a bad capture, but I'll wait on the kdbgscan results to tell for sure.
> >
> > Thanks,
> > Michael
> >
> > On 7/25/16 7:42 AM, Kim Palechek wrote:
> > > I need some assistance with an issue that I recently came across. I am trying to run volatility plugins against the image Win2008R2SP1x64 and it doesn't seem to be providing complete information. Below are a few examples. Any ideas on the 'lack of information'?
> > >
> > > $ vol.py pstree
> > > Volatility Foundation Volatility Framework 2.5
> > > Name                                               Pid    PPid   Thds   Hnds   Time
> > > -------------------------------------------------- ------ ------ ------ ------ ----
> > > 0xfffffa8024e15040:                                     0      0      0 ------ 1970-01-01 00:00:00 UTC+0000
> > >
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > > $ vol.py psscan
> > > Volatility Foundation Volatility Framework 2.5
> > > Offset(P)          Name             PID    PPID   PDB                Time created                   Time exited
> > > ------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
> > > 0x00000000023551b0 conhost.exe       13692    372 0x0000000058bbe000 2016-07-18 18:05:03 UTC+0000   2016-07-18 18:06:09 UTC+0000
> > > 0x000000000235b060 WmiPrvSE.exe       4540    636 0x00000000b4803000 2016-07-18 18:06:51 UTC+0000   2016-07-18 18:08:23 UTC+0000
> > >
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > > $ vol.py pslist
> > > Volatility Foundation Volatility Framework 2.5
> > > Offset(V)          Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                          Exit
> > > ------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
> > > 0xfffffa8024e15040                           0      0      0 -------- ------      0
> > >
> > > The absence of evidence is not the evidence of absence.
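An added illustration of the failure mode Michael describes (example code written for this thread, not Volatility's own implementation): a constructed memory image of fake process records chained in a circular list, with one page zeroed to mimic a page the acquisition tool never captured. A list walk (pslist-style) stops at a single PID-0 ghost entry, while a tag scan (psscan-style) still recovers the records on the pages that were captured. The 16-byte record layout, the "Proc" tag and the offsets are simplified stand-ins, not the real _EPROCESS or pool-header layout.

```python
import struct

PAGE = 0x1000          # page size; a page the imager skipped reads back as zeros
TAG = b"Proc"          # constructed stand-in for the real process pool tag
REC = struct.Struct("<4sIQ")   # constructed record: tag, pid, flink (16 bytes)
HEAD = 0x10            # constructed "PsActiveProcessHead" in page 0
# constructed records: (pid, offset); they live in pages 1, 2, 2 and 3
RECORDS = [(4, 0x1100), (372, 0x2100), (636, 0x2200), (13692, 0x3100)]

def build_image(records=RECORDS, head=HEAD, size=4 * PAGE):
    """Build a constructed memory image whose records form a circular list."""
    img = bytearray(size)
    offs = [off for _, off in records]
    struct.pack_into("<Q", img, head, offs[0] + 8)   # head.flink -> first link field
    for i, (pid, off) in enumerate(records):
        nxt = offs[i + 1] + 8 if i + 1 < len(offs) else head
        REC.pack_into(img, off, TAG, pid, nxt)
    return bytes(img)

def drop_page(img, page_no):
    """Simulate an acquisition tool that failed to capture one page."""
    b = bytearray(img)
    b[page_no * PAGE:(page_no + 1) * PAGE] = bytes(PAGE)
    return bytes(b)

def walk_list(img, head=HEAD):
    """pslist-style: follow the linked list from the head until it returns."""
    pids, link = [], struct.unpack_from("<Q", img, head)[0]
    while link != head and len(pids) < 1000:
        rec = link - 8                        # link field sits 8 bytes into the record
        if rec < 0 or rec + REC.size > len(img):
            break                             # pointer leads outside the image
        _tag, pid, nxt = REC.unpack_from(img, rec)
        pids.append(pid)                      # a zeroed page yields the PID-0 ghost entry
        if nxt == 0:
            break                             # flink read from a missing page is 0
        link = nxt
    return pids

def scan_tags(img):
    """psscan-style: brute-force the whole image for the tag, ignoring links."""
    pids, idx = [], img.find(TAG)
    while idx != -1 and idx + REC.size <= len(img):
        pids.append(REC.unpack_from(img, idx)[1])
        idx = img.find(TAG, idx + 1)
    return sorted(pids)

if __name__ == "__main__":
    full, smeared = build_image(), drop_page(build_image(), 1)
    print("intact  pslist:", walk_list(full), " psscan:", scan_tags(full))
    print("missing pslist:", walk_list(smeared), " psscan:", scan_tags(smeared))
```

Dropping more pages shrinks the psscan result in the same way, which is why only two psscan hits on a live server point to a capture that lost far more than a page or two.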
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
