Yes, sorry - pslist and psxview show normal results (although the psscan column in psxview is all False of course). The system is Win 7 x64 and the memory was dumped from Carbon Black's endpoint response agent (not by me).
On Tue, May 31, 2016 at 4:29 PM, Bridgey theGeek <[email protected]> wrote:
> Hi Erika,
>
> Which version of Windows are you analysing?
>
> You say 'psscan' returns no results, how about pslist and psxview?
> I would agree that psscan finding nothing is odd.
>
> And how was the image acquired?
>
> Let us know!
> Adam
>
>
> On 31 May 2016 at 21:38, Erika Noerenberg <[email protected]> wrote:
>
>> Hello all,
>>
>> I am analyzing a memory dump and looking at execution in a period of known bad activity, and have been able to gather quite a bit of information using volatility. For some reason though, shimcache and psscan return no results, although all the other plugins I've run (and volshell) have worked fine. I find it hard to believe that psscan for one can find no _EPROCESS structures, so I'm not sure what's happening. Also, in the results from the timeliner, I have several entries with blank shimcache entries like "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate with shimcache entries on disk, so I know something is just not being picked up.
>>
>> Any ideas on why shimcache/psscan would produce no results? I'm not sure about the best way to track down the reason.
>>
>> Thanks!
>> Erika
>>
>> _______________________________________________
>> Vol-users mailing list
>> [email protected]
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
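Added illustration of the mechanism behind the question (example code written for this page, not from the thread or from the Volatility project): Volatility's psscan does not walk the kernel's process list; it scans physical memory for _POOL_HEADER structures whose PoolTag is "Pro\xe3", the tag of _EPROCESS allocations, and then applies sanity checks to each candidate. The snippet below implements that idea for the Windows 7 x64 pool-header layout (16-byte header, tag at offset 4, 16-byte block granularity) over a constructed sample image, plus a zero-page ratio check. The minimum-size threshold, the sample image and the function names are assumptions for illustration. The practical point for a dump where psscan finds nothing is to separate the two cases: the tag is present but every candidate fails the checks (profile or threshold mismatch), or the tag is simply absent, which points at an image that is sparse or does not contain raw physical pages.

```python
"""Minimal pool-tag scanner modelled on how psscan finds _EPROCESS candidates.

Added example, not Volatility code.  Header layout is the Windows 7 x64
_POOL_HEADER; MIN_EPROCESS_BLOCKS is an assumed lower bound for illustration.
"""
import struct

POOL_HEADER_SIZE = 16        # x64 _POOL_HEADER is 16 bytes
POOL_GRANULARITY = 16        # x64 BlockSize/PreviousSize are counted in 16-byte units
EPROCESS_POOL_TAG = b"Pro\xe3"
MIN_EPROCESS_BLOCKS = 0x40   # assumed: require at least 1 KiB for an _EPROCESS allocation


def parse_pool_header(data, offset):
    """Decode a _POOL_HEADER at `offset`: returns (block_size_bytes, pool_type, tag)."""
    # Byte layout: PreviousSize, PoolIndex, BlockSize, PoolType, then 4-byte PoolTag.
    _prev, _idx, block_size, pool_type = struct.unpack_from("<BBBB", data, offset)
    tag = data[offset + 4:offset + 8]
    return block_size * POOL_GRANULARITY, pool_type, tag


def scan_pool_tag(data, tag=EPROCESS_POOL_TAG, min_blocks=MIN_EPROCESS_BLOCKS):
    """Return candidate allocations carrying `tag`, the way a pool scanner would.

    A hit is reported when the tag sits at offset 4 of a 16-byte-aligned header
    and the header's BlockSize is at least `min_blocks` units.  Real scanners add
    further checks (pool type, object-specific field sanity); this is the core.
    """
    hits = []
    pos = data.find(tag)
    while pos != -1:
        hdr = pos - 4
        if hdr >= 0 and hdr % POOL_GRANULARITY == 0:
            size_bytes, pool_type, _ = parse_pool_header(data, hdr)
            if size_bytes >= min_blocks * POOL_GRANULARITY:
                hits.append({
                    "header_offset": hdr,
                    "object_offset": hdr + POOL_HEADER_SIZE,
                    "size": size_bytes,
                    "pool_type": pool_type,
                })
        pos = data.find(tag, pos + 1)
    return hits


def zero_page_fraction(data, page_size=0x1000):
    """Fraction of page-sized chunks that are entirely zero (1.0 for an empty image).

    A raw physical dump of a live system is never mostly zero; a value near 1.0
    suggests a sparse or non-raw image rather than a scanner problem.
    """
    pages = max(1, len(data) // page_size)
    empty = sum(1 for i in range(pages)
                if not any(data[i * page_size:(i + 1) * page_size]))
    return empty / pages


def build_sample_image():
    """Constructed 16 KiB sample with two plausible _EPROCESS pool blocks and two decoys."""
    img = bytearray(0x4000)

    def put_header(off, block_size, pool_type, tag):
        struct.pack_into("<BBBB", img, off, 0, 0, block_size, pool_type)
        img[off + 4:off + 8] = tag

    put_header(0x100, 0x4d, 2, EPROCESS_POOL_TAG)    # 0x4d0-byte block: accepted
    put_header(0x1000, 0x4d, 2, EPROCESS_POOL_TAG)   # accepted
    put_header(0x2000, 0x02, 2, EPROCESS_POOL_TAG)   # 32-byte block: rejected as too small
    img[0x3003:0x3007] = EPROCESS_POOL_TAG           # tag at a misaligned offset: rejected
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("zero-page fraction:", zero_page_fraction(image))
    for hit in scan_pool_tag(image):
        print("candidate _EPROCESS at 0x%x (pool block 0x%x, %d bytes)"
              % (hit["object_offset"], hit["header_offset"], hit["size"]))
```

Running `scan_pool_tag` over a real raw image with the threshold relaxed to zero shows whether the tag exists at all; if even that returns nothing, the image content rather than the profile is the first thing to question.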
