Hi,

I've a problem with an image from a Microsoft Surface tablet.
I've verified that the OS is Windows 10 Pro 64Bit, and "imageinfo" confirms that:

          Suggested Profile(s) : Win10x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/srv/evidence/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x1ab000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2016-06-16 12:52:11 CEST+0200
     Image local date and time : 2016-06-16 12:52:11 +0200

However, all commands take hours to complete; imageinfo took about an hour, kdbgscan was closer to 10 hours (I let it run through the night).

$ ./vol.py --tz=CET --profile=Win10x64  -f /srv/evidence//memdump.mem kdbgscan
Volatility Foundation Volatility Framework 2.5
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
Offset (V)                    : 0xf8033cb38a60
Offset (P)                    : 0x268d38a60
KdCopyDataBlock (V)           : 0xf8033c9965d0
Block encoded                 : Yes
Wait never                    : 0x1d323b0baac9580
Wait always                   : 0xf0e3591e003a646a
KDBG owner tag check          : False
Profile suggestion (KDBGHeader): Win10x64
Service Pack (CmNtCSDVersion) : -
Build string (NtBuildLab)     : -
PsActiveProcessHead           : 0xb276fbddbd63c845 (0 processes)
PsLoadedModuleList            : 0xf249d7ddbd63c805 (0 modules)
KernelBase                    : 0xfe52e3ddbd63c885 (Matches MZ: False)
Major (OptionalHeader)        : -
Minor (OptionalHeader)        : -

**************************************************
Instantiating KDBG using: Unnamed AS Win10x64 (6.4.9841 64bit)
Offset (V)                    : 0xf8033cb38a60
Offset (P)                    : 0x268d38a60
KdCopyDataBlock (V)           : 0xf8033ca31a14
Block encoded                 : Yes
Wait never                    : 0xf0e3591e003a646a
Wait always                   : 0x1d323b0baac9580
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win10x64
Version64                     : 0xf8033cb38dc0 (Major: 15, Minor: 10586)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 10586.306.amd64fre.th2_release_s
PsActiveProcessHead           : 0xfffff8033cb4d160 (91 processes)
PsLoadedModuleList            : 0xfffff8033cb52cd0 (202 modules)
KernelBase                    : 0xfffff8033c874000 (Matches MZ: True)
Major (OptionalHeader)        : 10
Minor (OptionalHeader)        : 0
KPCR                          : 0xfffff8033cb91000 (CPU 0)
KPCR                          : 0xffffd001cc54a000 (CPU 1)
KPCR                          : 0xffffd001cc5c9000 (CPU 2)
KPCR                          : 0xffffd001cc648000 (CPU 3)

I think the latter part is the right one, but when I run pslist with the value for KdCopyDataBlock, I get something like this; using other options/values simply gives empty output.

$ ./vol.py --tz=CET --profile=Win10x64 -f /srv/evidence/memdump.mem 
  --kdbg=0xf8033ca31a14 psscan
Volatility Foundation Volatility Framework 2.5
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000c001edeb7bce                  42...2 23...8 0x6b76ffffffd80000 5914-08-12 10:20:02 CET+0100
0x0000c001eed47b6e o                42...2 57...7 0x2b30fffffff00000 9767-04-28 16:32:54 CET+0100
0x0000e00087491680                       4      0 0x00000000001ab000 2016-06-06 18:03:31 CEST+0200
0x0000e0008765d7c0 0??               3600   3524 0x000000017ccc3000 2016-06-06 18:03:44 CEST+0200
0x0000e000876657c0 ??e?               3608   3600 0x000000017ccf8000 2016-06-06 18:03:44 CEST+0200
0x0000e00087f73080                    7200   4812 0x00000001cbc8e000 2016-06-07 23:07:21 CEST+0200
0x0000e000897597c0 ??s?                372      4 0x0000000250219000 2016-06-06 18:03:31 CEST+0200
0x0000e0008a27f7c0                    6012   5208 0x0000000200ad7000 2016-06-06 18:13:22 CEST+0200
0x0000e0008a2c45c0  ?;?               6088    700 0x00000001f4eeb000 2016-06-06 18:10:22 CEST+0200
0x0000e0008a3067c0                    4260   6572 0x00000001edf60000 2016-06-06 23:16:37 CEST+0200
0x0000e0008cbc67c0 P???               2564    700 0x0000000173299000 2016-06-06 18:03:41 CEST+0200
0x0000e0008cf997c0 ??|?               2780    700 0x000000013a0e0000 2016-06-06 18:03:41 CEST+0200

I can't say whether the addresses and PIDs (the first two look bad) are correct, but the process name field surely does not look good. Any ideas?

Best regards,
                Klaus Möller, DFN-CERT

-- 
Dipl. Inform. Klaus Moeller (Consulting Analysis Training Team)
Phone: +49 40 808077-555, Fax: +49 40 808077-556

DFN-CERT Services GmbH, https://www.dfn-cert.de/, Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
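A small triage helper, added here as an example and not part of the original post or of Volatility itself: it parses kdbgscan output like the two candidates above, keeps only the block whose owner tag check, KernelBase MZ header and process count are consistent, and reports the KdCopyDataBlock address to pass as --kdbg together with the build number from Version64, so it can be compared against the build the profile was generated for (the scan header shows 6.4.9841 for Win10x64 while the image reports 10586). The sample text is a trimmed copy of the post's output.

```python
import re

# Constructed sample: the two kdbgscan candidates from the post, trimmed to the fields used.
KDBGSCAN_OUTPUT = """\
**************************************************
KdCopyDataBlock (V)           : 0xf8033c9965d0
KDBG owner tag check          : False
PsActiveProcessHead           : 0xb276fbddbd63c845 (0 processes)
KernelBase                    : 0xfe52e3ddbd63c885 (Matches MZ: False)
**************************************************
KdCopyDataBlock (V)           : 0xf8033ca31a14
KDBG owner tag check          : True
Version64                     : 0xf8033cb38dc0 (Major: 15, Minor: 10586)
Build string (NtBuildLab)     : 10586.306.amd64fre.th2_release_s
PsActiveProcessHead           : 0xfffff8033cb4d160 (91 processes)
KernelBase                    : 0xfffff8033c874000 (Matches MZ: True)
"""

FIELD = re.compile(r"^(.+?)\s*:\s*(.*)$")  # "Name   : value" lines

def parse_candidates(text):
    """Split kdbgscan output on the '****' separator lines into dicts of field -> value."""
    candidates = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "KdCopyDataBlock (V)" in fields:
            candidates.append(fields)
    return candidates

def _process_count(value):
    m = re.search(r"\((\d+) processes\)", value)
    return int(m.group(1)) if m else 0

def sanity_check(c):
    """A usable candidate has a valid owner tag, a real MZ header at KernelBase and a non-empty process list."""
    return (c.get("KDBG owner tag check") == "True"
            and "Matches MZ: True" in c.get("KernelBase", "")
            and _process_count(c.get("PsActiveProcessHead", "")) > 0)

def best_kdbg(text):
    """Return (KdCopyDataBlock address for --kdbg, minor build from Version64) or None."""
    for c in parse_candidates(text):
        if sanity_check(c):
            build = re.search(r"Minor: (\d+)", c.get("Version64", ""))
            return c["KdCopyDataBlock (V)"], int(build.group(1)) if build else None
    return None
```

The minor build returned (10586 here) is what to hold against the build number the chosen profile targets; a mismatch explains garbled process names like those in the psscan listing.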
