Nicebear / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Unable to run imageinfo on 8gb memory dump #412

GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Used Dumpit to acquire memory image  
2.
3. Not sure if I'm doing anything wrong when examining this big of an image

What is the expected output? What do you see instead?
    I have taken 2 memory dumps (using Dumpit) of a Windows 2008 R2 SP1 x64 server. It will stop at the line DTB: 0xXXXXXXX and will not finish no matter how long I let it run (I left it running overnight). It will never give me the KDBG thru Image local time...

What version of the product are you using? On what operating system?
    I am using Volatility standalone 2.2. Windows 2008 R2 SP1 x64 server

Please provide any additional information below.
    I am able to use the same Volatility standalone 2.2 on a system that has 4gb of memory. I have also tried to run the netscan plugin and it runs for a few minutes then exits to the command prompt returning nothing but the row headers. I know the profile (Win2008SP1x64) so I have supplied this when running the plugins like pslist but this only returns 2 entries then exits to the command prompt.

Original issue reported on code.google.com by billshaf...@gtempaccount.com on 19 Apr 2013 at 1:26

GoogleCodeExporter commented 8 years ago
Hi, 

It seems like this is not the first time someone has reported something like 
this regarding win64dd/dumpit and large memory samples [1].  If you can, please 
try another memory acquisition tool [2] and see if you get the same error.  Let 
us know what happens.

[1] http://code.google.com/p/volatility/issues/detail?id=401

[2] http://www.forensicswiki.org/wiki/Tools:Memory_Imaging#Windows_Software

Original comment by jamie.l...@gmail.com on 19 Apr 2013 at 1:42

GoogleCodeExporter commented 8 years ago
Hi Bill,

Did you have a chance to reacquire a sample from that machine for comparison?  
In the similar issue I linked (issue 401) the person who reported the issue 
tried again successfully with Windows Memory Reader which can be found here: 
http://cybermarshal.com/index.php/cyber-marshal-utilities/windows-memory-reader

I suspect that your issue is the same as theirs, especially since you are using 
the same tool (win64dd and dumpit are from the same author and most likely 
contain the same code) and are acquiring the same OS (Win 7 x64 and Win 2008 R2 
x64 have the same kernel) both with memory larger than 4GB.  Please let us know 
if you have any update, otherwise I will just close this issue by the end of 
the week.  Thanks!

Original comment by jamie.l...@gmail.com on 23 Apr 2013 at 1:33

GoogleCodeExporter commented 8 years ago
Hello Jamie,

First let me say thank you for your responses.

Yes, I have been able to get an image greater than 8 gig to work by using 
Windows Memory Reader and FTK Imager. Thanks for the links.

On a side note:

From the testing I have been doing with these 2 images, the one made by WMR and 
the one from FTK, I have not been able to get the netscan command to show me 
anything other than the field headers. I am running the following command:

    volatility-2.2.standalone.exe --profile=Win2008R2SP1x64 -f memimage.dmp netscan

FYI - I have let this run on both images for 1 hour then I just killed the 
command. (I was waiting to see if 2.3 had better luck with the netscan command)

Am I doing anything wrong, could it still be the images, as I see the command 
should work for version 2.2?

Thanks again for your help,

Bill 

Original comment by billshaf...@gtempaccount.com on 23 Apr 2013 at 3:23

GoogleCodeExporter commented 8 years ago
Hi Bill, 

Does psscan work for the two images on which netscan failed? 

Also, could you send me the c:\windows\system32\drivers\tcpip.sys file from the 
machine's disk (if you don't have access to the disk, you can use volatility's 
moddump plugin to pull it from memory)?

If psscan works and netscan doesn't then there's no issue with the scanning 
infrastructure per se, just the signatures or structures we use for network 
info...and tcpip.sys is what I need to verify. 

I know some people have used Win2008R2SP1x64 with netscan before with success, 
so it also could be your memory image...but we'll see. 

Original comment by michael.hale@gmail.com on 23 Apr 2013 at 5:51

GoogleCodeExporter commented 8 years ago
Hello Michael,

Here is what I did for testing. I ran PSSCAN on both images and it returned 
nothing but the field headers (I am able to run PSTREE, PSLIST, DLLLIST, 
HANDLES, GETSIDS, ENVARS, DRIVERSCAN to name some of them). So, I decided to 
take another image using the two utilities to see if the images were bad since 
I was not able to run PSSCAN.

FTK reimage
    Running PSSCAN I was able to obtain information rather quickly
    Running NETSCAN I was able to obtain information rather quickly

Windows Memory Reader reimage (command: wmr.exe c:\image.dmp)
    Running PSSCAN I was able to start pulling information after about 10 minutes of running but was getting about 1 entry (row) every 3 to 4 minutes. Very slow
    Running NETSCAN I was able to start pulling information after about 14 minutes of running but was getting about 1 entry (row) every 5 to 10 minutes. Super slow
        This has been running for 25 minutes and I have only 2 IPv4 and IPv6 addresses showing

I am not sure why the other 2 images from this same server have issues but I 
guess I will just take 2 images using FTK Imager (since it appears to return 
faster results)

If you would still like the tcpip.sys I can upload it for you

Thanks for all the help!

If I can be of assistance for anything please let me know

Thanks,

Bill

Original comment by billshaf...@gtempaccount.com on 23 Apr 2013 at 7:42

GoogleCodeExporter commented 8 years ago
Closing this issue and will follow up via email to make sure nothing else is 
going wrong. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 5:41