search

pi-2r / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Volatility fails to analyse Windows memory dumps > 4GB #401

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Hi,

I always have problems when I want to analyze Windows 7 x64 memory dumps larger 
than 4GB.  All commands like psscan, psxview, etc does not work.  I take the 
dumps using win64dd and analyze them under Linux x64.  Using the following 
image:

Volatile Systems Volatility Framework 2.3_alpha
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/opt/test.dump)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002ff20a0
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002ff3d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2013-03-22 13:13:45 UTC+0000
     Image local date and time : 2013-03-22 14:13:45 +0100

I see the following output:

>>>> pslist <<<<<<
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  
Wow64 Start                Exit                
------------------ -------------------- ------ ------ ------ -------- ------ 
------ -------------------- --------------------
0x0000fa8006940990 System                    4      0    154 -------- ------    
  0 2013-03-22 07:31:31                      
0x0000fa8007dd5b30                      99...9      0 10...8 -------- ------    
  1                                          
------------------------------------------------------

>>>>> psscan <<<<<<
Offset(P)          Name                PID   PPID PDB                Time 
created         Time exited         
------------------ ---------------- ------ ------ ------------------ 
-------------------- --------------------
0x0000000106140990 System                4      0 0x0000000000187000 2013-03-22 
07:31:31                      
0x0000000206140990 System                4      0 0x0000000000187000 2013-03-22 
07:31:31                      
------------------------------------------------------

>>>>> psxview <<<<<<
Offset(P)          Name                    PID pslist psscan thrdproc pspcid 
csrss session deskthrd
------------------ -------------------- ------ ------ ------ -------- ------ 
----- ------- --------
0x0000000106140990 System                    4 True   True   False    False  
False False   False   
0x000000022cdd5b30                      99...9 True   False  False    False  
False False   False   
0x0000000206140990 System                    4 False  True   False    False  
False False   False   

The only visible processes are System processes. No other processes, network 
sockets, ... is visible.

The system used for analysis is Debian Linux x64 squeeze:

$ uname -a
Linux its-store01 2.6.32-5-amd64 #1 SMP Mon Oct 3 03:59:20 UTC 2011 x86_64 
GNU/Linux

$ file test.dump 
test.dump: data

$ ls -l test.dump 
-rwxr-xr-x 1 rreuter rreuter 9361686528 Mar 22 15:01 test.dump

Using the same installation of volatility with images <= 4GB works as expected. 
The used version of volatility is the latest SVN as of today.

Original issue reported on code.google.com by m.schmid...@gmail.com on 3 Apr 2013 at 2:10

GoogleCodeExporter commented 9 years ago 
Hello, 

I can say with confidence that there's no specific issue with volatility 
analyzing images > 4GB. All our devs and users for quite some time now have 
been able to do it, even some with 80+ GB sizes. 

So I would first recommend trying to switch acquisition tools. Some just don't 
handle large amounts of RAM well. There are a lot of other free options besides 
win64dd out there. Take a look at this page which identifies many of them:

http://www.forensicswiki.org/wiki/Tools:Memory_Imaging#Windows_Software

Give some of the other tools a shot and let us know how it goes.

Original comment by michael.hale@gmail.com on 3 Apr 2013 at 4:32

GoogleCodeExporter commented 9 years ago 
Hi Michael,

thanks for the hint.  Once I used Windows Memory Reader I've able to analyze 
dumps > 4GB. So there's definitely no bug in volatile!  Please close the issue 
and sorry for the noise.

Original comment by m.schmid...@gmail.com on 4 Apr 2013 at 5:40

GoogleCodeExporter commented 9 years ago 
Perfect, thanks for the update.

Original comment by michael.hale@gmail.com on 4 Apr 2013 at 6:14