Using kdbgscan to identify correct OS Profile

it.dude
(@steveareno)
New Member

When I run "volatility -f MyImageName.mem kdbgscan", the results include multiple OS Profile suggestions. Each Profile lists "Instantiating KDBG using:". I do not see anything identifying the correct Profile to include in the commands that require a specific Profile name. Thank you.

SteveAreno

Topic starter Posted : 20/10/2021 5:18 am
Aquachimere
(@aquachimere)
Junior Member
Posted by: @steveareno

When I run "volatility -f MyImageName.mem kdbgscan", the results include multiple OS Profile suggestions. Each Profile lists "Instantiating KDBG using:". I do not see anything identifying the correct Profile to include in the commands that require a specific Profile name. Thank you.

SteveAreno

Hi,

Normally you have to choose the first profile given by the command imageinfo or kdbgscan.

 

Posted : 20/10/2021 7:38 am
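Taking the first suggestion works most of the time, but kdbgscan also prints per-candidate sanity fields (KDBG owner tag check, and how many processes and modules it could walk from PsActiveProcessHead and PsLoadedModuleList); a candidate that walks zero processes is the wrong profile even if it is listed first. The script below is an added example, not code from the thread or from Volatility: it parses that output and ranks the candidates by those checks. The kdbgscan text embedded in it is constructed in Volatility 2's output format, not taken from the poster's image.

```python
import re

# Constructed sample of Volatility 2 kdbgscan output with two candidate
# profiles for the same image (not from the original post).
SAMPLE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002c3f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0xfffff80002c75b90 (37 processes)
PsLoadedModuleList            : 0xfffff80002c5ce90 (116 modules)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf80002c3f0a0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead           : 0xfffff80002c75b90 (0 processes)
PsLoadedModuleList            : 0xfffff80002c5ce90 (0 modules)
"""


def parse_kdbgscan(text):
    """Split kdbgscan output on its '****' separators, one dict per candidate."""
    candidates = []
    for block in re.split(r"\*{10,}", text):
        prof = re.search(r"Profile suggestion \(KDBGHeader\):\s*(\S+)", block)
        if not prof:
            continue  # separator residue or a block without a suggestion
        procs = re.search(r"PsActiveProcessHead.*\((\d+) processes\)", block)
        mods = re.search(r"PsLoadedModuleList.*\((\d+) modules\)", block)
        candidates.append({
            "profile": prof.group(1),
            "owner_tag_ok": bool(re.search(r"owner tag check\s*:\s*True", block)),
            "processes": int(procs.group(1)) if procs else 0,
            "modules": int(mods.group(1)) if mods else 0,
        })
    return candidates


def rank_profiles(candidates):
    """Best first: valid owner tag, then most processes and modules walked."""
    return sorted(candidates, reverse=True,
                  key=lambda c: (c["owner_tag_ok"], c["processes"], c["modules"]))


def best_profile(text):
    """Return the profile name to pass as --profile=, or None if nothing parsed."""
    ranked = rank_profiles(parse_kdbgscan(text))
    return ranked[0]["profile"] if ranked else None


if __name__ == "__main__":
    for cand in rank_profiles(parse_kdbgscan(SAMPLE_KDBGSCAN)):
        print(cand)
    print("Use --profile=" + best_profile(SAMPLE_KDBGSCAN))
```

Pipe real output in with `volatility -f image.mem kdbgscan | python3 rank_kdbg.py` after replacing SAMPLE_KDBGSCAN with `sys.stdin.read()`.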
cmueller-tp
(@cmueller-tp)
New Member

Hi,

You can also try Volatility 3, which in my experience is way more precise than Vol2 when it comes to determining the correct profile (windows.info plugin, Major/Minor line; the second number is the RTM build version).

As an alternative you can do the same with Trufflepig Nexus (demo version for up to 5 GiB images), just analyze the image and take a look at "System Information".

 

Cheers
Chris

 

Posted : 20/10/2021 9:11 am
it.dude
(@steveareno)
New Member

@aquachimere

That sounds logical; I will compare the first two values using different .mem files. Thank you.

Topic starter Posted : 20/10/2021 6:08 pm
it.dude
(@steveareno)
New Member

@cmueller-tp 

On my Ubuntu 20.04 PC, I used "apt-get install volatility." I downloaded Volatility 3 and will try to install it when I am at that PC. Thank you.

 

Topic starter Posted : 20/10/2021 6:11 pm