Using kdbgscan to identify correct OS Profile

steveareno
(@it-dude)
Posts: 16
Eminent Member
Topic starter
 

When I run "volatility -f MyImageName.mem kdbgscan", the results include multiple OS Profile suggestions. Each Profile lists "Instantiating KDBG using:". I do not see anything identifying the correct Profile to include in the commands that require a specific Profile name. Thank you.

SteveAreno

 
Posted : 20/10/2021 4:18 am
(@aquachimere)
Posts: 32
Eminent Member
 
Posted by: @steveareno

When I run "volatility -f MyImageName.mem kdbgscan", the results include multiple OS Profile suggestions. Each Profile lists "Instantiating KDBG using:". I do not see anything identifying the correct Profile to include in the commands that require a specific Profile name. Thank you.

SteveAreno

Hi,

Normally you have to choose the first profile given by the command imageinfo or kdbgscan.

 

 
Posted : 20/10/2021 6:38 am
(@cmueller-tp)
Posts: 3
New Member
 

Hi,

You can also try Volatility 3, which in my experience is way more precise than Vol2 when it comes to determining the correct profile (windows.info plugin, Major/Minor line; the second number is the RTM build version).

As an alternative you can do the same with Trufflepig Nexus (demo version for up to 5 GiB images), just analyze the image and take a look at "System Information".

 

Cheers
Chris

 

 
Posted : 20/10/2021 8:11 am
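As an added example (not from any post in this thread and not part of the Volatility project), the helper below splits Volatility 2 kdbgscan output into its candidate blocks and ranks them the way the first reply suggests doing by eye: a candidate with a valid KDBG owner tag and non-zero process and module counts outranks one that only matched the header, and the build number from the Version64 line is extracted so it can be compared with the build Chris mentions. The sample output is constructed, and its field labels approximate Vol2's layout rather than reproducing a real run.

```python
import re

# Constructed sample approximating Volatility 2 "kdbgscan" output. Field
# labels are recalled from Vol2 and may differ slightly from a real run; the
# second block is the weaker candidate (no processes or modules reachable).
SAMPLE = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64                     : 0xf80002c0c068 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0xf80002c42b90 (37 processes)
PsLoadedModuleList            : 0xf80002c2ae90 (142 modules)
**************************************************
Instantiating KDBG using: Kernel AS Win7SP0x64 (6.1.7600 64bit)
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64                     : 0xf80002c0c068 (Major: 15, Minor: 7601)
PsActiveProcessHead           : 0xf80002c42b90 (0 processes)
PsLoadedModuleList            : 0xf80002c2ae90 (0 modules)
"""

def parse_kdbgscan(text):
    """Return one dict per KDBG candidate block found in kdbgscan output."""
    candidates = []
    for chunk in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        m = re.search(r"Instantiating KDBG using: Kernel AS (\S+)", chunk)
        if not m:
            continue
        def count(label):  # "(37 processes)" -> 37; missing line -> 0
            hit = re.search(label + r".*\((\d+) ", chunk)
            return int(hit.group(1)) if hit else 0
        build = re.search(r"Minor: (\d+)", chunk)  # Version64 Minor = build
        candidates.append({
            "profile": m.group(1),
            "tag_ok": bool(re.search(r"owner tag check\s*:\s*True", chunk)),
            "processes": count("PsActiveProcessHead"),
            "modules": count("PsLoadedModuleList"),
            "build": int(build.group(1)) if build else None,
        })
    return candidates

def rank_profiles(text):
    """Best candidate first: valid owner tag, then non-empty process and
    module lists, then the raw process count as a tie-breaker."""
    def score(c):
        return (c["tag_ok"], c["processes"] > 0, c["modules"] > 0, c["processes"])
    return sorted(parse_kdbgscan(text), key=score, reverse=True)
```

The top-ranked profile is the one to pass as --profile; a candidate whose build number disagrees with its profile name is worth a second look before trusting it.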
steveareno
(@it-dude)
Posts: 16
Eminent Member
Topic starter
 

@aquachimere

That sounds logical; I will compare the first two values using different .mem files. Thank you.

 
Posted : 20/10/2021 5:08 pm
steveareno
(@it-dude)
Posts: 16
Eminent Member
Topic starter
 

@cmueller-tp 

On my Ubuntu 20.04 PC, I used "apt-get install volatility." I downloaded Volatility 3 and will try to install it when I am at that PC. Thank you.

 

 
Posted : 20/10/2021 5:11 pm