All Win10 Memory Images do not work - Redline/Volatility

17 Posts
8 Users
0 Likes
9,892 Views
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

Very nice.

Worked like a charm. The copy is larger than the original, but I suppose that's expected, and not a concern unless it was smaller.

Anywho. I'll get it converted over and go from there. I'll post any progress or update I have in the meantime.

Thanks.

 
Posted : 02/06/2017 4:52 am
(@chrism)
Posts: 97
Trusted Member
 

Have you tried using the latest version of Winpmem?

Have you tried analysing the memory dump using Rekall?
rekal -f windows-10-image.aff4 imageinfo

 
Posted : 07/06/2017 4:08 pm
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

So, what I've realized is that the way I was using winpmem is the problem.

Yes, to answer your question, I'm using winpmem 2.1.post4.

Anywho, I've always used winpmem and specified the output filename and file format extension. For example, when I ran the command in the past I would do:

'winpmem.exe --format raw -o /temp/memdump.raw'

That would produce the file memdump.raw, which would parse in Volatility just fine...

This worked fine for Windows 7 / Server 2012, etc. But starting with Windows 10 images, Volatility is no longer able to find the KDBG, identify the imageinfo, etc. when I dump with winpmem in that CLI format...

The fix: run the command without specifying an output file or extension type - 'winpmem.exe --format raw -o /temp/'

That dumps the output straight into the /temp/ directory, where we will find a number of .sys files, some other files, and an unknown file type titled 'PhysicalDump' that is 9GB (this is the raw dump).

A couple of questions:
1) Why isn't the PhysicalDump in any recognizable format (.raw, .aff4, etc.)?

2) Why do I have to dump to a directory and then manually pull the PhysicalDump file for parsing? Why can't Volatility find this file in the dump directory or .aff4 container automatically, as it seemingly did before?

 
Posted : 09/06/2017 7:45 pm
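The two questions above come down to what the output file actually is. An AFF4 volume written to a single file is a ZIP archive, so a "memdump.raw" produced by winpmem 2.x is a container holding the physical-memory stream (plus metadata and the embedded driver files), not a flat image that Volatility can read directly; writing to a directory instead lays those same members out as separate files, which is why the dump had to be pulled out by hand. The script below is an added example, not code from the thread's participants or from the winpmem/Rekall projects: it checks whether a purported raw image is really a ZIP container, lists what is inside, and streams the memory member out to a flat file. The member name "PhysicalMemory", the fallback to the largest member, and the sample container it builds are assumptions for the demonstration, not a description of the real volume layout.

```python
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local-file-header signature at offset 0 of any ZIP archive


def is_zip_container(path):
    """True if the file starts like a ZIP archive (which is what an AFF4 zip
    volume is) rather than a flat physical-memory image."""
    with open(path, "rb") as f:
        return f.read(4) == ZIP_MAGIC


def list_members(path):
    """Return (name, is_compressed, size) for every member of the container."""
    with zipfile.ZipFile(path) as z:
        return [(i.filename, i.compress_type != zipfile.ZIP_STORED, i.file_size)
                for i in z.infolist()]


def pick_memory_member(infos):
    """Heuristic (assumption, not the AFF4 spec): skip metadata and embedded
    driver files, prefer a member named like 'PhysicalMemory', otherwise take
    the largest remaining member."""
    skip = (".turtle", ".description", ".sys")
    candidates = [i for i in infos if not i.filename.endswith(skip)]
    if not candidates:
        raise ValueError("no candidate memory member in container")
    for i in candidates:
        if "PhysicalMemory" in i.filename:
            return i
    return max(candidates, key=lambda i: i.file_size)


def extract_raw(container_path, out_path, chunk=16 * 1024 * 1024):
    """Stream the memory member out of the container into a flat file.
    Chunked reads keep RAM usage flat for multi-GB images; zipfile copes
    with zip64 members, which a 9 GB stream necessarily is."""
    with zipfile.ZipFile(container_path) as z:
        info = pick_memory_member(z.infolist())
        written = 0
        with z.open(info) as src, open(out_path, "wb") as dst:
            while True:
                buf = src.read(chunk)
                if not buf:
                    break
                dst.write(buf)
                written += len(buf)
    return info.filename, written


def build_sample_container(path, mem_bytes):
    """Constructed stand-in for a winpmem zip volume (not a real image): one
    metadata file, one embedded driver stub, and a stored memory segment."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("information.turtle",
                   "@prefix aff4: <http://aff4.org/Schema#> .\n",
                   compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("winpmem_x64.sys", b"MZ" + b"\x00" * 62,
                   compress_type=zipfile.ZIP_DEFLATED)
        z.writestr("PhysicalMemory", mem_bytes, compress_type=zipfile.ZIP_STORED)
    return path


def demo():
    """Build a fake 'memdump.raw' container, detect it, extract the stream,
    and confirm the result is a flat copy of the constructed memory bytes."""
    tmp = tempfile.mkdtemp()
    fake_mem = bytes(range(256)) * 4096  # 1 MiB of constructed "memory"
    container = build_sample_container(os.path.join(tmp, "memdump.raw"), fake_mem)
    flat = os.path.join(tmp, "memdump.extracted.raw")
    name, written = extract_raw(container, flat)
    with open(flat, "rb") as f:
        same = f.read() == fake_mem
    return is_zip_container(container), name, written, same, is_zip_container(flat)


if __name__ == "__main__":
    print(demo())
```

Run the magic-byte check first on any image that Volatility rejects: if the "raw" file begins with `PK`, no profile or KDBG search will succeed until the stream has been extracted. On a real volume, run `list_members()` and verify the chosen member yourself rather than trusting the name heuristic.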
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yes, to answer your question, I'm using winpmem 2.1.post4.

Relevant
https://github.com/google/rekall/issues/137

jaclaz

 
Posted : 09/06/2017 11:11 pm
(@jsmacedo)
Posts: 5
Active Member
 

Hello guys,
I had the same problem.
My solution was to read the Windows 10 memory dump using a Kali Linux distribution. It worked like a charm, without any kind of fork.
I spent a whole day running it in Windows and receiving errors, but using it in Linux everything was fine and I could read my dumps!

Regards!

 
Posted : 27/07/2017 4:49 am
(@gorvq7222)
Posts: 229
Reputable Member
 

As far as I know, Responder Pro 3.1.3 can now analyze memory dumps acquired from Windows 10. You can take a look at the screenshots at the link below:
http://www.cnblogs.com/pieces0310/p/7719286.html

You can also request a 30-day trial from CounterTack at the link below:
https://shop.countertack.com/trial/?hsCtaTracking=01ff0f39-5c07-41d0-822e-022838330935%7Ca8ad1293-187d-46e1-a1a2-6ec020139e8a

 
Posted : 23/10/2017 7:18 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You can also request a 30-day trial from CounterTack at the link below:

Or, maybe better, use a link with the tracking/referral part removed:
https://shop.countertack.com/trial/

jaclaz

 
Posted : 23/10/2017 7:10 pm