Digital forensics chronicles: image identification issues on a large memory dump with Volatility
Spoiler: shame on DumpIT!
Some days ago, I was busy with a forensic analysis on a Windows server.
The machine was a Windows Server 2008 R2, used as a web server, with 24 GB of RAM.
But during memory analysis with Volatility, I hit a problem.
The image identification process took too long, and the profile it found did not work.
A more specific analysis using kdbgscan returned a strange output:
the process list is almost empty, and there are only 50 kernel modules in the module list.
```
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf9ed41a54110
Offset (P)                    : 0x1a54110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64                     : 0xf9ed41a540e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23677.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80001a8b420 (2 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (50 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80001a55d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf9ed41a54110
Offset (P)                    : 0x1a54110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
Version64                     : 0xf9ed41a540e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23677.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80001a8b420 (2 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (50 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80001a55d00 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf9ed41a54110
Offset (P)                    : 0x1a54110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64                     : 0xf9ed41a540e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23677.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80001a8b420 (2 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (50 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80001a55d00 (CPU 0)
```
The lack of kdbgscan information suggests that the memory sample is corrupted. The KDBG itself was found (owner tag check True, physical offset 0x1a54110), so that page was captured; what is broken is everything Volatility reaches through virtual addresses: the reported KDBG virtual offset 0xf9ed41a54110 is implausible for a structure that lives inside ntoskrnl (KernelBase 0xfffff80001867000), walking PsActiveProcessHead and PsLoadedModuleList stops after 2 processes and 50 modules, which no production web server runs, and a KPCR is found only for CPU 0.
The memory sample had indeed been captured with the free version of DumpIT, which, in my experience, has many issues with 64-bit systems starting with Windows 7 and almost always fails if the machine has 8 GB or more of RAM.
The same acquisition, performed using FTK Imager, returns this kdbgscan information:
```
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80001a54110
Offset (P)                    : 0x1a54110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64                     : 0xf80001a540e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23677.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80001a8b420 (123 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (147 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80001a55d00 (CPU 0)
KPCR                          : 0xfffff880009bf000 (CPU 1)
KPCR                          : 0xfffff8800205d000 (CPU 2)
KPCR                          : 0xfffff880020ce000 (CPU 3)
KPCR                          : 0xfffff8800213f000 (CPU 4)
KPCR                          : 0xfffff880021b0000 (CPU 5)
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80001a54110
Offset (P)                    : 0x1a54110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
Version64                     : 0xf80001a540e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23677.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80001a8b420 (123 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (147 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff80001a55d00 (CPU 0)
KPCR                          : 0xfffff880009bf000 (CPU 1)
KPCR                          : 0xfffff8800205d000 (CPU 2)
KPCR                          : 0xfffff880020ce000 (CPU 3)
KPCR                          : 0xfffff8800213f000 (CPU 4)
KPCR                          : 0xfffff880021b0000 (CPU 5)
```
Much better, right?
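The comparison above is easy to automate. The following checker is an added example written for this post, not part of Volatility or of the original article: it parses the text that Volatility 2's kdbgscan prints, and flags a KDBG hit whose process or module counts are implausibly low, whose KDBG virtual offset does not sit inside ntoskrnl (within a few MB of KernelBase), or that shows fewer KPCRs than the machine has CPUs. The thresholds (20 processes, 80 modules, 16 MB) and the CPU count of 6 are assumptions; the two embedded samples are copied from the kdbgscan outputs above, trimmed to the fields the checker reads.

```python
"""Sanity-check Volatility 2 kdbgscan output to catch a corrupt acquisition early."""
import re
from dataclasses import dataclass

# Thresholds are assumptions for a booted Windows server, not Volatility constants.
MIN_PROCESSES = 20
MIN_MODULES = 80
MAX_KDBG_DISTANCE = 16 * 1024 * 1024  # KDBG is a global inside ntoskrnl, a few MB past KernelBase

_HEX = r"(0x[0-9a-fA-F]+)"


@dataclass
class KdbgHit:
    profile: str
    offset_v: int
    kernel_base: int
    processes: int
    modules: int
    cpus: list
    mz_matches: bool


def _lo48(addr: int) -> int:
    """Drop sign extension so 0xfffff800... and kdbgscan's short 0xf800... form compare equal."""
    return addr & 0xFFFFFFFFFFFF


def parse_kdbgscan(text: str) -> list:
    """Turn every 'Instantiating KDBG' block of a kdbgscan run into a KdbgHit."""
    hits = []
    for chunk in re.split(r"\*{10,}", text):  # blocks are separated by a row of asterisks
        if "Instantiating KDBG" not in chunk:
            continue

        def grab(pattern: str) -> str:
            m = re.search(pattern, chunk)
            if m is None:
                raise ValueError("kdbgscan field missing: %s" % pattern)
            return m.group(1)

        hits.append(KdbgHit(
            profile=grab(r"Profile suggestion \(KDBGHeader\)\s*:\s*(\S+)"),
            offset_v=int(grab(r"Offset \(V\)\s*:\s*" + _HEX), 16),
            kernel_base=int(grab(r"KernelBase\s*:\s*" + _HEX), 16),
            processes=int(grab(r"PsActiveProcessHead\s*:\s*0x[0-9a-fA-F]+\s*\((\d+) processes\)")),
            modules=int(grab(r"PsLoadedModuleList\s*:\s*0x[0-9a-fA-F]+\s*\((\d+) modules\)")),
            cpus=[int(c) for c in re.findall(r"KPCR\s*:\s*0x[0-9a-fA-F]+\s*\(CPU (\d+)\)", chunk)],
            mz_matches=grab(r"Matches MZ: (True|False)") == "True",
        ))
    return hits


def check_hit(hit: KdbgHit, expected_cpus=None) -> list:
    """Reasons this hit looks like a bad acquisition; an empty list means it looks sane."""
    problems = []
    if hit.processes < MIN_PROCESSES:
        problems.append("only %d processes on PsActiveProcessHead" % hit.processes)
    if hit.modules < MIN_MODULES:
        problems.append("only %d modules on PsLoadedModuleList" % hit.modules)
    if not hit.mz_matches:
        problems.append("KernelBase does not point at an MZ header")
    distance = _lo48(hit.offset_v) - _lo48(hit.kernel_base)
    if not 0 <= distance <= MAX_KDBG_DISTANCE:
        problems.append("KDBG virtual offset %#x is not inside ntoskrnl (KernelBase %#x)"
                        % (hit.offset_v, hit.kernel_base))
    if expected_cpus is not None and len(hit.cpus) < expected_cpus:
        problems.append("only %d KPCR(s) found, expected %d" % (len(hit.cpus), expected_cpus))
    return problems


def assess_dump(text: str, expected_cpus=None) -> dict:
    """Map each suggested profile to the list of problems found for that KDBG hit."""
    return {hit.profile: check_hit(hit, expected_cpus) for hit in parse_kdbgscan(text)}


# Samples copied from the kdbgscan outputs in the post, trimmed to the fields read above.
DUMPIT_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win2008R2SP0x64 (6.1.7600 64bit)
Offset (V)                    : 0xf9ed41a54110
Profile suggestion (KDBGHeader): Win2008R2SP1x64
PsActiveProcessHead           : 0xfffff80001a8b420 (2 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (50 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
KPCR                          : 0xfffff80001a55d00 (CPU 0)
"""

FTK_KDBGSCAN = """\
Instantiating KDBG using: Kernel AS Win2008R2SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80001a54110
Profile suggestion (KDBGHeader): Win2008R2SP1x64
PsActiveProcessHead           : 0xfffff80001a8b420 (123 processes)
PsLoadedModuleList            : 0xfffff80001aa9730 (147 modules)
KernelBase                    : 0xfffff80001867000 (Matches MZ: True)
KPCR                          : 0xfffff80001a55d00 (CPU 0)
KPCR                          : 0xfffff880009bf000 (CPU 1)
KPCR                          : 0xfffff8800205d000 (CPU 2)
KPCR                          : 0xfffff880020ce000 (CPU 3)
KPCR                          : 0xfffff8800213f000 (CPU 4)
KPCR                          : 0xfffff880021b0000 (CPU 5)
"""

if __name__ == "__main__":
    for name, sample in (("DumpIT", DUMPIT_KDBGSCAN), ("FTK Imager", FTK_KDBGSCAN)):
        for profile, problems in assess_dump(sample, expected_cpus=6).items():
            print("%s / %s: %s" % (name, profile, "; ".join(problems) or "looks sane"))
```

Run it against `vol.py -f image.raw kdbgscan > kdbgscan.txt` output right after acquisition; the DumpIT sample is flagged on all four counts, the FTK Imager sample on none. The KDBG-to-KernelBase distance check is the useful one when counts alone are ambiguous: the KDBG is a global in ntoskrnl, so a virtual offset that is not a small positive distance past KernelBase means the virtual-to-physical translation Volatility is using is wrong.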
Bottom line
When you need to acquire a memory dump from a machine with more than 8 GB of RAM, use FTK Imager or WinPmem, not DumpIT! Whatever tool you use, run kdbgscan (or at least pslist) on the image before you leave the site: a process list with a handful of entries, a single KPCR on a multi-core box, or a KDBG virtual offset nowhere near KernelBase means you need to acquire again while you still can.
References and further readings
- Volatility, my own cheatsheet (Part 1): Image Identification
- AccessData FTK Imager Lite download
- Comae Toolkit (contains DumpIT)