All Win10 Memory Images do not work - Redline/Volatility

17 Posts
8 Users
0 Likes
9,770 Views
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

Hi guys/gals,
Quick question: Did something change in Windows 10 that makes the dump/analysis tools not work like they used to? Volatility cannot identify any of the images through imageinfo, and Redline says processes, process list, hooks, handles, DLLs, etc. were not collected… nothing useful in Redline.

Rundown
We've been using winpmem2.0.post4 to dump raw memory images for the last year or so with no issue (Win7 and below). I psexec to the remote machine, drop winpmem, dump RAM locally on that remote machine, then copy the dump from the remote machine to my machine…

In the past I could run a vol modules imageinfo, pslist, psscan, etc - with expected results. No problems.

About a month ago I noticed Windows 10 images will not parse correctly in Redline or Volatility - they never have. Meaning, Redline will interpret the image, but the data presented are like 3 areas (timeline and other useless info). In another tab it says items not collected were processes, process list, user IDs, like a list of 30 properties NOT COLLECTED - basically all of the good stuff from a memory dump.

Volatility will hang on an imageinfo command. Every time.

I updated Volatility to 2.6 and grabbed the latest Redline version - still no dice…

So I started to think maybe it's my dumping tool, for whatever reason. I've tried EnCase, winpmem, Magnet RAM Capture, and they all fail to a degree - meaning the image doesn't produce the expected data.

These are 8-16 GB dumps, and I've tried .raw, .elf, and .aff4 (Rekall, I know), and I get the same results…

Any ideas?

 
Posted : 01/06/2017 5:18 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Have you updated the relevant computers to the Creators Update? If so, you'll probably have to download another profile for it from the Volatility website.

You have to be very specific when choosing a correct profile. See
https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

I can't speak for Redline, but it's probably because the data structures have changed.

 
Posted : 01/06/2017 5:49 pm
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

"Relevant computers to Creators Update?" I have no idea what we're talking about. Sounds like a specific version of Volatility - something like a dev version? I'm not sure, so I'll go through and re-install the SIFT workstation and then update my Volatility from here:
http://www.volatilityfoundation.org/26

I know about selecting the correct profile - that's not the problem.

I'll come back and post with any progress updates I have after the new install.
Thanks.

P.S. - Do you know how to check if I'm running the Creators version? Otherwise I'll just move forward with a fresh install.

Also - even if I was running the Creators version, this should NOT impact EnCase's ability to dump RAM.

 
Posted : 01/06/2017 6:26 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

I meant the Creators Update of Windows 10, not a Creators Update of Volatility.

You say you know that you are using the correct profile for Windows 10, but there are different profiles for each version of Windows 10: the original (Win10x64), a later update (Win10x64_10586), Anniversary Update (Win10x64_14393) and lastly Creators Update (Win10x64_15063). The Win10x64_15063 profile isn't available as part of the Volatility 2.6 release, but it may be available if you git clone the current Volatility GitHub repository.

Each profile won't work with the other versions correctly. That's what I was trying to point out to you. Your RAM imaging tools are probably correctly imaging the RAM, but you may not be using the correct profile to examine the image. If you don't know which version of Windows 10 you are examining, you need to try each one in turn until it works, as per the link I previously posted.

 
Posted : 01/06/2017 10:45 pm
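The "try each profile in turn" procedure from the post above, written out as a script. This is an added example, not code posted by anyone in this thread. It assumes vol.py (Volatility 2.6 or a git checkout) is on PATH, uses the profile names from the 2.6-Win-Profiles wiki page linked earlier, and treats the error strings quoted in this thread ("No suitable address space mapping found", "No base address space") plus Volatility's "Invalid profile" message as failures. Mapping the original release to build 10240 is an assumption added here; the thread only calls it "the original". The `runner` parameter exists so the loop can be exercised without a real image.

```python
"""Walk the Volatility 2.x Windows 10 profiles in turn, stopping at the first
one that makes pslist return a process table.

Added example for this thread, not the poster's or the Volatility project's
own code. Assumes vol.py is on PATH; profile names follow the 2.6-Win-Profiles
wiki page; build 10240 == "Win10x64" is an assumption.
"""
import re
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

# Windows 10 build -> x64 profile name, oldest to newest.
WIN10_PROFILES = [
    ("10240", "Win10x64"),          # original release (build number assumed)
    ("10586", "Win10x64_10586"),    # November update
    ("14393", "Win10x64_14393"),    # Anniversary Update
    ("15063", "Win10x64_15063"),    # Creators Update: git tree only, not in 2.6
]

# Error text quoted in this thread, plus Volatility's generic profile error.
FAILURE_MARKERS = (
    "no suitable address space mapping found",
    "no base address space",
    "invalid profile",
)

Runner = Callable[[List[str]], Tuple[int, str]]


def parse_build(systeminfo_text: str) -> Optional[str]:
    """Pull the five-digit build out of systeminfo output such as
    'OS Version: 10.0.14393 N/A Build 14393'. Returns None for non-Win10."""
    match = re.search(r"\b10\.0\.(\d{5})\b", systeminfo_text)
    return match.group(1) if match else None


def candidate_profiles(build: Optional[str], arch: str = "x64") -> List[str]:
    """Order profiles so the one matching the reported build is tried first,
    then the rest oldest to newest. arch is 'x64' or 'x86'."""
    names = [name.replace("x64", arch) for _, name in WIN10_PROFILES]
    for b, name in WIN10_PROFILES:
        if b == build:
            preferred = name.replace("x64", arch)
            names.remove(preferred)
            names.insert(0, preferred)
    return names


def run_vol(args: List[str]) -> Tuple[int, str]:
    """Run vol.py and return (exit code, combined stdout+stderr); Volatility 2
    prints its address-space errors on stderr, so both streams are merged."""
    proc = subprocess.run(["vol.py"] + args, stdout=subprocess.PIPE,
                          stderr=subprocess.STDOUT, universal_newlines=True)
    return proc.returncode, proc.stdout


def pslist_succeeded(rc: int, output: str) -> bool:
    """pslist worked if vol.py exited cleanly, printed no known failure text,
    and produced at least one data row beyond the banner/header/rule lines."""
    low = output.lower()
    if rc != 0 or any(marker in low for marker in FAILURE_MARKERS):
        return False
    rows = [line for line in output.splitlines()
            if line.strip() and not line.startswith(("Volatility", "Offset", "---"))]
    return len(rows) > 0


def find_working_profile(image: str, build: Optional[str], arch: str = "x64",
                         runner: Runner = run_vol) -> Optional[str]:
    """Return the first profile whose pslist yields rows, or None."""
    for profile in candidate_profiles(build, arch):
        rc, out = runner(["-f", image, "--profile=" + profile, "pslist"])
        if pslist_succeeded(rc, out):
            return profile
    return None


if __name__ == "__main__":
    # usage: python try_profiles.py mem.raw [build] [x64|x86]
    image_path = sys.argv[1]
    build_arg = sys.argv[2] if len(sys.argv) > 2 else None
    arch_arg = sys.argv[3] if len(sys.argv) > 3 else "x64"
    print(find_working_profile(image_path, build_arg, arch_arg))
```

If every profile fails with the same address-space error, the check above has done its job: the image, not the profile choice, is the next thing to examine.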
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

First of all, I really appreciate the help. Thank you.

I understand profiles all too well, and I've actually tried them all… to no avail.

Just to be clear,
I'll psexec into the machine and run systeminfo, which gives me the build number… 10.0.14393. So I'll use --profile=Win10x64_14393 … comes back with "No base address space, no suitable address space mapping found" when I try pslist.
I've tried both x64 and x86 variations, and every Windows 10 profile listed here -> https://github.com/volatilityfoundation/volatility/wiki/2.6-Win-Profiles

Most say invalid profile, but 1 or 2 say no suitable address space mapping found.

Some conflicts with what you're trying to tell me:
If it's a Volatility profile issue, why doesn't imageinfo spit me out any result? It just hangs or says cannot find kdbg… Even kdbgscan fails - or hangs, rather.

Why is Mandiant Redline unable to get any usable data from the memory image as well?

Why is our EnCase forensics suite of tools unable to pull memory images from these Windows 10 devices?

I don't think it's a matter of correct profile selection, but if anything's obvious, it's that I don't know.

Thanks.

 
Posted : 02/06/2017 12:00 am
Hwallbanger
(@hwallbanger)
Posts: 32
Eminent Member
 

I have some follow-up questions to relay regarding your experience that may not have been asked.

1. Have they tried any other tools to dump memory?

2. Are they using a 32-bit version of the dumping tool on a 64-bit system?

3. Is there any data in the memory dump or is it all 0s? (i.e. if they do a strings analysis on it, does anything pop out?)

4. Are they dumping memory locally or across the network?

There is also a good Volatility IRC channel on freenode. If you and anyone else can get into it, the Volatility developers are usually there to answer questions and give advice.

These questions come from a friend who has been a Malware Analyst for a Fortune 500 firm and is currently the Lead Red/Blue Team member for a Fortune 1000 firm. He has been doing memory forensics for more than twelve (12) years. Upon reading your thread, these are the questions that struck him as needing to be asked.

Hope this helps you in your efforts.

Sincerely,
Hwallbanger

 
Posted : 02/06/2017 1:29 am
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

Very nice. I will definitely jump in the Volatility IRC channel.

1. Have they tried any other tools to dump memory?
Yes. WinDD, Magnet RAM Capture, and I think FTK Imager (can't remember its results specifically). Same results.

2. Are they using a 32-bit version of the dumping tool on a 64-bit system?
They're all 64-bit systems. I specify 64-bit where applicable, but winpmem doesn't care.

3. Is there any data in the memory dump or is it all 0s? (i.e. if they do a strings analysis on it, does anything pop out?) Yes, plenty of strings/data.

4. Are they dumping memory locally or across the network?
I dump the memory locally and then file transfer it across the network. I've also tried walking the memory dump file over on a USB, same results.

 
Posted : 02/06/2017 2:29 am
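Question 3 above (is the dump populated, or mostly zeros?) is the one check that separates a bad acquisition from a parsing problem, and on an 8-16 GB image it should be answered by sampling rather than by running strings over the whole file. The script below is an added example, not code posted by anyone in this thread: it reads evenly spaced windows across a raw image, counts all-zero pages, and pulls ASCII and UTF-16LE string runs from the sampled bytes. The 4096-byte page size, the sampling defaults and the demo bytes are constructed assumptions for this example.

```python
"""Sample a raw memory image to see whether it is actually populated.

Added example for this thread, not the poster's or any tool's own code.
Assumes a 4096-byte page; sampling parameters and demo data are constructed.
"""
import os
import re
from typing import Dict, List

PAGE = 4096
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # 4+ printable UTF-16LE chars


def triage_bytes(data: bytes) -> Dict[str, object]:
    """Count all-zero pages and printable-string runs in one chunk of a dump.
    A trailing partial page is ignored."""
    pages = len(data) // PAGE
    zero_pages = sum(1 for i in range(pages)
                     if not any(data[i * PAGE:(i + 1) * PAGE]))
    ascii_strings: List[str] = [m.group().decode("ascii")
                                for m in ASCII_RUN.finditer(data)]
    utf16_strings: List[str] = [m.group().decode("utf-16-le")
                                for m in UTF16_RUN.finditer(data)]
    return {
        "pages": pages,
        "zero_pages": zero_pages,
        "zero_ratio": (zero_pages / pages) if pages else 1.0,
        "ascii_strings": ascii_strings,
        "utf16_strings": utf16_strings,
    }


def triage_file(path: str, samples: int = 64, window: int = 1 << 20) -> Dict[str, object]:
    """Read `samples` page-aligned windows spread evenly over the file and
    merge their statistics, so a 16 GB dump costs ~64 MB of reads."""
    size = os.path.getsize(path)
    window = min(window, size)
    span = max(size - window, 0)
    totals = {"pages": 0, "zero_pages": 0, "ascii_strings": [], "utf16_strings": []}
    with open(path, "rb") as fh:
        for i in range(samples):
            offset = (span * i // max(samples - 1, 1)) // PAGE * PAGE
            fh.seek(offset)
            part = triage_bytes(fh.read(window))
            totals["pages"] += part["pages"]
            totals["zero_pages"] += part["zero_pages"]
            totals["ascii_strings"].extend(part["ascii_strings"])
            totals["utf16_strings"].extend(part["utf16_strings"])
    totals["zero_ratio"] = (totals["zero_pages"] / totals["pages"]) if totals["pages"] else 1.0
    return totals


def verdict(result: Dict[str, object]) -> str:
    """Turn the counts into the decision this thread is circling around."""
    if result["zero_ratio"] > 0.9:
        return "mostly zero pages: suspect the acquisition, not the profile"
    if not result["ascii_strings"] and not result["utf16_strings"]:
        return "no printable strings: suspect the acquisition or the file format"
    return "populated image: suspect profile selection or parser support"


def demo_image() -> bytes:
    """Constructed sample: three zero pages plus one page carrying a couple of
    module names (ASCII) and one UTF-16LE string, as a real dump would."""
    populated = (b"ntoskrnl.exe\x00MSVCRT.dll\x00\x00"
                 + "System".encode("utf-16-le") + b"\x00\x00").ljust(PAGE, b"\x00")
    return bytes(PAGE * 3) + populated


if __name__ == "__main__":
    import sys
    res = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_bytes(demo_image())
    print("pages sampled: %d, zero pages: %d (%.1f%%)"
          % (res["pages"], res["zero_pages"], 100 * res["zero_ratio"]))
    print("sample strings:", sorted(set(res["ascii_strings"]))[:10])
    print(verdict(res))
```

The poster's own answer ("plenty of strings/data") corresponds to the third verdict branch; a healthy live-system image usually still contains many zero pages, which is why the threshold is deliberately high rather than demanding zero-free data.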
joakims
(@joakims)
Posts: 224
Estimable Member
 

Might be slightly OT, but out of curiosity I was wondering whether a decoded hiberfil.sys from that system also was similarly troublesome to analyze?

 
Posted : 02/06/2017 2:47 am
(@firstnamebob)
Posts: 7
Active Member
Topic starter
 

Great idea, but yet another issue we have… we thought about trying this, but we can't get the hiberfil.sys since it's locked open in use, and we don't use the Volume Shadow Service (VSS)…

Most tools able to pull this while the system is up and running utilize VSS, so they don't work in our environment.

FTK, HoboCopy, Robocopy, none of them worked when we tried.

I might try to pursue this a little harder when I have time, but I'd have to find a tool that doesn't use VSS, or take the system offline, boot Linux from USB and grab it that way… I don't really want to, but at this point I'm not sure how many other options we have. This isn't feasible moving forward but should at least help identify where the problem exists.

Thanks.

 
Posted : 02/06/2017 3:12 am
joakims
(@joakims)
Posts: 224
Estimable Member
 

RawCopy works rather well for that kind of stuff: https://github.com/jschicht/RawCopy

 
Posted : 02/06/2017 3:28 am