CBC: Unable to analyze a memdump-generated dump file with Volatility or Rekall analyzers
CBC Sensor: 3.5 and above
CBC Console: All versions
MS Windows: 8.1 and later versions
A dump file generated by the Live Response utility "memdump" cannot be processed by the Volatility or Rekall analyzers.
CBC Windows 3.5 sensors changed the MemDump implementation on Windows 8.1 and above to use a safer Microsoft API approach. The Microsoft API only collects userspace memory pages when the OS is booted in "Debug" mode, and even then it does not capture what is considered a "complete" dump file. Tools like DebugDiag and Volatility do not work with the "incompleteness" of the memdump file.
Memdump will correctly include both user and kernel memory, and the resulting dump can be viewed and analyzed with the WinDbg analyzer. There are also two workarounds for using the Volatility or Rekall analyzers:
Push a third-party memory dump tool that gathers a full dump to the endpoint via Live Response, and use that instead of our MemDump.
Use WinDbg or another tool besides Volatility that can handle dumps that do not include NULL memory space.
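Before spending time on a Volatility or Rekall profile, it is worth checking what kind of dump file you actually have. The following is an added triage script for this article, not Carbon Black's own code: it reads the first page of a dump and reports whether it is a kernel crash dump (and which DumpType), a user-mode minidump, or an unrecognised/raw image, and whether it is a plausible Volatility/Rekall input (only a full kernel crash dump qualifies here). The header layouts are taken from the public Windows debugging structures (DUMP_HEADER/DUMP_HEADER64 and MINIDUMP_HEADER); the offsets and DumpType codes are assumptions from those structures, and the sample headers are constructed in the script rather than captured from a sensor. The script does not claim which format the sensor's memdump writes, since this article does not say; it only tells you what you are holding.

```python
"""Triage the container format of a Windows memory dump before analysis.

Added example for this article (not Carbon Black code). Offsets follow the
public DUMP_HEADER / DUMP_HEADER64 and MINIDUMP_HEADER layouts; sample
headers are constructed here for offline testing, not taken from real dumps.
"""
import struct

# DumpType values carried in the kernel crash dump header (DUMP_TYPE_*).
CRASH_DUMP_TYPES = {
    1: "full",
    2: "kernel",
    3: "header",
    4: "triage",
    5: "bitmap full",
    6: "bitmap kernel",
    7: "automatic",
}

# Signature ("PAGE" + "DUMP" / "DU64") -> offset of the DumpType field.
_DUMP_TYPE_OFFSET = {b"PAGEDUMP": 0xF88, b"PAGEDU64": 0xF98}

# MINIDUMP_HEADER.Flags: 64-bit field at 0x18; 0x2 is MiniDumpWithFullMemory.
_MINIDUMP_FLAGS_OFFSET = 0x18
MINIDUMP_WITH_FULL_MEMORY = 0x2


def classify_dump(header: bytes) -> dict:
    """Classify a dump from its leading bytes.

    volatility_candidate is True only for a full kernel crash dump, False for
    kernel/triage/header dumps and for any user-mode minidump (one process's
    virtual address space, not physical RAM), and None when no signature is
    recognised (a raw image needs a profile, not a header check).
    """
    sig = header[:8]
    if sig in _DUMP_TYPE_OFFSET:
        off = _DUMP_TYPE_OFFSET[sig]
        if len(header) < off + 4:
            return {"format": "kernel crash dump", "kind": "truncated header",
                    "volatility_candidate": False}
        dump_type = struct.unpack_from("<I", header, off)[0]
        kind = CRASH_DUMP_TYPES.get(dump_type, "unknown type %d" % dump_type)
        return {"format": "kernel crash dump", "kind": kind,
                "volatility_candidate": dump_type == 1}
    if header[:4] == b"MDMP":
        if len(header) < _MINIDUMP_FLAGS_OFFSET + 8:
            return {"format": "user-mode minidump", "kind": "truncated header",
                    "volatility_candidate": False}
        flags = struct.unpack_from("<Q", header, _MINIDUMP_FLAGS_OFFSET)[0]
        kind = "full memory" if flags & MINIDUMP_WITH_FULL_MEMORY else "partial memory"
        # Even a full-memory minidump is a WinDbg/DebugDiag target, not a
        # physical memory image, so it is never a Volatility candidate.
        return {"format": "user-mode minidump", "kind": kind,
                "volatility_candidate": False}
    return {"format": "unknown/raw", "kind": "no recognised signature",
            "volatility_candidate": None}


def classify_dump_file(path: str) -> dict:
    """Read only the largest header we understand (DUMP_HEADER64 is 0x2000 bytes)."""
    with open(path, "rb") as fh:
        return classify_dump(fh.read(0x2000))


# Constructed sample headers (hypothetical, for offline testing only).
def make_crash_header(is64: bool, dump_type: int) -> bytes:
    sig = b"PAGEDU64" if is64 else b"PAGEDUMP"
    buf = bytearray(0x2000 if is64 else 0x1000)
    buf[:8] = sig
    struct.pack_into("<I", buf, _DUMP_TYPE_OFFSET[sig], dump_type)
    return bytes(buf)


def make_minidump_header(flags: int) -> bytes:
    buf = bytearray(0x40)
    buf[:4] = b"MDMP"
    struct.pack_into("<I", buf, 0x4, 42899)  # MINIDUMP_VERSION low word
    struct.pack_into("<Q", buf, _MINIDUMP_FLAGS_OFFSET, flags)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, classify_dump_file(path))
```

Run it as "python triage_dump.py C:\path\to\memdump.dmp" on the file retrieved from the endpoint. A result other than a full kernel crash dump is the cue to go straight to WinDbg (or to push a third-party full-dump tool over Live Response) rather than to try Volatility or Rekall profiles against it.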