
CBC: Unable to analyze a memdump-generated dump file with Volatility or Rekall analyzers

Environment

  • CBC Sensor: 3.5 and above
  • CBC Console: All versions
  • MS Windows: 8.1 and later versions

Symptoms

A dump file generated by the Live Response utility "memdump" cannot be processed by the Volatility or Rekall analyzers.

Cause

CBC Windows 3.5 sensors changed their MemDump implementation on Windows 8.1 and above to use a safer Microsoft API approach. The Microsoft API only collects userspace memory pages when the OS is booted in "Debug" mode, and even then it doesn't capture what is considered a "complete" dump file. Tools like DebugDiag and Volatility don't work with the "incompleteness" of the memdump file.

Resolution

Memdump correctly includes both user and kernel memory, and the resulting file can be viewed and analyzed with the WinDbg analyzer. There are also two workarounds for using the Volatility or Rekall analyzers:
  1.  Push a third-party memory dump tool that gathers a full dump to the endpoint via Live Response and use that instead of our MemDump.
  2.  Use WinDbg or another tool besides Volatility that can handle dumps that do not include NULL memory space.
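A pre-flight check a responder can run on a collected dump before spending time on Volatility or Rekall, as an added example that is not from this article or from Carbon Black: it parses the 64-bit Windows crash-dump header (assuming the memdump output uses that format, which is why WinDbg can open it) and flags a dump that is not marked as a full dump or whose physical-memory run table does not match the file size. `build_header64` only constructs a synthetic header for demonstration; it is not a real dump.

```python
import os
import struct
import sys

PAGE = 0x1000
HEADER64_SIZE = 0x2000  # size of the 64-bit DUMP_HEADER that precedes the memory runs
DUMP_TYPES = {1: "full", 2: "kernel", 5: "bitmap-full", 6: "bitmap-kernel"}


def inspect_dump64(data: bytes, file_size: int) -> dict:
    """Parse a 64-bit crash-dump header and judge whether the file is a complete
    physical-memory image (what Volatility/Rekall expect). Returns a report dict."""
    if len(data) < HEADER64_SIZE or data[:8] != b"PAGEDU64":
        return {"format": "not a 64-bit crash dump", "complete": False,
                "problems": ["missing PAGEDU64 signature (raw or foreign format)"]}
    # _PHYSICAL_MEMORY_DESCRIPTOR64 at 0x88: NumberOfRuns, 4-byte pad, NumberOfPages, Run[]
    runs, pages = struct.unpack_from("<I4xQ", data, 0x88)
    run_pages = sum(struct.unpack_from("<QQ", data, 0x98 + 16 * i)[1]
                    for i in range(min(runs, 43)))  # descriptor buffer holds at most 43 runs
    dump_type = struct.unpack_from("<I", data, 0xF98)[0]  # DumpType field
    expected = HEADER64_SIZE + pages * PAGE
    problems = []
    if dump_type not in (1, 5):
        problems.append(f"DumpType={DUMP_TYPES.get(dump_type, dump_type)} (not a full dump)")
    if run_pages != pages:
        problems.append("run table does not account for NumberOfPages")
    if file_size < expected:
        problems.append(f"file is {expected - file_size} bytes short of the run table")
    return {"format": "PAGEDU64", "dump_type": DUMP_TYPES.get(dump_type, str(dump_type)),
            "runs": runs, "pages": pages, "expected_size": expected,
            "complete": not problems, "problems": problems}


def build_header64(dump_type: int, page_counts) -> bytes:
    """Constructed sample header (demonstration fixture only, not a real dump)."""
    hdr = bytearray(HEADER64_SIZE)
    hdr[:8] = b"PAGEDU64"
    struct.pack_into("<I4xQ", hdr, 0x88, len(page_counts), sum(page_counts))
    base = 0
    for i, n in enumerate(page_counts):
        struct.pack_into("<QQ", hdr, 0x98 + 16 * i, base, n)
        base += n + 0x10  # leave a gap between runs, as real physical memory maps do
    struct.pack_into("<I", hdr, 0xF98, dump_type)
    return bytes(hdr)


if __name__ == "__main__":
    path = sys.argv[1]  # usage: python dumpcheck.py <memdump output file>
    with open(path, "rb") as f:
        print(inspect_dump64(f.read(HEADER64_SIZE), os.path.getsize(path)))
```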

Article Information
Creation Date: 01-20-2021