Environment
- CBC Sensor: 3.5 and above
- CBC Console: All versions
- MS Windows: 8.1 and later versions
Symptoms
A dump file generated by the Live Response utility "memdump" cannot be processed by the Volatility or Rekall analyzers.
Cause
CBC Windows 3.5 sensors changed their MemDump implementation on Windows 8.1 and above to use a safer Microsoft API approach. The Microsoft API only collects userspace memory pages when the OS is booted in "Debug" mode, and even then it doesn't capture what is considered a "complete" dump file. Tools like DebugDiag and Volatility don't work with the "incompleteness" of the memdump file.
Resolution
Memdump will correctly include both user and kernel memory, and the resulting file can be viewed and analyzed with the WinDbg analyzer. There are also two workarounds for using the Volatility or Rekall analyzers:
- Push a third-party memory dump tool that gathers a full dump to the endpoint via Live Response and use that instead of our MemDump.
- Use WinDbg or another tool besides Volatility that can handle dumps that do not include NULL memory space.
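As an added triage check (not part of this article or the CBC product), the following Python reads a dump file's header to tell a kernel crash dump from a user-mode minidump and reports whether kernel pages should be present before the file is handed to Volatility or Rekall. The header layouts follow the public Windows DUMP_HEADER and MINIDUMP_HEADER structures; whether a particular memdump output file uses either format is an assumption to verify against the real file, and the sample headers are constructed inline.

```python
import struct

# Constants follow the public Windows DUMP_HEADER / MINIDUMP_HEADER layouts.
DUMP_TYPES = {1: "full", 2: "kernel", 3: "header-only", 4: "triage",
              5: "bitmap-full", 6: "bitmap-kernel", 7: "automatic"}
KERNEL_PAGE_TYPES = {1, 2, 5, 6}      # dump types that carry kernel memory pages
MINIDUMP_WITH_FULL_MEMORY = 0x0002    # MINIDUMP_TYPE flag: all readable user pages


def inspect_dump(data: bytes) -> dict:
    """Classify a dump by its header and say whether kernel pages are expected."""
    sig = bytes(data[:8])
    if sig[:4] == b"MDMP":
        # MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
        # CheckSum, TimeDateStamp, Flags (u64) -> Flags sits at offset 24
        if len(data) < 32:
            return {"format": "minidump", "error": "truncated header"}
        flags = struct.unpack_from("<Q", data, 24)[0]
        return {"format": "minidump", "kernel_pages": False,
                "full_user_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY)}
    if sig in (b"PAGEDU64", b"PAGEDUMP"):
        # DumpType offset differs between DUMP_HEADER64 and DUMP_HEADER32
        off = 0xF98 if sig == b"PAGEDU64" else 0xF88
        if len(data) < off + 4:
            return {"format": "crashdump", "error": "truncated header"}
        dump_type = struct.unpack_from("<I", data, off)[0]
        return {"format": "crashdump", "arch": 64 if sig == b"PAGEDU64" else 32,
                "dump_type": DUMP_TYPES.get(dump_type, f"unknown({dump_type})"),
                "kernel_pages": dump_type in KERNEL_PAGE_TYPES}
    return {"format": "unknown", "kernel_pages": None}


def make_crashdump_header(dump_type: int) -> bytes:
    """Constructed 64-bit DUMP_HEADER carrying only the fields this check reads."""
    buf = bytearray(0x1000)
    buf[0:8] = b"PAGEDU64"
    struct.pack_into("<I", buf, 0xF98, dump_type)
    return bytes(buf)


def make_minidump_header(flags: int) -> bytes:
    """Constructed MINIDUMP_HEADER (Signature through Flags) with the given flags."""
    return struct.pack("<4sIIIIIQ", b"MDMP", 0xA793, 0, 32, 0, 0, flags)


if __name__ == "__main__":
    for name, sample in [("full crashdump", make_crashdump_header(1)),
                         ("user-only minidump", make_minidump_header(0x2)),
                         ("raw bytes", b"\x00" * 64)]:
        print(name, "->", inspect_dump(sample))
```

A "minidump" or "unknown" result means the file lacks the kernel pages Volatility and Rekall expect, which is the situation described under Cause; only a crash dump reporting kernel pages is worth passing to those tools.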