What is the Operating System of this Dump file? (OS name)

When we have the memory image file we want to analyze, we first need to run the command seen below:

    $ volatility -f victim.raw imageinfo
    Volatility Foundation Volatility Framework 2.6
    INFO    : volatility.debug    : Determining profile based on KDBG search...

Once this command is run, Volatility will identify the system the memory image was taken from, including the operating system, version, and architecture. Volatility suggests a recommended profile, and when running any other plugin on this memory image we need to pass that profile with the --profile option. The suggested profile here is Win7SP1x64, and we can therefore say that the OS of this dump file is Windows.

We can identify the process ID (PID) of the SearchIndexer process by using the pslist plugin provided by Volatility. We use the profile Win7SP1x64 identified earlier and specify the pslist plugin, as seen in the command below:

    $ volatility -f victim.raw --profile=Win7SP1x64 pslist
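The two steps above (read the suggested profile from imageinfo, then look up a process in pslist) are easy to script once you treat Volatility's text output as a table. The following Python is an added example, not code from the original write-up; it assumes the column layout of Volatility 2.6's imageinfo and pslist plugins, and the imageinfo and pslist output embedded in it is constructed sample text (the offsets, PIDs and timestamps are made up), not output captured from victim.raw. It also goes slightly beyond the page by mapping any profile name prefix to an OS family rather than only the Win7SP1x64 case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `volatility -f victim.raw imageinfo` output (not a real capture).
IMAGEINFO_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/victim.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
"""

# Constructed sample of `volatility --profile=Win7SP1x64 pslist` output (values are made up).
PSLIST_SAMPLE = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9b040 System                    4      0     80      565 ------      0 2019-01-01 10:00:00 UTC+0000
0xfffffa8001a3e060 svchost.exe             500    420     11      310      0      0 2019-01-01 10:00:40 UTC+0000
0xfffffa8001b12b30 SearchIndexer.exe      2164    500     13      694      0      0 2019-01-01 10:01:12 UTC+0000
0xfffffa8001c55060 notepad.exe            3020   1800      1       60      1      0 2019-01-01 10:05:00 UTC+0000   2019-01-01 10:06:30 UTC+0000
"""


@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    threads: int
    handles: Optional[int]   # "------" in the output means unknown, stored as None
    session: Optional[int]   # same convention
    wow64: bool
    start: str
    exit: Optional[str]      # only present for processes that have terminated


TIMESTAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}"
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow64>\d+)\s+"
    rf"(?P<start>{TIMESTAMP})(?:\s+(?P<exit>{TIMESTAMP}))?\s*$"
)


def _int_or_none(field: str) -> Optional[int]:
    """Volatility prints a run of dashes where a value is unavailable."""
    return None if set(field) == {"-"} else int(field)


def suggested_profiles(imageinfo_output: str) -> List[str]:
    """Return the profile names from the 'Suggested Profile(s)' line, in Volatility's order."""
    for line in imageinfo_output.splitlines():
        m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)$", line)
        if m:
            return [p.strip() for p in m.group(1).split(",") if p.strip()]
    return []


def os_family(profile: str) -> str:
    """Map a Volatility 2 profile name prefix (Win*, Linux*, Mac*) to an OS family."""
    if profile.startswith("Win"):
        return "Windows"
    if profile.startswith("Linux"):
        return "Linux"
    if profile.startswith("Mac"):
        return "macOS"
    return "Unknown"


def parse_pslist(pslist_output: str) -> List[Process]:
    """Parse pslist rows; header and separator lines do not match the row pattern and are skipped."""
    procs = []
    for line in pslist_output.splitlines():
        m = PSLIST_ROW.match(line)
        if not m:
            continue
        procs.append(Process(
            offset=int(m["offset"], 16),
            name=m["name"],
            pid=int(m["pid"]),
            ppid=int(m["ppid"]),
            threads=int(m["thds"]),
            handles=_int_or_none(m["hnds"]),
            session=_int_or_none(m["sess"]),
            wow64=m["wow64"] == "1",
            start=m["start"],
            exit=m["exit"],
        ))
    return procs


def find_pids(procs: List[Process], image_name: str) -> List[int]:
    """PIDs of every process whose image name matches (case-insensitive, as Windows names are)."""
    wanted = image_name.lower()
    return [p.pid for p in procs if p.name.lower() == wanted]


if __name__ == "__main__":
    profile = suggested_profiles(IMAGEINFO_SAMPLE)[0]
    print(f"suggested profile: {profile} -> OS family: {os_family(profile)}")
    procs = parse_pslist(PSLIST_SAMPLE)
    print("SearchIndexer.exe PID(s):", find_pids(procs, "SearchIndexer.exe"))
```

Taking the first suggested profile is the same choice the write-up makes; when Volatility lists several candidates they are usually close relatives (here Win7 and Server 2008 R2 share a kernel), so the OS family answer is stable even if the exact service pack is not.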