This post walks through two Volatility command-line plugins, kdbgscan and kpcrscan, with an example run of each against a Windows 7 memory image.
Before going ahead, I assume that you have installed Volatility on your Linux system (in my case Ubuntu; installation is explained in my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and that you have a RAM dump of the OS you want to analyse. In my case I have taken the RAM dump of a Windows 7 OS as explained at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html
A basic introduction to these two commands:
kdbgscan
This command scans for potential KDBG (kernel debugger block) structures and is meant to positively identify the correct profile for the image and the correct KDBG virtual address (there may be more than one hit). Whereas imageinfo only suggests profiles, kdbgscan scans for the KDBG header signatures linked to each Volatility profile and applies sanity checks to every candidate, such as whether the owner tag is valid and whether the process and module lists it points to can actually be walked. Supplying --profile is not required, but if you already know the profile (for example from imageinfo) giving it lets the scanner perform more of its checks. The KDBG address it reports can be passed to later plugins with --kdbg so they do not have to scan for it again.
Usage:
python vol.py --profile=Win7SP0x86 -f filename.raw kdbgscan
Screenshot of the above command's output:
kpcrscan
This command scans for potential KPCR (Kernel Processor Control Region) structures. A KPCR is a data structure the kernel uses to store processor-specific data; kpcrscan finds candidates by checking for the KPCR's self-referencing members and dumps each one it finds, with the processor number, IDT and GDT addresses, current and idle threads and CR3 value. On a multi-core system each processor has its own KPCR, so ideally one should see at least as many KPCR addresses as there are processors on the machine from which the memory dump was acquired; fewer than that is a sign that the image is incomplete or the scan is picking up the wrong structures.
Usage:
python vol.py --profile=Win7SP0x86 -f win_image.raw kpcrscan
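Both plugins can return more than one hit, and the screenshots only show what the output looks like, not how to decide which hit to trust. The script below is an added example, not code from this post or from Volatility itself: it parses kdbgscan output, keeps only the KDBG whose owner tag and kernel MZ header check out and whose process and module lists actually walk, builds the follow-up pslist command with --profile and --kdbg pinned, and then cross-checks the KPCRs that KDBG references against what kpcrscan found independently. The two sample outputs are constructed in the line format Volatility 2.x prints (one KDBG seen under two profiles, one of them wrong; a two-CPU kpcrscan), and the field labels the regular expressions key on are an assumption to verify against your own Volatility version's output. The image name win_image.raw is the one used in this post.

```python
"""Interpret kdbgscan and kpcrscan output before trusting it.

Added example; not code from the original post or from Volatility.
The sample outputs are constructed in the line format Volatility 2.x prints;
the field labels the regexes key on are an assumption to check against your
own Volatility version's output.
"""
import re

# Constructed kdbgscan output: the same KDBG found twice, once decoded with
# the wrong profile (lists walk to 0 entries) and once with the right one.
KDBGSCAN_OUTPUT = """\
**************************************************
Offset (V)                    : 0x8276bc28
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x86
PsActiveProcessHead           : 0x82781f18 (0 processes)
PsLoadedModuleList            : 0x82776c70 (0 modules)
KernelBase                    : 0x82631000 (Matches MZ: True)
**************************************************
Offset (V)                    : 0x8276bc28
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x86
PsActiveProcessHead           : 0x82781f18 (41 processes)
PsLoadedModuleList            : 0x82776c70 (133 modules)
KernelBase                    : 0x82631000 (Matches MZ: True)
KPCR                          : 0x8276cc00 (CPU 0)
KPCR                          : 0x807c0000 (CPU 1)
"""

# Constructed kpcrscan output for the same two-CPU image.
KPCRSCAN_OUTPUT = """\
**************************************************
Offset (V)                    : 0x8276cc00
Details                       : CPU 0 (GenuineIntel @ 2793 MHz)
**************************************************
Offset (V)                    : 0x807c0000
Details                       : CPU 1 (GenuineIntel @ 2793 MHz)
"""

HEX = r"(0x[0-9a-fA-F]+)"

def _blocks(text):
    """Split plugin output on the '****' separator lines it prints."""
    return [b for b in re.split(r"^\*{10,}\s*$", text, flags=re.M) if "Offset (V)" in b]

def _field(block, label, pattern):
    """First regex group of a 'label : pattern' line in block, or None."""
    m = re.search(r"^" + re.escape(label) + r"\s*:\s*" + pattern, block, flags=re.M)
    return m.group(1) if m else None

def parse_kdbgscan(text):
    """One dict per KDBG hit with the fields that decide whether to trust it."""
    hits = []
    for b in _blocks(text):
        hits.append({
            "profile": _field(b, "Profile suggestion (KDBGHeader)", r"(\S+)"),
            "kdbg": int(_field(b, "Offset (V)", HEX), 16),
            "tag_ok": _field(b, "KDBG owner tag check", r"(True|False)") == "True",
            "processes": int(_field(b, "PsActiveProcessHead", r"0x[0-9a-fA-F]+ \((\d+) processes\)") or 0),
            "modules": int(_field(b, "PsLoadedModuleList", r"0x[0-9a-fA-F]+ \((\d+) modules\)") or 0),
            "mz_ok": _field(b, "KernelBase", r"0x[0-9a-fA-F]+ \(Matches MZ: (True|False)\)") == "True",
            "kpcrs": [int(a, 16) for a in re.findall(r"^KPCR\s*:\s*" + HEX, b, flags=re.M)],
        })
    return hits

def pick_kdbg(hits):
    """Keep hits whose owner tag and kernel MZ header check out and whose
    process and module lists actually walk; prefer the fullest one."""
    good = [h for h in hits if h["tag_ok"] and h["mz_ok"] and h["processes"] and h["modules"]]
    return max(good, key=lambda h: (h["processes"], h["modules"])) if good else None

def followup_command(image, hit, plugin="pslist"):
    """Pin profile and KDBG address so later plugins need not rescan."""
    return "python vol.py -f %s --profile=%s --kdbg=%#x %s" % (
        image, hit["profile"], hit["kdbg"], plugin)

def parse_kpcrscan(text):
    """Map CPU number -> KPCR virtual address from kpcrscan output."""
    cpus = {}
    for b in _blocks(text):
        cpu, off = _field(b, "Details", r"CPU (\d+)"), _field(b, "Offset (V)", HEX)
        if cpu is not None and off is not None:
            cpus[int(cpu)] = int(off, 16)
    return cpus

def cross_check(hit, kpcrs, expected_cpus):
    """Two checks before trusting the image: one KPCR per CPU was found, and
    the KPCRs the chosen KDBG points to were also found by kpcrscan."""
    problems = []
    if len(kpcrs) < expected_cpus:
        problems.append("found %d KPCRs, expected at least %d" % (len(kpcrs), expected_cpus))
    missing = sorted(set(hit["kpcrs"]) - set(kpcrs.values()))
    if missing:
        problems.append("KDBG references KPCRs kpcrscan did not find: "
                        + ", ".join("%#x" % a for a in missing))
    return problems
```

To use it on a real image, redirect each plugin's output to a file (for example `python vol.py -f win_image.raw kdbgscan > kdbg.txt`) and pass the file contents to parse_kdbgscan and parse_kpcrscan in place of the constructed samples; the number of CPUs of the acquired machine comes from the acquisition notes, not from the image. With the samples above, pick_kdbg rejects the Win7SP1x86 hit because its lists walk to zero entries, chooses Win7SP0x86 at 0x8276bc28, and the cross-check passes because both KPCRs the KDBG references were also found by kpcrscan.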