discover your profile

Because you need to tell Volatility, on every command you issue, which "profile" the dump was taken from, a good way to find the profile is the kdbgscan option.

vol.exe -f vaio_mem.dmp kdbgscan
C:\Users\Admin\Downloads\volatility>vol.exe -f vaio_mem.dmp kdbgscan
Volatility Foundation Volatility Framework 2.4
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
PsActiveProcessHead           : 0x2c38420
PsLoadedModuleList            : 0x2c56730
KernelBase                    : 0xfffff80002a0f000
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
PsActiveProcessHead           : 0x2c38420
PsLoadedModuleList            : 0x2c56730
KernelBase                    : 0xfffff80002a0f000
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
PsActiveProcessHead           : 0x2c38420
PsLoadedModuleList            : 0x2c56730
KernelBase                    : 0xfffff80002a0f000
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
PsActiveProcessHead           : 0x2c38420
PsLoadedModuleList            : 0x2c56730
KernelBase                    : 0xfffff80002a0f000
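
The run above prints one block per candidate profile, which is hard to compare by eye. The following Python is an added example, not part of the original page or of Volatility itself: it parses saved kdbgscan output and groups the suggested profiles by KDBG physical offset, so you can see whether the suggestions point at one structure or several. The function names and the trimmed sample text are assumptions made for this example.

```python
import re

# Constructed sample: two of the four blocks from the run above, trimmed to the
# fields this example reads. The console wrapped the first line of each block.
SAMPLE = r"""
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
**************************************************
Instantiating KDBG using: C:\Users\Admin\Downloads\volatility\vaio_mem.dmp WinXP
SP2x86 (5.1.0 32bit)
Offset (P)                    : 0x2c010f0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
"""

# "name : value" on one line; wrapped continuation lines have no colon and are skipped.
FIELD = re.compile(r"^(?P<key>[^:\n]+?)[ \t]*:[ \t]*(?P<val>\S.*)$", re.M)
SUGGESTION = "Profile suggestion (KDBGHeader)"

def parse_kdbgscan(text):
    """Split kdbgscan output on its asterisk rulers; return one dict per block."""
    blocks = []
    for chunk in re.split(r"^\*{10,}[ \t]*$", text, flags=re.M):
        fields = {m["key"]: m["val"].strip() for m in FIELD.finditer(chunk)}
        if SUGGESTION in fields:
            blocks.append(fields)
    return blocks

def candidates(blocks):
    """Map each KDBG physical offset to the profiles suggested for it.
    Blocks whose owner tag check is not True are skipped (a choice of this example)."""
    by_offset = {}
    for b in blocks:
        if b.get("KDBG owner tag check") == "True":
            by_offset.setdefault(b["Offset (P)"], []).append(b[SUGGESTION])
    return by_offset

if __name__ == "__main__":
    for offset, profiles in candidates(parse_kdbgscan(SAMPLE)).items():
        print(f"KDBG at {offset}: {', '.join(profiles)}")
```

On the sample this reports a single KDBG offset with both suggestions attached, matching the full output above where all four blocks share offset 0x2c010f0.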