@volatilityfoundation Volatility requires code to be developed / written and requires the user to know the kernel version of memory dumps being analyzed see;

volatilityfoundation/volatility#493
volatilityfoundation/volatility#490
volatilityfoundation/volatility#489
volatilityfoundation/volatility#473
volatilityfoundation/volatility#451
volatilityfoundation/volatility#383

@google Rekal is better however there exists problems due to the lack of support for PDB client tools on Linux or other platforms. And it still requires users to extract disk files or have them on hand or pre-generated.

google/rekall#305
google/rekall#228

The use of hard coded profiles and names or even extracting these profiles from disk binaries place an excessive burden on users and inhibit automation (i.e. they require knowledge about the memory dumps version). The user of forensic analsysis tools does not often perform memory dumping and may have been provided a dump without that information, automating this process will streamline and reduce errors in these case also.

As this information is technically not required and consideration the release cycle of Windows is now quite frequent. Supporting these tools seems like it would help a lot of people and robot's get their jobs done without failure.

This will have the added side effect of expanding the existing capability of these tools considerably due to the expansive information included in the symbol information. Future versions may expand support for additional modules beyond what's required (essentially only NT! is needed for the purposes of Vola/Rekal).

Hello,
I tried to run Test-AllVirtualMemory both locally and against a domain joined machine. But I am getting:

ResultList ResultDictionary ExecutionTime

{}

I am really interested in your detection approach. Would you be so kind as to provide me with a very brief tutorial on how to start using you code? (I went through the source code comments already...)

Thank you in advance.

Thank you.

Sometimes, when I'm interested in analyzing a file, the version I currently happen to have on hand won't have public symbols available, while other versions do (e.g. Windows Defender executables). If you know the right timedatestamp & size, you can just download the binary from the symbol server, but that's not necessarily an easy thing to find (even if you already have the PDB!). It would be great to be able to query for a filename and get back a list of versions with symbols available on the MS symbol store - and it seems like pdb2json's database should have everything needed to provide that. Is it possible?

1. I could bring in the whole stack for https://github.com/ShaneK2/inVtero.net as a dependency

   1. would be great for users probably complicate stuff too much.

2. Leverage kernel 2MB page use

   1. Since Windows kernel (all versions x64?) is going to use 2MB pages, I can/should be able to use this to scan physmem in a naive way.