CBC: Unable to analyze a memdump-generated dump file with Volatility or Rekall analyzers

Article ID: 290888

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

A dump file generated by the Live Response utility "memdump" cannot be processed by the Volatility or Rekall memory analyzers.

Environment

  • CBC Sensor: 3.5 and above
  • CBC Console: All versions
  • MS Windows: 8.1 and later versions

Cause

CBC Windows 3.5 sensors changed their MemDump implementation on Windows 8.1 and above to use a safer Microsoft API. That API only collects userspace memory pages when the OS is booted in "Debug" mode, and even then it does not capture what is considered a "complete" dump file. Tools like DebugDiag and Volatility do not work with the "incompleteness" of the memdump file.

Resolution

The memdump output correctly includes both user and kernel memory and can be viewed and analyzed with the WinDbg analyzer. There are also two workarounds for using the Volatility or Rekall analyzers:
  1.  Push a third-party memory dump tool that gathers a full dump to the endpoint via Live Response and use that instead of our MemDump.
  2.  Use WinDbg or another tool besides Volatility that can handle dumps that do not include NULL memory space.
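A quick triage check, added here as an example and not part of this article or the Carbon Black tooling: before handing a dump to Volatility, read the Windows crash-dump header (the "PAGEDUMP"/"PAGEDU64" signature at offset 0 and the DumpType field at 0xF88/0xF98 of the 32-/64-bit DUMP_HEADER structures) to tell whether the file is a full dump or one of the partial types that omit free or zeroed pages. The header bytes in the example are constructed; the assumption is that the file is in crash-dump format, which is what WinDbg reads.

```python
import struct

# Signatures and DumpType values from the Windows DUMP_HEADER / DUMP_HEADER64 structures.
SIG32, SIG64 = b"PAGEDUMP", b"PAGEDU64"
DUMP_TYPE_OFFSET = {SIG32: 0xF88, SIG64: 0xF98}
DUMP_TYPES = {
    1: "full",                         # every physical page, including zero pages
    2: "kernel (summary)",             # kernel pages only
    3: "header only",
    4: "triage",
    5: "bitmap full (active memory)",  # free/zeroed pages typically omitted
    6: "bitmap kernel",
    7: "automatic",
}


def classify_dump(data: bytes) -> dict:
    """Return the header format, the DumpType name, and whether it is a full dump."""
    sig = data[:8]
    if sig not in DUMP_TYPE_OFFSET:
        # No crash-dump header: raw image, another container, or garbage.
        return {"format": "unknown/raw", "dump_type": None, "full": None}
    fmt = "crashdump64" if sig == SIG64 else "crashdump32"
    off = DUMP_TYPE_OFFSET[sig]
    if len(data) < off + 4:
        return {"format": fmt, "dump_type": "truncated header", "full": None}
    dtype = struct.unpack_from("<I", data, off)[0]
    return {
        "format": fmt,
        "dump_type": DUMP_TYPES.get(dtype, f"unknown ({dtype})"),
        "full": dtype == 1,
    }


def make_sample_header(sig: bytes, dump_type: int) -> bytes:
    """Constructed sample: a 4 KiB header with only the fields the check reads set."""
    buf = bytearray(0x1000)
    buf[:8] = sig
    struct.pack_into("<I", buf, DUMP_TYPE_OFFSET[sig], dump_type)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(classify_dump(f.read(0x1000)))
```

If the result is not a full dump, route the file to WinDbg as the article recommends rather than to Volatility or Rekall.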