Volatility.exe suggests two profiles for XP memory dump. Which one should I use?

Question

Volatility suggests two profiles for XP memory dump. Which one should I use for further investigation? I am a beginner for the volatility.

score 3 · Accepted Answer · answered May 16 '18 at 07:16

You should try both!

If memory addresses and PID's appear with question marks around them, you should probably switch to the other profile.

The problem is volatility can recognize that it's a certain Windows XP release, but the identifiable properties of these 2 XP Versions overlap, and make them harder to distinguish.

When executing plugins such as connscan or proclist, the results might be a bit obscure when using the wrong profile, because the actual locations in memory of these objects might differ between the XP Versions.

You'll notice pretty fast if you're using the wrong profile.

Volatility.exe suggests two profiles for XP memory dump. Which one should I use?

1 Answers1