
There is an IMViewer.exe process in memory, and it has the file IMMAIL.IMM open.

vol.py -f d:\dump\dump\CRM-20180416-165859.dmp --profile=Win2012R2x64_18340 --kdbg=0xf80173c3f8e0 dlllist -p 8256 > dlllist.txt 

IMViewer.EXE pid:   8256
Command line : "C:\Program Files (x86)\Inbit\Inbit Messenger Server\IMViewer.exe" "C:\Program Files (x86)\Inbit\Inbit Messenger Server\USER_ACCT\00001\IMMAIL.IMM"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000400000           0x208000                0x0 C:\Program Files (x86)\Inbit\Inbit Messenger Server\IMViewer.exe
0x00007ffca1a20000           0x1ad000                0x0 C:\Windows\SYSTEM32\ntdll.dll
0x0000000077850000            0x4b000                0x0 C:\Windows\SYSTEM32\wow64.dll
0x00000000777e0000            0x68000                0x0 C:\Windows\system32\wow64win.dll
0x00000000777d0000             0x9000                0x0 C:\Windows\system32\wow64cpu.dll

Execution

vol.py -f d:\dump\dump\CRM-20180416-165859.dmp --profile=Win2012R2x64_18340 --kdbg=0xf80173c3f8e0 dumpfiles -r IMM$ -i --name -D FileHandles/

does not find the .IMM file in memory.

The file IMMAIL.IMM is open and I can use it, but it was deleted from the disk and it could not be restored. IMViewer.EXE is a viewer program, and I cannot save the file IMMAIL.IMM from it. I wanted to find the file IMMAIL.IMM in memory and save it using dumpfiles, but the file can't be found. What can I do to find the file IMMAIL.IMM in memory?

Serg

1 Answer


Kinda new to this but this may help: `Vol.py -f {file} --profile{profile} filescan | grep .ILL` [ or the absolute name of the program instead ] and extract the file

NxtDaemon
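As an added example (not from the question or the answer above), a small Python helper that parses Volatility 2 `filescan` output, narrows it to the file object of interest the way the answer's grep does, and builds a `dumpfiles -Q` command keyed on the object's physical offset, which does not depend on the owning process still holding a handle. The filescan lines it parses are constructed samples, not output from the dump in the question.

```python
import re
import shlex

# Constructed sample of Volatility 2 `filescan` output (NOT taken from the
# dump in the question); offsets and pointer counts are made up.
SAMPLE_FILESCAN = """\
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1a4070     16      0 R--rwd \\Device\\HarddiskVolume2\\Windows\\System32\\ntdll.dll
0x000000003f2b8d80      2      1 RW-rw- \\Device\\HarddiskVolume2\\Program Files (x86)\\Inbit\\Inbit Messenger Server\\USER_ACCT\\00001\\IMMAIL.IMM
0x000000003f9c1f20      1      0 R--r-- \\Device\\HarddiskVolume2\\Program Files (x86)\\Inbit\\Inbit Messenger Server\\IMViewer.exe
"""

# offset, #Ptr, #Hnd, 6-char access mask, then the path (may contain spaces)
FILESCAN_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.*?)\s*$")

def parse_filescan(text):
    """Return one dict per _FILE_OBJECT line; header/separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_LINE.match(line)
        if not m:
            continue
        rows.append({"offset": int(m.group(1), 16), "ptr": int(m.group(2)),
                     "hnd": int(m.group(3)), "access": m.group(4),
                     "name": m.group(5)})
    return rows

def find_file_objects(text, name_regex):
    """Like the answer's grep, but case-insensitive and matched on the Name column only."""
    pat = re.compile(name_regex, re.IGNORECASE)
    return [r for r in parse_filescan(text) if pat.search(r["name"])]

def dumpfiles_commands(dump, profile, rows, outdir="FileHandles"):
    """Build one `dumpfiles -Q <physical offset>` command per matching object.
    Only data still resident in the cache (DataSectionObject / SharedCacheMap)
    can come back, so a deleted file may be partial or empty even if the
    _FILE_OBJECT is found."""
    cmds = []
    for r in rows:
        cmds.append(f"vol.py -f {shlex.quote(dump)} --profile={profile} "
                    f"dumpfiles -Q {r['offset']:#x} --name -D {outdir}/")
    return cmds
```

Run `filescan` on the real dump and feed its output to `find_file_objects` with the pattern `IMM$` to get the offsets that the dumpfiles regex search in the question could not reach through process handles.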