DPM 2012 SP1 Guide to Custom Reporting

The purpose of this guide is to explain how to import a custom DPM SQL report into DPM 2012 SP1.

NVINT handles dozens of DPM server builds throughout the year. Because the reports built into DPM aren’t very informative, we have created a custom DPM report that we use on all of our DPM servers in production. The following scenario uses DPM 2012 SP1 with a local SQL instance on Windows Server 2012 Standard. We use the following five steps when building each new DPM server:

  1. Install SQL Server Report Builder
  2. Create SQL Report User
  3. Create Custom Data Source
  4. Import and Configure the Custom Report
  5. Schedule the DPM Report

Step 1: Install SQL Server Report Builder

Download SQL Server Report Builder from the Microsoft Download Center to the DPM server.


Open the executable that you downloaded to start the Install wizard. Click “Next.”


Accept the license agreement and click “Next.”


Enter your username and company info and click “Next.”


Use the default Feature Selection and click “Next.”


For the Default Target Server use http://YourDPMServerName/reportserver_MSDPM2012.

Note: If you are not sure about your report server URL, open Reporting Services Configuration Manager, click Web Service URL and view the information there.


Click “Next” to install report builder.


Once the installation is complete click “Finish” to close the wizard.


Step 2: Create SQL report user

Create a new local user on the DPM server that will be used to access the DPM Database for the custom report.

[Screenshot: new user]

Next, open SQL Server Management Studio. Expand Security > Logins, right-click and choose “New Login.”


For the Login name, enter the new user you created. Then click Server Roles.


Under Server Roles put a check in the sysadmin box. Then Click User Mapping.


You can now close SQL Server Management Studio.
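Step 2 puts the report login in the sysadmin server role. As an added example that is not part of the original guide, the script below is a least-privilege alternative: it maps the login to DPMDB with read-only rights and removes it from sysadmin, assuming the custom report only reads from DPMDB, SQL Server 2012 or later T-SQL syntax, sqlcmd on the DPM server, and a SQL instance named MSDPM2012.

```python
"""Least-privilege alternative to the sysadmin assignment in Step 2.

Added example (not part of the original guide). Assumptions:
  - the custom report only reads from DPMDB, so db_datareader is enough;
  - SQL Server 2012+ T-SQL syntax (ALTER ROLE / ALTER SERVER ROLE);
  - sqlcmd.exe is available on the DPM server and the caller's Windows
    account may administer the instance (sqlcmd -E, trusted connection).
"""
import subprocess


def is_safe_identifier(name: str) -> bool:
    """Reject names that could break out of the [bracket] or N'...' quoting below."""
    return bool(name) and not any(ch in name for ch in "[]'\";")


def build_report_user_sql(login: str, database: str = "DPMDB") -> str:
    """Return T-SQL that maps an existing Windows login to the report database
    with read-only rights and removes it from sysadmin if it was put there."""
    for name in (login, database):
        if not is_safe_identifier(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    return f"""
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'{login}')
    CREATE LOGIN [{login}] FROM WINDOWS;
USE [{database}];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'{login}')
    CREATE USER [{login}] FOR LOGIN [{login}];
-- Read-only access is all a SELECT-based report needs.
ALTER ROLE db_datareader ADD MEMBER [{login}];
-- sysadmin would give the report login full control of the whole instance,
-- not just DPMDB, so take it away if an earlier build granted it.
IF IS_SRVROLEMEMBER('sysadmin', N'{login}') = 1
    ALTER SERVER ROLE sysadmin DROP MEMBER [{login}];
"""


def apply_sql(sql: str, instance: str = r".\MSDPM2012") -> int:
    """Run the statement through sqlcmd; -b makes sqlcmd exit non-zero on error."""
    result = subprocess.run(["sqlcmd", "-S", instance, "-E", "-b", "-Q", sql])
    return result.returncode


if __name__ == "__main__":
    import sys
    # Usage: python report_user.py DPMSERVER\dpmreport
    sys.exit(apply_sql(build_report_user_sql(sys.argv[1])))
```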


Step 3: Create Custom Data Source

Open Reporting Services Configuration Manager, click the Report Manager URL tab and click the Report Manager site URL. To access the Report Manager URL you need to log in as the user you used to install DPM. Normally this is the local Administrator account.



Once the Report Manager site is up we will need to give your new SQL user access to the web site. Click on “Site Setting” in the top right.


Now click on the “Security” tab.


Click on “New Role Assignment” to add your new SQL User.


Add your new SQL user as a “System Administrator” and Click “OK.”


Click “Home” once your new user is added.


Click “Folder Setting.”


From the home page, click “New Role Assignment” to add in your SQL user just like you did in the previous security tab.


Once your SQL user is added and has the Browser, Content Manager, My Reports, Publisher and Report Builder roles, click “Home.”


Once you are back at the Home page click on the DPMReports folder again.


Now we will create a new Data Source for your user to access the DPM Database. Click “New Data Source.”


Now create the connection to the DPM Database and test the connection.

Note: If the connection fails you may need to log out of the SQL Reporting Services webpage and log back in as your new SQL user and the connection should work. If the connection still errors out, open up SQL Management Studio and double check your SQL user has the proper permissions to the DPMDB database.


Once the Custom Data Source is created you can close out of SQL Reporting Services web page.

Step 4: Import and Configure the Custom Report

Open SQL Server Report Builder and open your custom DPM Report. Be sure you log into the report builder as your new SQL user. Right click on Data Sources and click “Add Data Source.”


Type in the name of the Data Source and click “Browse” at the bottom of the window.

[Screenshot: data source properties]

Select your “CustomDataSource” and click “Open.”


Your Data Source should now be listed under Data Sources.


Expand Datasets. Right click one of your datasets and click “Dataset Properties.”


For more information on SQL Report Datasets click Here.


Select your Custom Data Source and click “OK.” You must do this for each data set you are using.


You can now click “Run” to test your report and verify that it is working correctly.


Now save your report. Click File > Save As. Click “Recent Sites and Servers.”


Open the DPMReports folder.


I always use the file name “Status” to save the report as the Status report. Click “Save.” If you save the report as something other than one of the built-in DPM Reports, the report will not show up in the DPM console under reporting.


You can now close out of Report Builder.


Step 5: Schedule the DPM Report


Open the DPM console and click on the reporting tab. Select the “Status” report and click “Edit” under Schedule.


Create the schedule on which you want the report to be run.


Click on the E-mail tab and enter the email addresses you want the report sent to. Select the Report Format and click “OK.”

Note: If you have not already set the SMTP server you will need to go to the management tab and click “Options.” Then select the “SMTP Server” tab and enter your SMTP server information.


Your custom report should now run according to the schedule you configured. If the report does not run according to the schedule you created, you may need to log into the report manager URL and configure the schedule there. I have had issues in the past when creating the schedule in the DPM console and had to use the report manager site to have the correct schedule applied. To do this, first open reporting services configuration manager. Click “Report Manager URL” and then click on the URL. Log in with your DPM report user. Once the webpage is up click on the DPMReports folder.


Click the drop down arrow next to the Status report and click “Manage.”


Click on “Subscriptions.”


From the Subscriptions tab you can either create a New Subscription or Edit an existing subscription.


To create a new subscription, all you need to do is enter an email address in the “To:” field, select the format you want the report delivered to you in, and select the schedule.




The finished report will now be emailed to you. Here is a picture of our custom report. It lists the number of jobs in the critical and warning state, current alert details such as the protection group name of the failed job and affected server, and also jobs with recovery points that have failed more than five times.


By: Kyle VanDyke

CryptoWall Deleted File Recovery and Malware Analysis

A couple of weeks ago I got a call from a client that one of their employees had clicked on an attachment named “electronic_fund_transfer.zip” in a spam email. Naturally, the employee opened the PDF from within the zip file and then clicked “Run” to launch the executable inside.

In a typical organization, the main concern in such a situation would be what data was exfiltrated from the environment, not the data that was lost due to not having proper backups. You could just wipe the system and restore any lost data from backup, and spend your time figuring out what the malware accomplished while on the system. Well, this client didn’t have working backups in place and the user had also mounted file server shares to his laptop. So, not only did his data get encrypted, some of the data on the file server did as well, with no backups for months of either system.

When the client first contacted me they called it “CryptoDefense” which we can indeed decrypt without issue because there is plenty of data out there on how to do that. Naturally, once we arrived on site, we quickly found out that this was the much more advanced CryptoWall malware that doesn’t store the private key needed to decrypt the files on the local system.

At that point I was between a rock and a hard place because we had initially told them it was possible to recover the encrypted data. However, the majority of resources on the Internet indicate that it’s not possible to recover data at all when CryptoWall is installed as opposed to CryptoDefense. Most file recovery methods suggest using VSS copies to recover the data or backups, otherwise you’re simply out of luck. In these cases, I do not consider paying the data terrorists as an option.

So, as part of our basic Triage process, we obtained memory and disk images. These helped a lot in understanding how this malware works and achieving the ultimate goal of recovering the data.

To work with the malware for this blog post I created a virtual machine, fresh to launch this malware on, to run a few scans and tests.

My first goal was to determine how this malware was encrypting the data and by what method it was deleting the original files. I searched the strings file created from the Volatility strings plugin. I used IDA Pro on the “vofse.exe” file that does the encryption part (it’s the second file that is downloaded, after sicac.exe). The ransomware was simply using the DeleteFile function to remove the files after making a copy of the original file.

This screenshot is where the ransomware finds the file and creates a copy of it.


Here is a screenshot with the DeleteFile function highlighted.


So, I made a disk image before installing the malware and another after letting the malware run to “encrypt” the files.

First, to get a list of the files it “encrypted” I printed out the list it makes in the registry. To find the registry key that the malware created, look in “HKCU\Software\<unique ID>\CRYPTLIST\”, as it contains a list of the encrypted files.

root@BT:~/volatility-master# python vol.py -f win7.vmem --profile=Win7SP1x64 printkey -K "Software\1C1AA48085BD197637A78463CBBE8BC2\CRYPTLIST"

Legend: (S) = Stable   (V) = Volatile

Registry: \??\C:\Users\malware\ntuser.dat
Key name: CRYPTLIST (S)
Last updated: 2014-06-09 12:45:57 UTC+0000

REG_DWORD     C:\Users\malware\Documents\00698_snowmountains_1920x1200.jpg : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\400 – Linux Software RAID Rebuild.doc : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\Cisco_2014_ASR.pdf : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\GrrCON-Challenge.docx : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\Microsoft SQL Server AlwaysOn Solutions Guide for High Availability and Disaster Recovery.docx : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\Sophos_ZeroAccess_Botnet.pdf : (S) 2054688515
REG_DWORD     C:\Users\malware\Documents\YARA User’s Manual 1.6.pdf : (S) 2054688515
REG_DWORD     C:\Users\malware\Downloads\00698_snowmountains_1920x1200.jpg : (S) 2054688515



I then opened “GrrCON-Challenge.docx” (one of the encrypted documents) in a hex editor, copied the raw hex values, and searched through both of my disk images, before the malware and after the malware. While the file itself had been removed as far as the malware was concerned, it was still in the same spot on disk, at offset 004c000, in both disk images.


Here is the file in the “malwarevm-before.001”:


Here is the “GrrCON-Challenge.docx” document at the same offset 004c000 in the “aftermalwarevm-cryptowall.001”:


I also opened the encrypted version of “GrrCON-Challenge.docx” and searched the “aftermalwarevm-cryptowall.001” to find where it was located on disk, confirming against the old disk image that the malware had created a new file. I will note one very interesting fact: while I have two versions of the “GrrCON-Challenge.docx” file, the malware only created one encrypted version.


Now that I have confirmed that the malware isn’t fully deleting the files, I want to test it out on some more files to see how much data I can recover.

I ran one of my favorite file recovery tools, called R-Studio (yes, I like it because it’s fast and saves me some time compared with the more manual solutions available). R-Studio is a very simple program. Basically, all you have to do is mount a drive and scan it, and then choose which file types you want to look for. I just used the default configuration on the “aftermalwarevm-cryptowall.001”. I selected the Microsoft Word 2007 XML Document (.docx) type and noticed I had two sets of files. The ones with file names are the versions encrypted by CryptoWall, and the ones without names are the deleted originals, recoverable from slack space.


Based on the file size and hex values I knew “70.docx” was my “GrrCON-Challenge.docx” file, so I used the viewer before recovering the file to ensure from the hex view that it was the proper file and not the encrypted one. I was indeed correct: the picture above lists the file header as “PK”, which is the proper file header for a docx file.

Listed below is a screenshot of the encrypted file and its header so we know if we are looking at an encrypted file or not.


In my test example all encrypted files start with the header “CE FE” in hex, which will be different on each system that is hit with CryptoWall.

So I recovered all the files and ran a SHA-256 hash verification to ensure all my recovered files matched the original files.

Recovered File Hash Check


Original File Hash Check


I only tested with a few files in the following formats, docx, doc, pdf, and jpg. As a disclaimer with all file recovery some files may not be recoverable if the slack space was overwritten. In each separate case, file recovery will depend on how many files were encrypted, and how much free space the drive had before it had to start overwriting old slack space for new files.
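The three manual checks above (reading the CRYPTLIST key, looking at file headers, and comparing hashes) can be scripted. The block below is an added example, not code from the original post; it parses the Volatility printkey output, classifies a carved file as intact or CryptoWall output by its leading bytes, and verifies a recovered file against the original by SHA-256. The sample printkey text is constructed, and the “CE FE” header is treated as a per-victim parameter rather than a constant.

```python
"""Triage helpers for the CryptoWall recovery walked through above.

Added example, not from the original post. It scripts three things the post
did by hand:
  1. parse Volatility's printkey output for the CRYPTLIST key into the list
     of files the malware recorded;
  2. tell an intact document from a CryptoWall output by its first bytes
     (the post saw "PK" for a real .docx and "CE FE" for encrypted files on
     its test VM; the encrypted header is assumed to differ per victim, so
     it is a parameter here);
  3. compare the SHA-256 of a carved file with the known-good original.
All sample data is constructed for the example.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import PureWindowsPath

# One printkey value line per encrypted file: "REG_DWORD  <path> : (S) <dword>"
_CRYPTLIST_LINE = re.compile(r"^REG_DWORD\s+(?P<path>.+?)\s+:\s+\([SV]\)\s+\d+$")


def parse_cryptlist(printkey_output: str) -> list[str]:
    """Return the file paths listed under the CRYPTLIST registry key."""
    paths = []
    for line in printkey_output.splitlines():
        m = _CRYPTLIST_LINE.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


# Leading bytes of the formats the post recovered. A .docx is a zip
# container, so it starts with "PK" like any Office Open XML document.
KNOWN_MAGIC = {
    ".docx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
}


def classify(name: str, data: bytes, encrypted_magic: bytes = b"\xce\xfe") -> str:
    """Return 'intact', 'encrypted' or 'unknown' for a carved or listed file."""
    suffix = PureWindowsPath(name).suffix.lower()
    expected = KNOWN_MAGIC.get(suffix)
    if expected is not None and data.startswith(expected):
        return "intact"
    if data.startswith(encrypted_magic):
        return "encrypted"
    return "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_recovery(original: bytes, recovered: bytes) -> bool:
    """True when the carved copy is byte-for-byte the known-good original."""
    return sha256(original) == sha256(recovered)


# Constructed sample in the same shape as the printkey output shown above.
SAMPLE_PRINTKEY = """Key name: CRYPTLIST (S)
Last updated: 2014-06-09 12:45:57 UTC+0000
REG_DWORD     C:\\Users\\malware\\Documents\\GrrCON-Challenge.docx : (S) 2054688515
REG_DWORD     C:\\Users\\malware\\Documents\\Cisco_2014_ASR.pdf : (S) 2054688515
"""

if __name__ == "__main__":
    for path in parse_cryptlist(SAMPLE_PRINTKEY):
        print("recorded by the malware:", path)
    good = b"PK\x03\x04" + b"constructed docx body"   # carved original
    bad = b"\xce\xfe" + b"constructed ciphertext"      # CryptoWall output
    print(classify("70.docx", good), classify("GrrCON-Challenge.docx", bad))
    print("hash matches original:", verify_recovery(good, good))
```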

If anyone wants to look at the attachment that launched the attack, here it is, along with the malwr.com automated analysis, which is somewhat helpful. *Note: you have to sign up to download the file, and use at your own risk. I am not responsible for any damages you cause to yourself.


In my client’s case I was able to recover approximately 95% of the files, however based on their actual need we only searched for the critical documents and nothing that was lost from the user’s personal files. Just because ransomware encrypts the data doesn’t mean it’s lost forever because to actually erase the files would be much more time consuming and resource intensive. It also would be impossible to actually zero out the files on a file server because the user doesn’t have the proper permissions to access the raw drive in that method (*If permissions are properly setup that is, and User quotas are in place). If anyone would like the files used in this blog post, I would be happy to share the full images. I would also be happy to accept comments and questions just send me an email to wyattroersma (at) gmail.

If anyone would like to know more about memory forensics I’d recommend pre-ordering this The Art of Memory Forensics http://www.amazon.com/The-Art-Memory-Forensics-Detecting/dp/1118825098. Also if anyone needs assistance with CryptoWall or any other piece of malware please visit nvint.com.

I’d like to thank Andrew Case and Michael Hale Ligh for their advice and review of this blog post write-up. I’d also like to thank DoctorW0rm, a Reddit user who found some technical flaws which I have corrected from “CryptoLocker to CryptoDefense”.

Why Hosted Group Collaboration Services with NVINT?

NVINT project manager Beth Ostrowski talks about Microsoft Lync and how it helped her improve office communication:


I am always connected:

I can manage my email, contacts, calendar and reminders without even thinking about it.  With the Lync mobile app synchronized with Lync Server 2013, I can receive and send IMs as well.  I can see all of these items whether I am in the office sitting at my desk or cheering at my daughter’s soccer game.  Additionally, if I forget my laptop while out of town on a business trip I can use my iPad or the hotel’s public computer to use Outlook Web Access where, again, I have access to all of the same items, including IM.  There is not a time when I’m not connected.


Connection leads to efficiency:

I can see the presence of my team members and customers and know when they are available or offline.  I don’t waste time leaving voicemails and waiting for callbacks or continuously following up on emails.  I can even tag my contacts so I am notified when their presence changes.  If I know my co-worker is particularly busy and I will be lucky to even ask a question that day, I tag them, and when their presence changes, I ask my question.  Presence saves me time.


Record-keeping – saves me every time!

Lync saves every IM conversation, every Lync meeting that I choose to record and every voicemail as an email in Outlook, including speech to text.  When I can only vaguely remember a particular detail that my customer told me, I can easily search and find the detail in my Conversation History in Outlook.  I don’t have to go back to my customer and ask the question again.  Additionally, I don’t have to take notes while discussing these details over IM because I know Lync is saving them for me.  I can have a natural conversation. 

When my co-worker is explaining a multi-step technical process during a Lync meeting, I can record our meeting and go back to it later to use it as training.  Again, I don’t have to go back to my co-worker and ask questions because I have everything I need in the recording.  I look so smart when I appear to have learned a detailed process the first time!


Lync automatically integrates:

Lync integrates my contacts in Outlook and Lync.  I can quickly pull up a contact in Lync, click on the phone icon and make a call, send an email or start a meeting or IM conversation.  With Lync, I’m also able to schedule meetings and free conferences in my Outlook calendar. My contacts and appointments are always right where I need them, when I need them.


I don’t have to leave my desk to collaborate:

Desktop sharing during Lync meetings allows me to collaborate with others wherever they may be without leaving my desk.  Together, we can work on documents or any other programs that I have open, allowing us to brainstorm on whiteboards, view PowerPoint presentations, etc. quickly and easily. Audio and video conferencing allow me to interact with my coworkers and clients as if they were sitting next to me. I can schedule multi-party audio, video and web conferences, or initiate an impromptu meeting without having to travel or spend time messing around with unreliable conferencing methods. When collaborating is this easy, businesses accomplish more.


Is Microsoft Lync right for your organization?

If you are considering the purchase of a new phone system, talk to us first about NVINT’s Hosted Lync offering. Hosted Lync can save your business the large capital expense and management of a new phone system, while at the same time adding new features such as secure instant messaging, audio, video or web conferencing, and sharing and collaboration tools.

If you aren’t in the market for a new phone system, but are looking to increase efficiency and collaboration utilizing the many other features Lync offers, call us to take advantage of the scalability of our Lync offering.  Our customers have the ability to implement various features of Lync for your employees depending on how they work.  You don’t pay for more than each employee uses and can easily make changes by user.

We don’t hold our customers to long-term contracts.  We won’t make you sign a one- or two-year contract.  Although we can’t imagine it, if Lync isn’t everything you expected it to be, we will terminate your services with 30 days’ notice.

Call us or click here to discuss the potential that Lync has to improve communication and efficiency in your organization!

Hyper-V 2012 and 2012 R2 live virtual machine memory acquisition and analysis


In my previous post I went over analyzing Hyper-V saved state files in Volatility using a tool called vm2dmp. I mentioned some limits of the tool for VMs on 2012 and later Hyper-V host systems. Another major downside was a limit of 4GB RAM on the VM, above which the tool itself would crash. However, the biggest downside was having to actually pause a running VM to obtain the data, with no live acquisition option for anyone who can’t just take a server down in the middle of the day.

Using a tool called LiveKd we can now analyze Windows virtual machines on both the 2012 and 2012 R2 platforms, including VMs with more than 4GB of RAM. LiveKd also brings a major feature that vm2dmp wasn’t capable of: you can use it to dump the memory of a live VM into Microsoft crash dump format without pausing it. This will be very critical for an incident response analyst who can’t pause VMs for memory acquisition. LiveKd also requires that the Debugging Tools for Windows be installed on the Hyper-V host itself, which can have some impact if you don’t already have them installed.


Requirements for the Hyper-V host

Install the Debugging Tools for Windows

Download LiveKd from Sysinternals and extract to the directory of \Program Files\Microsoft\Debugging Tools for Windows\

Run an elevated command prompt and change the directory to the location of LiveKd.exe

Run livekd.exe (Accept the EULA)

If you haven’t installed symbols for the Hyper-V host, LiveKD will ask if you want it to automatically configure the system to use Microsoft’s symbol server, or you can manually set the symbols yourself.

If you want to list the virtual machines on the server, just use the -hvl option and it will list the GUIDs and names of running Hyper-V VMs.

Example: livekd.exe -hvl

[Screenshot: livekd -hvl output]

If you want to create a full crash dump of a virtual machine running on the host system you would run

>livekd.exe -hv (System name or GUID) -p (to pause the system to create a more consistent image) -o (output-file)

Example: livekd.exe -hv DFIR-PC -p -o DFIR-PC.dmp

[Screenshot: livekd dumping a VM]

If the virtual machine cannot be paused for business reasons, you may omit the -p command line option and create a crash dump from the live running VM. From my testing I can confirm that very little image smearing occurs. For further command line options visit Using LiveKD. Because Volatility supports the crash dump address space you can then use all the normal plugins.

Once you have converted to a crash dump you then use Volatility’s imagecopy plugin to convert the crash dump format to a raw memory dump.

Example: python vol.py -f /dir/crashdump --profile=<profile of VM> imagecopy -O /dir/memory.raw

Once the memory dump is in a raw format you can use the raw image in other tools like Redline.
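To tie the two steps together, here is an added acquisition wrapper (example code, not from the original post nor from the LiveKd or Volatility projects) that runs livekd with or without -p, converts the crash dump with imagecopy, and records a SHA-256 of each artifact in a manifest so the evidence can be verified later. The vol.py location, VM name and Volatility profile are assumptions supplied by the caller.

```python
"""Wrapper for the LiveKd -> Volatility imagecopy workflow described above.

Added example, not part of the original post nor of LiveKd or Volatility.
Assumptions:
  - livekd.exe is on PATH on the Hyper-V host, its EULA has been accepted
    once interactively (as the post describes) and symbols are configured;
  - vol.py (Volatility 2) lives at VOL_PY;
  - only the switches the post names are used: -hv, -p, -o for LiveKd and
    -f, --profile, imagecopy -O for Volatility;
  - VM name or GUID and the Volatility profile are supplied by the caller.
"""
from __future__ import annotations

import hashlib
import json
import subprocess
import time
from pathlib import Path

VOL_PY = Path(r"C:\tools\volatility\vol.py")  # assumed location


def livekd_command(vm: str, out_dmp: str | Path, pause: bool) -> list[str]:
    """livekd.exe -hv <vm> [-p] -o <file>. -p pauses the VM for a more
    consistent image; leave it off when the VM cannot be paused."""
    cmd = ["livekd.exe", "-hv", vm]
    if pause:
        cmd.append("-p")
    cmd += ["-o", str(out_dmp)]
    return cmd


def imagecopy_command(dmp: str | Path, profile: str, out_raw: str | Path) -> list[str]:
    """python vol.py -f <crash dump> --profile=<profile> imagecopy -O <raw>."""
    return ["python", str(VOL_PY), "-f", str(dmp),
            f"--profile={profile}", "imagecopy", "-O", str(out_raw)]


def sha256_file(path: str | Path, chunk: int = 1 << 20) -> str:
    """Stream the hash so multi-GB dumps are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(vm: str, profile: str, workdir: str | Path, pause: bool = False) -> dict:
    """Dump the VM, convert to raw, hash both artifacts and write a manifest
    beside them so the evidence can be verified later."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    dmp, raw = workdir / f"{vm}.dmp", workdir / f"{vm}.raw"
    manifest = {
        "vm": vm,
        "paused": pause,
        "started_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "commands": [],
    }
    for cmd in (livekd_command(vm, dmp, pause), imagecopy_command(dmp, profile, raw)):
        subprocess.run(cmd, check=True)   # stop at the first failing step
        manifest["commands"].append(" ".join(cmd))
    manifest["sha256"] = {dmp.name: sha256_file(dmp), raw.name: sha256_file(raw)}
    (workdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    import sys
    # Usage: python acquire_vm.py DFIR-PC Win7SP1x64 C:\evidence [--pause]
    acquire(sys.argv[1], sys.argv[2], sys.argv[3], pause="--pause" in sys.argv[4:])
```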

Currently this process is limited to virtual machines running Windows only; in my next blog post I’ll discuss the acquisition process for Linux VMs in Hyper-V 2012 R2.

If anyone has any helpful feedback please DM me on twitter @wyattroersma even more so if you have found something stated here that isn’t accurate.

By: Wyatt Roersma

How to Setup Exchange on an iOS device

Hosted Microsoft Exchange includes mobile support for Blackberry, iPhone, Android, and Windows Mobile devices.  Users enjoy quick access to their synchronized email, contacts, reminders and calendar items via their mobile device when they are on the road.  We are often asked how to set up Exchange on an iOS device and have compiled these easy instructions:

How to set up your Microsoft Exchange ActiveSync account on your iOS device (iPhone / iPad):

1.  If you already have a Microsoft Exchange account on your iOS device and wish to replace it:

Tap Settings > Mail, Contacts, Calendars > Click on Current Exchange email account > Delete Account.

2.  To get started adding an Exchange account, tap Settings > Mail, Contacts, Calendars > Add Account > Microsoft Exchange.


3.a. For iOS BEFORE 6.0, enter the following information in the fields below, then hit Next:

Email:  email@company.com (enter your email address in this format)

Domain: leave blank

Username: email@company.com (enter your email address in this format)
Password: the password you use to login to your Outlook

Description: whatever you would like to describe this account (ex. “My Exchange Account”)

3.b. For iOS 6.0 and later, enter the information in the fields below, then hit Next:


Email:  email@company.com (enter your email address in this format)

Password: the password you use to login to Outlook

Description: whatever you would like to describe this account (ex. “My Exchange Account”)


4.  Your iOS device will now try to locate your Exchange Server. You may need to enter your front-end Exchange Server’s complete address in the Server field. Hit Next.

Tap Next to go to the next screen, and the Server field should appear.

Server: Enter your Server address (ex. mail.nvint.com)


5. Choose which content you would like to synchronize: Mail, Contacts, Calendars, Reminders (Reminders available on iOS 6.0). Tap Save when finished.



Note: To modify your Microsoft Exchange settings, Tap Settings > Mail, Contacts, Calendars, select your Exchange account, and tap Account Info. 

Top 5 Reasons You Should Be Running Microsoft Data Protection Manager In Your Environment


Microsoft DPM

DPM was released to the public in 2005.  We have been using DPM since 2007 in our Cloud environment and have seen a tremendous amount of progress with this product over the years.   Microsoft has since moved DPM under the System Center 2012 suite of products.  Today, System Center 2012 DPM has become one of the leading enterprise backup solutions for virtualized environments. DPM has not yet established itself among the big boys of backup, however it is quickly gaining ground.  With the release of System Center 2012, I believe there are some compelling reasons to give DPM a closer look.

Here are my top 5 reasons for running DPM:

• You have a Windows based environment – DPM was designed to provide specific protection to Windows based products such as Exchange, SQL, SharePoint, and virtualization using Hyper-V.  This makes for a more consistent backup and recovery process.  DPM allows an organization to use the same backup and recovery process across multiple workloads.  If your environment is primarily Windows based, there is no better cost effective solution on the market.

• You need quick recovery in your virtualized environments – We have been able to stage the recovery and restore a 30GB database to a new name and location within 10 minutes.  Additionally, you can place that restored data within the original location or in a new location based on your needs.

• Reliability is important – Microsoft has created this product with alerts and thresholds, which allows automated email notifications when action is required.  Integration with Operations Manager and third-party monitoring and ticketing systems is also available.

• You need affordable offsite backup – DPM can be configured to back up the primary DPM server data across the internet to a secondary DPM server at a disaster recovery facility or separate data center.  We have implemented this approach in our data center for many years successfully.  Over the past three years we have offered this same service to our client base as one of the first DPM cloud based service providers hosting an offsite backup solution.  While Microsoft Azure is also an option, it can be challenging to manage with data growth and the cost model can be difficult to understand.

• Support frustrations? – It can be a challenge to get support from the MS Group, but it is easier to reach out to one vendor than to many pointing the finger at one another.  Single vendor support for your environment is valuable.


Data Protection Manager is a part of the Microsoft System Center 2012 Suite.  It provides near continuous data protection and recovery for your Exchange, SQL, SharePoint, virtual servers, file servers, desktops and laptops.  DPM creates and maintains a replica of the data to be protected.  This replica is then synchronized at regular intervals, which you determine, by protection agents that track changes to the data.

After the initial baseline copy of data using the DPM block-based synchronization engine is complete, two parallel processes enable continuous data protection.

DPM captures express full backups using Volume Shadow Copy Service (VSS) and the DPM agent to identify which blocks have changed in the database, and sends just the updated blocks or fragments. This is the equivalent of the regular full backup, leaving the DPM server with a complete and up-to-date copy of the data, without the penalty of transmitting everything across the network like a normal full backup.

Transaction logs are continuously synchronized to the DPM server, as often as every 15 minutes, between express full backups. The log files themselves are replicated by DPM, so you can call this the “incremental backup”.

Geographic redundancy is accomplished with some configuration and a VPN tunnel from site to site.  Once that is established you are able to configure both DPM servers to synchronize across the internet without any additional complicated hardware or software.  Taking the approach of block level backup, it is only the changes of the data sets that need to be synchronized across the internet, saving tremendous costs in internet bandwidth requirements.

It has been our experience that DPM has a well-rounded and affordable solution for the small and medium sized company with various sizes of data sets.  Whether you’re looking for a small backup solution to retire your old backup solution or you’re looking to replace your large scale back up and Disaster recovery program, DPM can be custom fit to your needs.

The new enterprise-friendly features, such as centralized management, certificate-based protection and RBAC, were sought after in previous versions, making this version a better solution. The reputation of DPM 2012 as the best backup product for Microsoft workloads continues.

With almost 10 years of the product being in the market place, we are happy with the performance and features set and look forward to continuing to serve our customers and partners with their back up and disaster recovery needs.

How to setup an Outlook Profile

NVINT has been hosting Microsoft Exchange since 2005.  

Microsoft Exchange is the most widely deployed email and collaboration solution in the world.  It is also one of the most time-consuming and complex environments to manage within any organization.  NVINT’s Hosted Exchange solution can quickly and easily be implemented into any size organization.  An immediate impact will be seen with lower costs and less administration, while increasing performance and offsetting the risk of unforeseen email system problems.

Hosted Exchange integrates, organizes, and manages email messages, contacts, calendars, tasks, notes, public and private folders, and much more.  While these email items can be accessed via Outlook Web Access (OWA), NVINT’s Hosted Exchange solution allows you to take full advantage of all features of Microsoft Outlook whether you are at your desk, on your mobile phone, or on the web.  Additionally, over the years, we have performed many, many email migrations from other hosted email solutions as well as from customer’s own in-house Exchange platforms.  We have realized there are common questions that customers ask during these migrations regarding accessing email via Outlook.  Here is a response to one of those questions:

How do I Setup an Outlook Profile?

If you currently DO NOT use Microsoft Outlook, skip steps 1-5 and perform steps 6 through 8 only.

1.  Open the Control Panel ( Start > Control Panel)

[Screenshot: Start Menu]

2.  Open the “Mail” options

[Screenshot: Mail icon]




  • (Note if you don’t see the options change the “View by:” settings from Category to Small Icons)


3.  Under the “Mail Setup – Outlook” screen Click the “Show Profiles” button.


4.  Click the “Add” button to set up a new profile



5.  Under the “New Profile” enter a Profile name, for example, “nvint2010” (Skip to step 7)

[Screenshot: New Profile]

6.  To set up your Outlook profile for the first time, launch Outlook. (Start > All Programs > Microsoft Office > Outlook)

7.  In the “Add New Account” window enter your information: Name, Email, Password, and Retype Password.  Then click “Next”. If you’re unfamiliar with your account information contact your network administrator.

You will see “Configuring”.

Note: You may get another message:

[Screenshot: settings configuration prompt]

Check the box “Don’t ask me about this website again” and click Allow.



8. If everything was properly setup you should see the “Congratulations!” screen with 3 green check mark arrows and the message “Your e-mail account is successfully configured”.  Click “Finish” to complete this setup.


9.  Go back into your Outlook Profile to confirm that it is using the correct profile:

Control Panel > Mail > Show Profiles

Where it says “Always use this profile” make sure that it shows ‘nvint2010’; If it doesn’t, click on the drop-down arrow and select ‘nvint2010’; Click Apply and then OK.

10.  Launch Outlook and the setup process is complete.  It will take some time to sync all of your email, depending on the size of your mailbox.  If you need to shut down your computer, thereby closing Outlook, before all of your email has synced it will just start syncing again when you launch Outlook the next time.


-Created by Beth Ostrowski for NVINT

Analyzing Hyper-V Saved State files in Volatility


Volatility can analyze Hyper-V Virtual Machine’s saved state once the (.bin) and (.vsv) files are converted to a crash dump using vm2dmp http://archive.msdn.microsoft.com/vm2dmp. This tool currently supports up to Hyper-V 2.0 (Windows Server 2008R2 and 2008) files. At this point I do not know of any support for Hyper-V 3.0 (Windows Server 2012 and up). In order for this process to work the VM must either be in a saved state or from a snapshot.


The virtual machine configuration file (the XML file in the virtual machine folder, in the path of the virtual machine) points to the paths of the .bin and .vsv files that are required to convert the saved state to a crash dump.  For example, the following snippet was pulled from one of my virtual machines’ XML files. Recently I have discovered that any VM with 4GB of RAM or more will cause vm2dmp to fail with an error like “ERROR: Failed to map guest block 4096 to any saved state block! ERROR: Element not found.”


<memlocation type="string">V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.bin</memlocation>
<type type="string">Normal</type>
<vsvlocation type="string">V:\ComputerName\Virtual Machines\VM-Instance-ID\VM-Instance-ID.vsv</vsvlocation>



Once you obtain the .bin and .vsv files you need to download vm2dmp and place it in the directory of the Windows Debugging Toolkit.

Download Windows Debugging Toolkit


Now you can use the vm2dmp tool to convert the files into a crash dump.

Create a dump file using virtual machine state files:

vm2dmp.exe -bin C:\dir\VM-Instance-ID.bin -vsv C:\VM\VM-Instance-ID.vsv -dmp C:\dir\crashdump.dmp

Create a dump file from virtual machine and snapshot name:

vm2dmp.exe -vm ComputerName -dmp C:\VM\crashdump.dmp

vm2dmp.exe -vm ComputerName -snap "vm ComputerName -snap-SP1" -dmp C:\VM\crashdump.dmp

Note: If you have a downloaded path of the debugging symbols then you can specify –sym and then the directory of the symbols path.

Once you have converted to a crashdump you then use Volatility’s Imagecopy plugin to convert the crashdump format to a raw memory dump. For more information check out


Example: python vol.py -f /dir/crashdump --profile=<profile of VM> imagecopy -O /dir/memory.raw