volatilityfoundation · brian-mckinney · Jun 3, 2026
diff --git a/volatility3/framework/layers/crash.py b/volatility3/framework/layers/crash.py
@@ -127,7 +127,7 @@ def _load_segments(self) -> None:
                 )
                 offset += run.PageCount
 
-        elif self.dump_type == 0x05:
+        elif self.dump_type == 0x05 or self.dump_type == 0x06:
             summary_header = self.get_summary_header()
             seg_first_bit = None  # First bit in a run
             seg_first_offset = 0  # File offset of first bit
@@ -254,14 +254,16 @@ def check_header(
 
 class WindowsCrashDump64Layer(WindowsCrashDump32Layer):
     """A Windows crash format TranslationLayer.
-    This TranslationLayer supports Microsoft complete memory dump files.
-    It currently does not support kernel or small memory dump files.
+    This TranslationLayer supports Microsoft complete memory dump files
+    (DumpType=1), full bitmap dump files (DumpType=5), and kernel bitmap
+    dump files (DumpType=6). It does not support legacy summary kernel
+    dumps (DumpType=2) or small memory (triage) dumps (DumpType=4).
     """
 
     VALIDDUMP = 0x34365544
     crashdump_json = "crash64"
     dump_header_name = "_DUMP_HEADER64"
-    supported_dumptypes = [0x1, 0x05]
+    supported_dumptypes = [0x1, 0x05, 0x06]
     headerpages = 2
 
 

diff --git a/volatility3/framework/plugins/windows/cmdscan.py b/volatility3/framework/plugins/windows/cmdscan.py
@@ -152,6 +152,7 @@ def get_command_history(
 
             sections = cls.get_filtered_vads(conhost_proc)
             found_history_for_proc = False
+            command_history = None
             # scan for potential _COMMAND_HISTORY structures by using the CommandHistorySize
             for max_history_value in max_history:
                 max_history_bytes = struct.pack("H", max_history_value)

diff --git a/volatility3/framework/plugins/windows/crashinfo.py b/volatility3/framework/plugins/windows/crashinfo.py
@@ -36,11 +36,13 @@ def _generator(self, layer: crash.WindowsCrashDump32Layer):
             dump_type = "Full Dump (0x1)"
         elif header.DumpType == 0x5:
             dump_type = "Bitmap Dump (0x5)"
+        elif header.DumpType == 0x6:
+            dump_type = "Kernel Bitmap Dump (0x6)"
         else:
-            # this should never happen since the crash layer only accepts 0x1 and 0x5
+            # this should never happen since the crash layer only accepts 0x1, 0x5, and 0x6
             dump_type = f"Unknown/Unsupported ({header.DumpType:#x})"
 
-        if header.DumpType == 0x5:
+        if header.DumpType in (0x5, 0x6):
             summary_header = layer.get_summary_header()
             bitmap_header_size = format_hints.Hex(summary_header.HeaderSize)
             bitmap_size = format_hints.Hex(summary_header.BitmapSize)

diff --git a/volatility3/framework/plugins/windows/memmap.py b/volatility3/framework/plugins/windows/memmap.py
@@ -57,6 +57,23 @@ def _generator(self, procs):
                 )
                 continue
 
+            # Kernel bitmap dumps (DumpType=6) may or may not include user-space
+            # physical pages depending on how the dump was created.  When user pages
+            # are absent, page tables are still present as kernel data so VA→PA
+            # translation succeeds, but every physical frame lookup fails — iterating
+            # O(mapped user pages) times at 4 KB/step is extremely slow.  Probe the
+            # PEB (a guaranteed user-space VA) to decide cheaply: if its physical
+            # backing is absent, the dump has no user pages and we can skip the walk.
+            phys_layer = self.context.layers.get(proc_layer._base_layer)
+            if getattr(phys_layer, "dump_type", None) == 6:
+                peb_va = int(proc.Peb)
+                if peb_va and not proc_layer.is_valid(peb_va):
+                    vollog.debug(
+                        f"Process {pid}: skipping memmap walk on kernel bitmap dump"
+                        f" (DumpType=6, user pages absent)"
+                    )
+                    continue
+
             if self.config["dump"]:
                 file_handle = self.open(f"pid.{pid}.dmp")
             else:

diff --git a/volatility3/framework/plugins/windows/mftscan.py b/volatility3/framework/plugins/windows/mftscan.py
@@ -126,6 +126,8 @@ def parse_standard_information_records(
             mft_flag = mft_record.Flags.lookup()
         except ValueError:
             mft_flag = hex(mft_record.Flags)
+        except exceptions.InvalidAddressException:
+            return
 
         # Standard Information Attribute
         try:
@@ -162,6 +164,8 @@ def parse_filename_records(
             mft_flag = mft_record.Flags.lookup()
         except ValueError:
             mft_flag = hex(mft_record.Flags)
+        except exceptions.InvalidAddressException:
+            return
 
         # File Name Attribute
         try: