Hello Brendan, hello all
Thanks a lot for the carefree all-around zip package. It works fine. The hiberfil.sys gets
decompressed now.
Thanks a lot to all others for their useful hints.
I have processed a "shortened" version of the original file without the
hiberfil-slack.
Now both programs (vol and WinHex) decompress the file, BUT:
The files have the same length but different MD5 sums because of 'some' binary
differences.
At the moment I don't know which version is the 'right' one.
Both mapped with X-Ways Forensics generated the following results:
WinHex version: 1,465 objects in total; Volatility version: 1,363 objects.
I have compared the results and found that some minor objects in the XWF version are
duplicated, but some objects are not found in the vol version.
I have attached a list of the "missing" objects, quick and dirty, simply sorted
by name.
Maybe someone has a clue what may have caused this difference.
Currently I am trying to find a way to compare the objects extracted by vol and XWF.
BR
Michael
@Andreas: Thanks for the offer to call you, will do that but need your
"Telefonnummer"...
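Added example (not part of this message, of Volatility or of WinHex): when two decompressed hibernation images have the same length but different MD5 sums, a whole-file hash says nothing about where they disagree. Hashing each 4 KiB page and collapsing the differing page indices into ranges localizes the disagreement, and counting how many of those pages are all-zero in one image but populated in the other separates "one tool left a page unfilled" from "both tools decoded the page, differently". The 4 KiB page size and the sample images are assumptions; the sample is constructed pseudo-random data, not real hiberfil content.

```python
"""Page-by-page comparison of two decompressed hiberfil.sys images.

Added example; not code from the original thread, Volatility or WinHex.
Assumes x86 4 KiB pages (hibernation files are restored page-wise).
"""
import hashlib
import random

PAGE_SIZE = 4096  # assumed page size


def page_hashes(data: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return one SHA-256 digest per page (the last page may be short)."""
    return [hashlib.sha256(data[off:off + page_size]).digest()
            for off in range(0, len(data), page_size)]


def differing_pages(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return the indices of pages whose contents differ between a and b.

    If the lengths differ, pages present in only one image count as differing.
    """
    ha, hb = page_hashes(a, page_size), page_hashes(b, page_size)
    n = max(len(ha), len(hb))
    return [i for i in range(n)
            if i >= len(ha) or i >= len(hb) or ha[i] != hb[i]]


def as_ranges(pages: list) -> list:
    """Collapse a sorted list of page indices into (first, last) runs."""
    ranges = []
    for p in pages:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def zero_page_count(data: bytes, pages: list, page_size: int = PAGE_SIZE) -> int:
    """Count how many of the given pages are entirely zero in `data`.

    A page that is zero in one image and populated in the other usually means
    one tool skipped or failed to decode that page, not that it decoded it
    differently.
    """
    return sum(1 for p in pages
               if not any(data[p * page_size:(p + 1) * page_size]))


def compare_images(a: bytes, b: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Summarize where, and how, two decompressed images diverge."""
    pages = differing_pages(a, b, page_size)
    return {
        "same_length": len(a) == len(b),
        "md5_a": hashlib.md5(a).hexdigest(),  # matches the thread's check
        "md5_b": hashlib.md5(b).hexdigest(),
        "differing_pages": len(pages),
        "ranges": as_ranges(pages),
        "zero_in_a": zero_page_count(a, pages, page_size),
        "zero_in_b": zero_page_count(b, pages, page_size),
    }


def build_sample(pages: int = 16, page_size: int = PAGE_SIZE) -> tuple:
    """Constructed sample input (not real hiberfil data).

    Image A is pseudo-random; image B is identical except that page 3 is
    zeroed (as if one tool left it unfilled) and pages 7-8 hold different
    content (as if the two tools decoded them differently).
    """
    rng = random.Random(1)
    base = bytearray(rng.getrandbits(8) for _ in range(pages * page_size))
    a = bytes(base)
    b = bytearray(base)
    b[3 * page_size:4 * page_size] = bytes(page_size)
    for p in (7, 8):
        b[p * page_size:(p + 1) * page_size] = bytes(
            rng.getrandbits(8) for _ in range(page_size))
    return a, bytes(b)


if __name__ == "__main__":
    img_a, img_b = build_sample()
    report = compare_images(img_a, img_b)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On real input, replace `build_sample()` with `open(path, "rb").read()` for the two decompressed files; a report where every differing page is zero in one image points at pages one tool never filled in, while populated-but-different pages are the ones worth opening in a hex editor side by side.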
-----Original Message-----
From: Dolan-gavitt, Brendan F [mailto:brendandg@gatech.edu]
Sent: Thursday, 2 July 2009 20:20
To: AAron Walters
Cc: Michael Felber , Steufa Chemnitz, IT-Forensik
Subject: Re: AW: Analyzing a Hiberfil.sys
I did indeed--you can get it here:
http://amnesia.gtisc.gatech.edu/~moyix/Volatility-SVN.zip
-Brendan
----- Original Message -----
From: "AAron Walters" <awalters(a)4tphi.net>
To: "Michael Felber , Steufa Chemnitz, IT-Forensik"
<MichaelFelber(a)gmx.net>
Cc: brendandg(a)gatech.edu
Sent: Thursday, July 2, 2009 11:13:55 AM GMT -05:00 US/Canada Eastern
Subject: Re: AW: Analyzing a Hiberfil.sys
Michael,
You will need to check out the entire repository. At one point, Brendan
created a zip file.
Thanks,
AW
On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote:
  Hello Aaron,
 I have downloaded most of the new files, but Volatility crashed with that.
 I assume I have to download ALL the newly released files manually and copy them
 to their destination? Or is there a new complete package available?
 Cu
 Michael
 -----Original Message-----
 From: AAron Walters [mailto:awalters@4tphi.net]
 Sent: Thursday, 2 July 2009 16:22
 To: Michael Felber , Steufa Chemnitz, IT-Forensik
 Cc: brendandg(a)gatech.edu
 Subject: Re: Analyzing a Hiberfil.sys
 Michael,
 Thanks for the email.  I'm glad you have found Volatility useful.  You may
 want to check out the latest version from the svn repository which
 includes a number of bug fixes.  Let me know if it generates the same
 errors.
 
http://code.google.com/p/volatility/source/checkout
 Thanks,
 AW
 On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote:
  Hello,
 I am new to volatility but I am very impressed by the capabilities of that
 tool collection. I have already used it in a couple of cases and found
 interesting clues for further investigation more than one time. Thanks a
 lot, great tool.
 I used v 1.3 Beta with Python 2.6.2 to analyze a hiberfil.sys. The attempt
 to decompress it produced the following error message:
 C:\Micha\Forensics\Volatility>python volatility hibinfo -f
 "F:\X-Ways-Images\##bad guy##\RAM-Analyse\NB Asus, Partition
 2\hiberfil-NB-ASUS.sys" -d "hiberfil-NB-ASUS-vol.sys"
 C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31:
 DeprecationWarning: the sha module is deprecated; use the hashlib module
 instead
  import sha
 Signature:
 SystemTime: Thu Jan 01 00:00:00 1970
 Control registers flags
 CR0: 000212dd
 CR0[PAGING]: 0
 CR3: 0001d69f
 CR4: 00020160
 CR4[PSE]: 0
 CR4[PAE]: 1
 Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo
    (major,minor,build) =  hiberAS.get_version()
  File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py",
 line 452, in get_version
    addr_space = IA32PagedMemoryPae(self,self.CR3)
 NameError: global name 'IA32PagedMemoryPae' is not defined
 The options -q and -t pae|nopae did not help.
 What went wrong?
 Kindest regards
 Michael Felber
 Agent in charge
 Michael Felber, StA
 Finanzamt Chemnitz-Süd
 Steuerfahndung
 IT-Forensik
 Paul-Bertz-Str. 1
 D-09120 Chemnitz
 Germany
 Fon:      +49 371 279 446
 Fax.      +49 371 279 421