10:01 a.m.
Hi all,
Please, is it possible to examine hiberfil.sys file (extracted from a
"dead" system) directly with volatility such as ?
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it before in an other format ?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
Compagnie IBM France
Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Forme Sociale : S.A.S.
Capital Social : 542.737.118 euros
SIREN/SIRET : 552 118 465 02430
10:26 a.m.
Bonjour Jean-Francois,
Tu peux essayer Sandman Framework
http://www.msuiche.net/
Télécharge http://sandman.msuiche.net/release/SandMan-BHUSA2008-Demos.zip
Essaie d'exécuter hib2mem.exe (hibernation 2 Memory dump)
Bonne journée,
Sébastien
Sorry for english reader, French to english: http://babelfish.yahoo.com/ :-)
On Fri, Sep 12, 2008 at 10:01 AM, Jean-Francois Ragu <JFRAGU(a)fr.ibm.com>wrote:
Hi all,
Please, is it possible to examine hiberfil.sys file (extracted from a
"dead" system) directly with volatility such as ?
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it before in an other format ?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
Compagnie IBM France
Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Forme Sociale : S.A.S.
Capital Social : 542.737.118 euros
SIREN/SIRET : 552 118 465 02430
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:08 a.m.
Jean-Francois,
Can you please clarify what you mean by a "dead system"? The real question
is whether the system was hibernating when it "died". Can you do me a
favor and open the file in a hex editor? Has the first page been zeroed
out? In that instance, it needs a little extra processing but it can
still be analyzed.
As for Sandman, I don't think the public black hat released supported
hiberfils that were not in use. Matthieu is a member of this list and
would be able to confirm that. If you use IRC and want to discuss it
more, you may also consider joining the #volatility channel where we all
hang out.
Thanks,
AW
On Fri, 12 Sep 2008, Jean-Francois Ragu wrote:
Hi all,
Please, is it possible to examine hiberfil.sys file (extracted from a
"dead" system) directly with volatility such as ?
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it before in an other format ?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
Compagnie IBM France
Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Forme Sociale : S.A.S.
Capital Social : 542.737.118 euros
SIREN/SIRET : 552 118 465 02430
2:15 a.m.
Aaron,
You find it :) First 4096 bytes are zeroed out.
Apologize I didn't check that before posting this mail.
I tested your Great tool first with a Ram dump (built with mdd) and then
wanted to try it on an hiberfil.sys extracted from an Encase capture.
I will work a little bit more on this (to see how to access to the
valuable data after this zeroed area) before joining the IRC
Thanks :)
Cordiales salutations - Bests regards
Jean-François
From:
AAron Walters <awalters(a)4tphi.net>
To:
Jean-Francois Ragu/France/IBM@IBMFR
Cc:
vol-users(a)volatilityfoundation.org
Date:
12/09/2008 17:34
Subject:
Re: [Vol-users] hiberfil.sys
Jean-Francois,
Can you please clarify what you mean by a "dead system"? The real question
is whether the system was hibernating when it "died". Can you do me a
favor and open the file in a hex editor? Has the first page been zeroed
out? In that instance, it needs a little extra processing but it can
still be analyzed.
As for Sandman, I don't think the public black hat released supported
hiberfils that were not in use. Matthieu is a member of this list and
would be able to confirm that. If you use IRC and want to discuss it
more, you may also consider joining the #volatility channel where we all
hang out.
Thanks,
AW
On Fri, 12 Sep 2008, Jean-Francois Ragu wrote:
Hi all,
Please, is it possible to examine hiberfil.sys file (extracted from a
"dead" system) directly with volatility such as ?
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable
to
locate valid DTB in Image
or do I have to convert it before in an other format ?
Thanks
Have a good weekend
:)
Best regards
Jean Francois
Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
Compagnie IBM France
Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Forme Sociale : S.A.S.
Capital Social : 542.737.118 euros
SIREN/SIRET : 552 118 465 02430
Sauf indication contraire ci-dessus:/ Unless stated otherwise above:
Compagnie IBM France
Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400
Courbevoie
RCS Nanterre 552 118 465
Forme Sociale : S.A.S.
Capital Social : 542.737.118 euros
SIREN/SIRET : 552 118 465 02430
12:37 p.m.
Jean-Francois,
Apologize I didn't check that before posting this
mail.
No worries. I'm sure others will have the same question. Please, feel
free to post any question! We enjoy helping people get involved.
I will work a little bit more on this (to see how to
access to the
valuable data after this zeroed area) before joining the IRC
It actually shouldn't require too much work. The header basically
provides meta-data that makes processing a little faster. It also
provides magic which can be useful for determining what transformations
need to be performed. All the information you need for analyzing the
memory sample can be determined without the meta information in the
header. If you have trouble, send me an email.
Thanks,
AW
1:26 p.m.
On a 32-bits windows hibernation file, we can retrieve the
page/structure (MEMORY_RANGE_ARRAY) that contains the list of all
physical page mapped like this:
1) Retrieve the first compressed block, starting by XPRESS_MAGIC
"\x81\x81xpress". We note X the page number of the first xpress block.
2) Now we can retrieve MEMORY_RANGE_ARRAY offset like this: (X - 1) * PAGE_SIZE
Here is a sample of code aiming at retrieving MEMORY_RANGE_ARRAY after
having the first page wiped:
for (FirstPageTable = 0; FirstPageTable < 10; FirstPageTable++)
{
if (memcmp(s->Map + (FirstPageTable * PAGE_SIZE),
XPRESS_MAGIC, 8) == 0) break;
}
//
// Note: We only scan the 10 first pages. It's enough for
32bits hibernation file.
//
if (FirstPageTable == 10) return s;
s->MemArray = (PMEMORY_RANGE_ARRAY) (s->Map + (FirstPageTable
- 1) * PAGE_SIZE);
Cheers,
On Mon, Sep 15, 2008 at 6:37 PM, AAron Walters <awalters(a)4tphi.net> wrote:
Jean-Francois,
--
Matthieu Suiche
Apologize I didn't check that before posting
this mail.
No worries. I'm sure others will have the same question. Please, feel free
to post any question! We enjoy helping people get involved.
I will work a little bit more on this (to see how
to access to the
valuable data after this zeroed area) before joining the IRC
It actually shouldn't require too much work. The header basically provides
meta-data that makes processing a little faster. It also provides magic
which can be useful for determining what transformations need to be
performed. All the information you need for analyzing the memory sample can
be determined without the meta information in the header. If you have
trouble, send me an email.
Thanks,
AW
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
6259
days inactive
6262
days old
vol-users@lists.volatilityfoundation.org
5 comments
4 participants
participants (4)
-
AAron Walters -
Jean-Francois Ragu -
Matthieu Suiche -
Sebastien Bourdon-Richard