[Vol-users] Analyzing a hiberfil.sys

Michael Felber , Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Thu Jul 2 09:15:07 CDT 2009

Hello folks,

I am new to volatility but have used it successfully several times. Thanks to all.

Today I wanted to analyze some hibernation files with it but had no success:
python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad

DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha

SystemTime: Thu Jan 01 00:00:00 1970

Control registers flags
CR0: 80010031
CR3: 0a338080
CR4: 000006f9
CR4[PSE]: 1
CR4[PAE]: 1

Traceback (most recent call last):
  File "volatility", line 219, in <module>
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo
    (major,minor,build) =  hiberAS.get_version()
  File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version
    addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined


The OS to be analyzed is WinXP SP2. I used X-Ways Forensics to cut the
slack off the hiberfil.sys. XWF successfully decompressed the file cut in
this way and interpreted it as a virtual RAM filesystem.

I had more than one hiberfil to look at, but none worked with volatility.

Has anyone had experience with that?

Any help appreciated.

Michael Felber

Special agent
