[Vol-users] Analyzing a hiberfil.sys

Michael Felber , Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Thu Jul 2 09:15:07 CDT 2009


Hello folks,

I am new to volatility but have used it successfully several times. Thanks to all
contributors.

Today I wanted to analyze some hibernation files with it but had no success:

python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack-decom-vola.sys"

C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha

Signature:
SystemTime: Thu Jan 01 00:00:00 1970

Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0a338080
CR4: 000006f9
CR4[PSE]: 1
CR4[PAE]: 1
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo
    (major,minor,build) =  hiberAS.get_version()
  File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version
    addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined

The OS to be analyzed is WinXP SP2. I used X-Ways Forensics to cut the
slack of the hiberfil.sys off. XWF successfully decompressed the file so cut
and interpreted it as a virtual RAM filesystem.

I had more than one hiberfil to look at but none worked with volatility
hibinfo.

Has anyone had experience with that?

Any help appreciated.

Regards

Michael Felber
Special agent
Germany
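A small triage helper, added here as an illustration and not part of the thread or of Volatility: it checks the hiberfil's leading signature (a blank one, as in the hibinfo output above, means the first page was wiped and there is no header to parse) and decodes the CR0/CR4 bits hibinfo printed, deriving the page-table base from CR3. The signature values and bit positions are the documented x86/Windows ones; the sample bytes are constructed.

```python
"""Triage helpers for a hiberfil.sys header (added example, not Volatility code).

Signature values and control-register bits are the documented ones; the sample
bytes below are constructed.
"""

# First DWORD of hiberfil.sys (PO_MEMORY_IMAGE.Signature). "hibr" marks a
# hibernated image; "wake" is written on resume by some Windows versions.
HIBER_SIGNATURES = {
    b"hibr": "hibernated: header valid",
    b"wake": "resumed: header stale, memory contents may be partly overwritten",
}

# Bits hibinfo decodes in the output above (x86 control-register layout).
CR0_PG = 1 << 31   # paging enabled
CR4_PSE = 1 << 4   # page size extensions (4 MB pages)
CR4_PAE = 1 << 5   # physical address extension


def classify_header(first_page: bytes) -> str:
    """Classify a hiberfil by its leading signature.

    A zeroed signature (the blank 'Signature:' line above) means the first
    page was wiped, so no header metadata can be trusted.
    """
    if len(first_page) < 4:
        return "truncated: fewer than 4 bytes"
    sig = first_page[:4]
    if sig in HIBER_SIGNATURES:
        return HIBER_SIGNATURES[sig]
    if sig == b"\x00\x00\x00\x00":
        return "zeroed: header wiped, no metadata to parse"
    return "unknown signature %r" % sig


def decode_control_registers(cr0: int, cr3: int, cr4: int) -> dict:
    """Decode the flags hibinfo prints and derive the page-table base (DTB).

    With PAE, CR3 points to a 32-byte aligned PDPT, so only the low 5 bits
    are flags; without PAE it is page aligned (low 12 bits are flags).
    """
    pae = bool(cr4 & CR4_PAE)
    dtb = cr3 & ~0x1F if pae else cr3 & ~0xFFF
    return {"paging": bool(cr0 & CR0_PG), "pse": bool(cr4 & CR4_PSE),
            "pae": pae, "dtb": dtb}


if __name__ == "__main__":
    # Constructed sample: a wiped first page plus the register values above.
    print(classify_header(b"\x00" * 4096), decode_control_registers(0x80010031, 0x0A338080, 0x000006F9))
```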
