[Vol-users] Analyzing a hiberfil.sys

Matthieu Suiche msuiche at gmail.com
Thu Jul 2 09:37:17 CDT 2009


Dear Michael,

The thing is, X-Ways-Forensics ripped a bugged version of SandMan for
their software, so you cannot really assume the output file it generated
is good if you used X-Ways-Forensics.
See Andreas' post: http://computer.forensikblog.de/en/2008/04/the_3_vendors.html

You can still try to use hibrshell:
http://msuiche.net/hibrshell/

Rick from ForensicsZone created a blog post on the configuration:
http://forensiczone.blogspot.com/2009/04/sandman-shell-batch-files-to-define.html

Kind Regards,
--
Matthieu Suiche



On Thu, Jul 2, 2009 at 4:15 PM, Michael Felber, Steufa Chemnitz,
IT-Forensik <MichaelFelber at gmx.net> wrote:
> Hello folks,
>
> I am new to volatility but have used it successfully several times. Thanks to all
> contributors.
>
> Today I wanted to analyze some hibernation files with it but had no success:
>
> python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack-decom-vola.sys"
>
> C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
>   import sha
>
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 80010031
> CR0[PAGING]: 1
> CR3: 0a338080
> CR4: 000006f9
> CR4[PSE]: 1
> CR4[PAE]: 1
>
> Traceback (most recent call last):
>   File "volatility", line 219, in <module>
>     main()
>   File "volatility", line 212, in main
>     modules[argv[1]].execute(argv[1], argv[2:])
>   File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute
>     self.cmd_execute(module, args)
>   File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo
>     (major,minor,build) =  hiberAS.get_version()
>   File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version
>     addr_space = IA32PagedMemoryPae(self,self.CR3)
> NameError: global name 'IA32PagedMemoryPae' is not defined
>
> The OS to be analyzed is WinXP SP2. I used X-Ways-Forensics to cut the
> slack off the hiberfil.sys. XWF successfully decompressed the file cut in
> this way and interpreted it as a virtual RAM filesystem.
>
> I had more than one hiberfil to look at, but none worked with volatility
> hibinfo.
>
> Has anyone had experience with that?
>
> Any help appreciated.
>
> Regards
>
> Michael Felber
> Special agent
> Germany
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
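Added example for this thread (not Volatility's or SandMan's code, and not part of either message): it reproduces the control-register decode that hibinfo printed in the quoted output, makes the PAE/non-PAE decision that get_version() is making at the point of the NameError, and adds the header sanity check a practitioner would run before any page-table walk. The embedded hibinfo text is constructed from the quoted output; the function names are this example's own, and the hiberfil signature strings are the XP-era 'hibr' (written at hibernation) and 'wake' (after resume).

```python
"""Decode an old hibinfo run: control-register flags, the PAE decision that
get_version() was making when it raised NameError, and a header sanity check.

Added example for this thread, not Volatility's or SandMan's code. The embedded
hibinfo text is constructed from the output quoted above; function names are
assumptions of this example.
"""

# Architectural bit positions from the IA-32 control registers (facts, not
# assumptions): CR0.PG enables paging, CR4.PSE allows 4 MiB pages, CR4.PAE
# switches the MMU to the 3-level (PAE) page-table format.
CR0_PG = 1 << 31
CR4_PSE = 1 << 4
CR4_PAE = 1 << 5

# Constructed sample: the hibinfo lines from the quoted message.
SAMPLE_HIBINFO_OUTPUT = """\
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0a338080
CR4: 000006f9
CR4[PSE]: 1
CR4[PAE]: 1
"""


def parse_hibinfo_registers(text):
    """Pull the raw CR0/CR3/CR4 hex values out of hibinfo-style output."""
    regs = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name = name.strip()
        if sep and name in ("CR0", "CR3", "CR4"):
            regs[name] = int(value.strip(), 16)
    return regs


def decode_control_registers(cr0, cr4):
    """Reproduce the flag lines hibinfo prints for the given raw registers."""
    return {
        "CR0[PAGING]": int(bool(cr0 & CR0_PG)),
        "CR4[PSE]": int(bool(cr4 & CR4_PSE)),
        "CR4[PAE]": int(bool(cr4 & CR4_PAE)),
    }


def select_paging_mode(cr0, cr4):
    """Return 'pae' or 'nonpae': the choice get_version() makes before it
    instantiates a paged address space (the PAE branch is the one that failed
    with NameError in the traceback above)."""
    if not cr0 & CR0_PG:
        raise ValueError("CR0.PG is clear: no paging, CR3 is meaningless")
    return "pae" if cr4 & CR4_PAE else "nonpae"


def page_table_root(cr3, mode):
    """Physical address of the top-level paging structure encoded in CR3.

    In PAE mode CR3 holds a 32-byte aligned PDPT pointer (bits 5..31); without
    PAE it holds a 4 KiB aligned page-directory base (bits 12..31).
    """
    if mode == "pae":
        return cr3 & 0xFFFFFFE0
    return cr3 & 0xFFFFF000


def check_hiberfil_header(data):
    """Classify the first bytes of a hibernation file before parsing it.

    'hibr' is the XP-era signature of a file written at hibernation time and
    'wake' marks one the system has since resumed from. An all-zero header is
    what a blank 'Signature:' line and a 1970 SystemTime point to: the tool
    decoded zeros, so the input is not an intact raw hiberfil.sys.
    """
    sig = data[:4]
    if sig == b"hibr":
        return "hibernated"
    if sig == b"wake":
        return "resumed"
    if sig == b"\x00\x00\x00\x00":
        return "zeroed"
    return "unknown"


if __name__ == "__main__":
    regs = parse_hibinfo_registers(SAMPLE_HIBINFO_OUTPUT)
    mode = select_paging_mode(regs["CR0"], regs["CR4"])
    print(decode_control_registers(regs["CR0"], regs["CR4"]))
    print(mode, hex(page_table_root(regs["CR3"], mode)))
    print(check_hiberfil_header(b"\x00" * 4096))  # a zeroed header, as in the quoted run
```

Run on the quoted values this reports mode 'pae' with a PDPT at 0x0a338080; the low bits of that CR3 are not 4 KiB aligned, which is itself consistent with a PAE kernel. When the header check comes back 'zeroed', the input file is the problem, not the address-space code: go back to the original hiberfil.sys rather than debugging the parser.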