[Vol-users] AW: AW: Analyzing a Hiberfil.sys

Michael Felber , Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Fri Jul 3 05:07:42 CDT 2009


Hello Brendan, hello all

thanks a lot for the carefree-all-around zip package. It works fine. The hiberfil.sys gets decompressed now.

Thanks a lot to all others for their useful hints.

I have processed a "shortened" version of the original file without the hiberfil-slack.

Now both programs (vol and WinHex) did decompress the file BUT:

The files have the same length but different MD5 sums because of 'some' binary differences.

At the moment I don't know which version is the 'right' one.

Both mapped with X-Ways Forensics generated the following results:

WinHex version: 1,465 objects in total; Volatility version: 1,363 objects.

I have compared the results and found that some minor objects in the XWF version are duplicated, but some objects are not found in the vol version.

I have attached a list of the "missed" objects, quick and dirty, simply sorted by name.

Maybe someone has a clue what may have caused this difference.

Currently I am trying to find a way to compare the objects extracted by vol and XWF.

BR

Michael

@Andreas: Thanks for the offer to call you, will do that but need your "phone number"...
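The two decompressed images above have the same length but different MD5 sums, and the question is where they differ. The script below is an added example (not code from this thread or from the Volatility project) that compares two equal-length raw images page by page, reports each differing page as either "zero in one side" (a page one decompressor emitted but the other left blank) or "differs", and lists the exact byte runs inside it. It assumes a 4096-byte page size and that both inputs are already decompressed; the sample images are constructed inline.

```python
"""Compare two equal-length decompressed hiberfil images page by page.

Added example, not from the mailing-list thread or the Volatility project.
Assumes both inputs are raw decompressed images with 4096-byte pages.
"""
import hashlib
from typing import Dict, List, Tuple

PAGE = 4096  # assumption: x86 page size used for the page-level summary


def md5_hex(data: bytes) -> str:
    """MD5 of a whole image, as the post compares the two files by MD5."""
    return hashlib.md5(data).hexdigest()


def byte_ranges(a: bytes, b: bytes, base: int = 0) -> List[Tuple[int, int]]:
    """Contiguous (offset, length) runs where a and b differ.

    `base` is added to each offset so runs inside one page are reported as
    absolute file offsets.
    """
    runs: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            runs.append((base + start, i - start))
            start = None
    if start is not None:
        runs.append((base + start, len(a) - start))
    return runs


def classify(pa: bytes, pb: bytes) -> str:
    """Label a page pair: identical, blank on one side only, or differing."""
    if pa == pb:
        return "same"
    if not any(pa):
        return "zero_in_a"  # A left this page blank, B has content
    if not any(pb):
        return "zero_in_b"  # B left this page blank, A has content
    return "differs"


def compare_images(a: bytes, b: bytes, page_size: int = PAGE) -> Dict:
    """Page-level diff report for two same-length images.

    A length mismatch is an error rather than silently truncating, because
    the post's whole premise is that the two outputs are the same length.
    """
    if len(a) != len(b):
        raise ValueError("images differ in length: %d vs %d" % (len(a), len(b)))
    report: Dict = {"md5_a": md5_hex(a), "md5_b": md5_hex(b), "pages": []}
    for off in range(0, len(a), page_size):
        pa, pb = a[off:off + page_size], b[off:off + page_size]
        kind = classify(pa, pb)
        if kind == "same":
            continue
        report["pages"].append({
            "page": off // page_size,
            "kind": kind,
            "runs": byte_ranges(pa, pb, base=off),
        })
    return report


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 4-page sample: pages 0 and 1 identical, page 2 blank in B,
    page 3 with three flipped bytes."""
    pages_a = [bytes([i]) * PAGE for i in range(1, 5)]
    pages_b = list(pages_a)
    pages_b[2] = bytes(PAGE)
    p = bytearray(pages_b[3])
    p[10] ^= 0xFF
    p[11] ^= 0xFF
    p[100] ^= 0x01
    pages_b[3] = bytes(p)
    return b"".join(pages_a), b"".join(pages_b)


if __name__ == "__main__":
    img_a, img_b = build_sample()
    rep = compare_images(img_a, img_b)
    print("md5 A:", rep["md5_a"])
    print("md5 B:", rep["md5_b"])
    for entry in rep["pages"]:
        print("page %d: %s, runs %s" % (entry["page"], entry["kind"], entry["runs"]))
```

For two real decompressed hiberfil images, replace `build_sample()` with two `open(path, "rb").read()` calls. A long list of `zero_in_*` pages points at one decompressor dropping or failing to write whole compressed blocks, which would also explain objects present in one carving result and absent from the other; a few scattered `differs` runs point at something smaller, such as header fields rewritten by one tool.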

-----Original Message-----
From: Dolan-gavitt, Brendan F [mailto:brendandg at gatech.edu] 
Sent: Thursday, 2 July 2009 20:20
To: AAron Walters
Cc: Michael Felber , Steufa Chemnitz, IT-Forensik
Subject: Re: AW: Analyzing a Hiberfil.sys

I did indeed--you can get it here:

http://amnesia.gtisc.gatech.edu/~moyix/Volatility-SVN.zip

-Brendan

----- Original Message -----
From: "AAron Walters" <awalters at 4tphi.net>
To: "Michael Felber , Steufa Chemnitz, IT-Forensik" <MichaelFelber at gmx.net>
Cc: brendandg at gatech.edu
Sent: Thursday, July 2, 2009 11:13:55 AM GMT -05:00 US/Canada Eastern
Subject: Re: AW: Analyzing a Hiberfil.sys



Michael,

You will need to check out the entire repository. At one point, Brendan 
created a zip file.

Thanks,

AW

On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote:

> Hello Aaron,
>
> I have downloaded most of the new files but Volatility crashed with that.
> I assume I have to download ALL the newly released files manually and copy them
> to their destination? Or is there a new complete package available?
>
> Cu
>
> Michael
>
> -----Original Message-----
> From: AAron Walters [mailto:awalters at 4tphi.net]
> Sent: Thursday, 2 July 2009 16:22
> To: Michael Felber , Steufa Chemnitz, IT-Forensik
> Cc: brendandg at gatech.edu
> Subject: Re: Analyzing a Hiberfil.sys
>
>
>
> Michael,
>
> Thanks for the email.  I'm glad you have found Volatility useful.  You may
> want to check out the latest version from the svn repository which
> includes a number of bug fixes.  Let me know if it generates the same
> errors.
>
> http://code.google.com/p/volatility/source/checkout
>
> Thanks,
>
> AW
>
>
> On Thu, 2 Jul 2009, Michael Felber , Steufa Chemnitz, IT-Forensik wrote:
>
>> Hello,
>>
>>
>>
>> I am new to volatility but I am very impressed by the capabilities of that
>> tool collection. I have already used it in a couple of cases and found
>> interesting clues for further investigation more than one time. Thanks a
>> lot, great tool.
>>
>>
>>
>> I used v 1.3 Beta with Python 2.6.2 to analyze a hiberfil.sys. The attempt
>> to decompress it produced the following error message:
>>
>>
>>
>> C:\Micha\Forensics\Volatility>python volatility hibinfo -f
>> "F:\X-Ways-Images\##bad guy##\RAM-Analyse\NB Asus, Partition
>> 2\hiberfil-NB-ASUS.sys" -d "hiberfil-NB-ASUS-vol.sys"
>>
>> C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31:
>> DeprecationWarning: the sha module is deprecated; use the hashlib module
>> instead
>>
>>  import sha
>>
>> Signature:
>>
>> SystemTime: Thu Jan 01 00:00:00 1970
>>
>>
>>
>> Control registers flags
>>
>> CR0: 000212dd
>>
>> CR0[PAGING]: 0
>>
>> CR3: 0001d69f
>>
>> CR4: 00020160
>>
>> CR4[PSE]: 0
>>
>> CR4[PAE]: 1
>>
>> Traceback (most recent call last):
>>
>>  File "volatility", line 219, in <module>
>>
>>    main()
>>
>>  File "volatility", line 212, in main
>>
>>    modules[argv[1]].execute(argv[1], argv[2:])
>>
>>  File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute
>>
>>    self.cmd_execute(module, args)
>>
>>  File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo
>>
>>    (major,minor,build) =  hiberAS.get_version()
>>
>>  File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py",
>> line 452, in get_version
>>
>>    addr_space = IA32PagedMemoryPae(self,self.CR3)
>>
>> NameError: global name 'IA32PagedMemoryPae' is not defined
>>
>>
>>
>> Options -q, -t pae|nopae did not help.
>>
>>
>>
>> What went wrong?
>>
>>
>>
>> Kindest regards
>>
>>
>>
>> Michael Felber
>>
>> Agent in charge
>>
>>
>>
>> Michael Felber, StA
>>
>> Finanzamt Chemnitz-Süd
>>
>> Steuerfahndung
>>
>> IT-Forensik
>>
>> Paul-Bertz-Str. 1
>>
>> D-09120 Chemnitz
>>
>> Germany
>>
>>
>>
>> Fon:      +49 371 279 446
>>
>> Fax.      +49 371 279 421
>>
>>
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: missed _objects.zip
Type: application/octet-stream
Size: 2056 bytes
Desc: not available
Url : https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20090703/0e06c893/missed_objects.obj