[Vol-users] decompression of hyberfil.sys

Michael Felber, Steufa Chemnitz, IT-Forensik MichaelFelber at gmx.net
Thu Jul 9 01:55:06 CDT 2009

Hello all,


I have posted this twice because the decompression issue should be moved to
vol-dev as Aaron suggested.


Yesterday Andreas did provide a hiberfil.sys for decompression testing.
Thanks a lot again.

I have processed it twice with X-Ways-Forensics 15.3 SR3 and Volatility

The good news: Both result files are identical.

The bad news: I don’t have any clue why the decompression of my
case-relevant hiberfil.sys did not properly work with Volatility but did with


If anyone else needs a hiberfil.sys decompressed with XWF for testing, do
not hesitate to ask me. We have the most recent releases here. (I am back on
the 29th of July)


I did compare the vol and the XWF-version of my case files but I can’t
interpret or explain the differences. What should I look for?






Michael Felber, StA
Finanzamt Chemnitz-Süd

Paul-Bertz-Str. 1
D-09120 Chemnitz

Fon: +49 371 279 446
Fax: +49 371 279 421

