[Vol-users] Problem converting hiberfil.sys

AAron Walters awalters at 4tphi.net
Thu Nov 18 10:53:04 CST 2010



Hey Christian!

What version of Volatility are you using?  I'm not sure they are related to 
your issue, but there were some bugfixes for issues related to inactive 
hibernation files (i.e. first page zero'd).

The first page being empty means that the information normally found in 
the hibernation header needs to be carved from the sample.  It normally 
just requires an extra couple of steps.

Thanks,

AW

On Wed, 17 Nov 2010, Christian Herndler wrote:

> Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
> either (error was: "Failed. Cannot open file. Please check if the file
> is not being used")
>
> The first page (4096 Byte) of the file is empty - but as far as I know
> that shouldn't be a problem.
>
> Christian
>
>
> On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
>> Christian-
>>
>> Perhaps try the following syntax:
>>
>> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>>
>> I recommend Matt's standalone windows executable hibr2bin from moonsol.
>>
>> Thanks,
>> JB
>> Sent via BlackBerry by AT&T
>>
>> -----Original Message-----
>> From: Christian Herndler <christian at herndler.com>
>> Sender: vol-users-bounces at volatilityfoundation.org
>> Date: Wed, 17 Nov 2010 08:55:24
>> To: <vol-users at volatilityfoundation.org>
>> Subject: [Vol-users] Problem converting hiberfil.sys
>>
>> Hello,
>>
>> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
>> following error:
>>
>> ./volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>> Traceback (most recent call last):
>>   File "./volatility", line 219, in <module>
>>     main()
>>   File "./volatility", line 212, in main
>>     modules[argv[1]].execute(argv[1], argv[2:])
>>   File "/opt/Volatility/vmodules.py", line 62, in execute
>>     self.cmd_execute(module, args)
>>   File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
>>     hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
>>   File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146, in __init__
>>     for i in range(0,EntryCount):
>> OverflowError: range() result has too many items
>>
>> any ideas ?
>>
>> Christian
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
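
Added example, not part of the original thread and not Volatility's code: a triage check for the situation discussed above, reporting whether the first 4096-byte page is zeroed and where the first compressed blocks start, so the analyst knows the header must be carved before conversion. The header signatures "hibr"/"wake", the Xpress block magic, and the function names are assumptions of this sketch.

```python
import io

PAGE_SIZE = 4096                   # first-page size quoted in the thread
HEADER_SIGS = (b"hibr", b"wake")   # assumption: signatures of a populated header
XPRESS_MAGIC = b"\x81\x81xpress"   # assumption: magic opening each Xpress block


def triage_hiberfil(stream, max_hits=8, chunk_size=1 << 20):
    """Return (first_page_state, offsets of the first Xpress block magics)."""
    first = stream.read(PAGE_SIZE)
    if len(first) < PAGE_SIZE:
        state = "truncated"
    elif not any(first):
        state = "zeroed"            # inactive file: header data must be carved
    elif first[:4].lower() in HEADER_SIGS:
        state = "header-present"
    else:
        state = "unknown"

    hits, offset, tail = [], len(first), b""
    while len(hits) < max_hits:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk          # keep a tail so a magic split across reads is found
        base = offset - len(tail)
        pos = buf.find(XPRESS_MAGIC)
        while pos != -1 and len(hits) < max_hits:
            hits.append(base + pos)
            pos = buf.find(XPRESS_MAGIC, pos + 1)
        tail = buf[-(len(XPRESS_MAGIC) - 1):]
        offset += len(chunk)
    return state, hits


def constructed_sample(first_page=bytes(PAGE_SIZE)):
    """Constructed test input, not a real hibernation file."""
    body = b"A" * 100 + XPRESS_MAGIC + b"B" * 50 + XPRESS_MAGIC + b"C" * 10
    return io.BytesIO(first_page + body)


if __name__ == "__main__":
    print(triage_hiberfil(constructed_sample()))
```

Against an evidence copy, pass a file object opened with mode "rb"; a "zeroed" state with Xpress offsets present matches the inactive-file case described in the reply.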