[Vol-users] Problem converting hiberfil.sys

Christian Herndler christian at herndler.com
Sat Nov 20 03:49:17 CST 2010


Sorry for the delay, I've been out of office for two days ...


@aaron

I've checked out SVN Revision 527, I think that's the latest version.

@matthieu

Thanks for your kind offer. I've attached the first 16 pages of two
different hibernation files (off list).

hiberfil_16_pages_first_empty.dd is from WindowsXP SP0 German. That file
doesn't look to me like a valid hibernation file - is it possible that
the machine it comes from has been configured for hibernation but
hibernation mode has never been used? Is it right that in such a case
Windows will just reserve the space necessary for the hibernation file
but will not do any initialization, so that file will probably contain
random data from files which previously occupied that disk space?

hiberfil_16_pages_active.dd is from Windows Vista Business SP1 32Bit, it
looks like an active hibernation file but gives the same error when I
tried converting it ("Failed. Cannot open file. Please check if the file
is not being used")

So both files give the same error. I tried it on Windows 7 and on a
Windows XP box too to make sure that it isn't related to an eventual
UAC/Win7/64-bit problem.

Thank you

Christian

On 11/18/2010 05:53 PM, AAron Walters wrote:
> 
> 
> Hey Christian!
> 
> What version of Volatility are you using?  I'm not sure they are related
> to your issue but there were some bugfixes for issues related to
> inactive hibernation files (ie first page zero'd).
> 
> The first page being empty means that the information normally found in
> the hibernation header needs to be carved from the sample.  It normally
> just requires an extra couple of steps.
> 
> Thanks,
> 
> AW
> 
> On Wed, 17 Nov 2010, Christian Herndler wrote:
> 
>> Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
>> either (error was: "Failed. Cannot open file. Please check if the file
>> is not being used")
>>
>> The first page (4096 Byte) of the file is empty - but as far as I know
>> that shouldn't be a problem.
>>
>> Christian
>>
>>
>> On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
>>> Christian-
>>>
>>> Perhaps try the following syntax:
>>>
>>> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>>>
>>> I recommend Matt's standalone windows executable hibr2bin from moonsol.
>>>
>>> Thanks,
>>> JB
>>> Sent via BlackBerry by AT&T
>>>
>>> -----Original Message-----
>>> From: Christian Herndler <christian at herndler.com>
>>> Sender: vol-users-bounces at volatilityfoundation.org
>>> Date: Wed, 17 Nov 2010 08:55:24
>>> To: <vol-users at volatilityfoundation.org>
>>> Subject: [Vol-users] Problem converting hiberfil.sys
>>>
>>> Hello,
>>>
>>> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
>>> following error:
>>>
>>> ./volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
>>> Traceback (most recent call last):
>>>   File "./volatility", line 219, in <module>
>>>     main()
>>>   File "./volatility", line 212, in main
>>>     modules[argv[1]].execute(argv[1], argv[2:])
>>>   File "/opt/Volatility/vmodules.py", line 62, in execute
>>>     self.cmd_execute(module, args)
>>>   File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
>>>     hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
>>>   File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
>>> in __init__
>>>     for i in range(0,EntryCount):
>>> OverflowError: range() result has too many items
>>>
>>> any ideas ?
>>>
>>> Christian
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
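The thread turns on two things a responder can check before feeding a hiberfil.sys to any converter: whether the first page (the hibernation header) is zeroed, which Aaron says means the header information has to be carved from the sample, and whether a count read from that page is plausible before it is used as a loop bound, which is what blew up `range(0, EntryCount)` in the traceback. The script below is an added example by the editor, not Volatility or MoonSols code. It assumes the well-known 4-byte signature at the start of the header (`hibr` for an active file, `wake` for one Windows has resumed from; case varies between versions), and the header offset `COUNT_OFFSET` it reads the count from is a hypothetical placeholder chosen only to illustrate the bounds check. The sample pages are constructed inline so it runs offline.

```python
"""Pre-flight checks for a hiberfil.sys sample (added example, not Volatility code)."""
import struct

PAGE_SIZE = 4096

# First 4 bytes of the PO_MEMORY_IMAGE header. Assumption: these cover the
# XP/Vista/7-era files discussed in the thread; newer versions differ.
ACTIVE_SIGNATURES = {b"hibr", b"HIBR"}
RESUMED_SIGNATURES = {b"wake", b"WAKE"}

# Hypothetical offset of a 32-bit entry count inside the header, used only to
# show why a count must be bounded before it drives a loop. Not a real field.
COUNT_OFFSET = 0x40

# Any real table is far smaller than this; a larger value means the header is
# not a header (zeroed, resumed, or leftover disk content), so carve instead.
MAX_PLAUSIBLE_ENTRIES = 1 << 20


def classify_first_page(page: bytes) -> str:
    """Return one of: truncated, active, resumed, zeroed, unrecognized."""
    if len(page) < PAGE_SIZE:
        return "truncated"
    sig = page[:4]
    if sig in ACTIVE_SIGNATURES:
        return "active"
    if sig in RESUMED_SIGNATURES:
        return "resumed"
    if not any(page):            # every byte is 0x00: inactive file, header must be carved
        return "zeroed"
    return "unrecognized"        # e.g. stale disk content in a never-used hiberfil.sys


def read_entry_count(page: bytes) -> int:
    """Read the (hypothetical) little-endian entry count from the header page."""
    return struct.unpack_from("<I", page, COUNT_OFFSET)[0]


def bounded_count(raw: int, max_entries: int = MAX_PLAUSIBLE_ENTRIES) -> int:
    """Refuse to iterate a count taken from untrusted bytes unless it is plausible.

    This is the check the traceback in the thread shows was missing: a garbage
    header yields a huge count and range() raises OverflowError (or the loop
    runs forever) instead of a clear diagnostic.
    """
    if raw < 0 or raw > max_entries:
        raise ValueError(
            f"implausible entry count {raw}; first page is probably not a valid header"
        )
    return raw


def describe(page: bytes) -> dict:
    """Summarise what a converter can safely do with this first page."""
    kind = classify_first_page(page)
    result = {"kind": kind, "usable_header": kind == "active", "entry_count": None}
    if kind == "active":
        result["entry_count"] = bounded_count(read_entry_count(page))
    return result


def classify_file(path: str) -> dict:
    """Read only the first page of a real file and describe it."""
    with open(path, "rb") as fh:
        return describe(fh.read(PAGE_SIZE))


# Constructed sample pages standing in for the two files in the thread.
ZEROED_PAGE = bytes(PAGE_SIZE)
active = bytearray(PAGE_SIZE)
active[:4] = b"hibr"
struct.pack_into("<I", active, COUNT_OFFSET, 37)          # constructed, plausible count
ACTIVE_PAGE = bytes(active)
GARBAGE_PAGE = b"\xff" * PAGE_SIZE                        # stale disk content

if __name__ == "__main__":
    for name, page in [("first_empty", ZEROED_PAGE), ("active", ACTIVE_PAGE),
                       ("garbage", GARBAGE_PAGE)]:
        print(name, describe(page))
    # A garbage page that happened to carry the signature still fails safely:
    try:
        bounded_count(read_entry_count(b"hibr" + b"\xff" * (PAGE_SIZE - 4)))
    except ValueError as err:
        print("rejected:", err)
```

Running it against the two 16-page samples from the thread would report the XP file as `zeroed` or `unrecognized` and the Vista file as `active`, which tells you before conversion whether the header is trustworthy or has to be carved; the `ValueError` path is the diagnostic the converter should have produced instead of `OverflowError`.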

