[Vol-users] Problem converting hiberfil.sys
msuiche at gmail.com
Sat Nov 20 04:06:06 CST 2010
Regarding hiberfil_16_pages_first_empty.dd it seems this version of the
hibernation file is not using the xpress format. The fact that the first
page is empty is not a problem.
It seems it uses the old NT 5.0 hibernation format (LZNT1), which is not
supported either by volatility or hibr2bin/hibr2dmp. The main reason I never
took a look at it is the lack of time for free research. To
recognize an old format, this is the methodology:
# Always look for \x81\x81xpress at the beginning of each first 16 pages.
The Windows Vista problem is weird because I don't see anything abnormal.
Are you using hibr2dmp or hibr2bin?
On Sat, Nov 20, 2010 at 10:49 AM, Christian Herndler <christian at herndler.com
> Sorry for the delay, I've been out of office for two days ...
> I've checked out SVN Revision 527, I think that's the latest version.
> Thanks for your kind offer. I've attached the first 16 pages of two
> different hibernation files (off list).
> hiberfil_16_pages_first_empty.dd is from WindowsXP SP0 German. That file
> doesn't look to me like a valid hibernation file - is it possible that
> the machine it comes from has been configured for hibernation but
> hibernation mode has never been used? Is it right that in such a case
> windows will just reserve the space necessary for the hibernation file
> but will not do any initialization, so that the file will probably contain
> random data from files which previously occupied that disk space?
> hiberfil_16_pages_active.dd is from Windows Vista Business SP1 32Bit, it
> looks like an active hibernation file but gives the same error when I
> tried converting it ("Failed. Cannot open file. Please check if the file
> is not being used")
> So both files give the same error, I tried it on Windows7 and on a
> Windows XP box too to make sure that it isn't related to an eventual
> UAC/Win7/64Bit problem.
> Thank you
> On 11/18/2010 05:53 PM, AAron Walters wrote:
> > Hey Christian!
> > What version of Volatility are you using? I'm not sure they are related
> > to your issue but there were some bugfixes for issues related to
> > inactive hibernation files (i.e. first page zeroed).
> > The first page being empty means that the information normally found in
> > the hibernation header needs to be carved from the sample. It normally
> > just requires an extra couple of steps.
> > Thanks,
> > AW
> > On Wed, 17 Nov 2010, Christian Herndler wrote:
> >> Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
> >> either (error was: "Failed. Cannot open file. Please check if the file
> >> is not being used")
> >> The first page (4096 bytes) of the file is empty - but as far as I know
> >> that shouldn't be a problem.
> >> Christian
> >> On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
> >>> Christian-
> >>> Perhaps try the following syntax:
> >>> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> >>> I recommend Matt's standalone windows executable hibr2bin from moonsol.
> >>> Thanks,
> >>> JB
> >>> Sent via BlackBerry by AT&T
> >>> -----Original Message-----
> >>> From: Christian Herndler <christian at herndler.com>
> >>> Sender: vol-users-bounces at volatilityfoundation.org
> >>> Date: Wed, 17 Nov 2010 08:55:24
> >>> To: <vol-users at volatilityfoundation.org>
> >>> Subject: [Vol-users] Problem converting hiberfil.sys
> >>> Hello,
> >>> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
> >>> following error:
> >>> ./volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> >>> Traceback (most recent call last):
> >>> File "./volatility", line 219, in <module>
> >>> main()
> >>> File "./volatility", line 212, in main
> >>> modules[argv].execute(argv, argv[2:])
> >>> File "/opt/Volatility/vmodules.py", line 62, in execute
> >>> self.cmd_execute(module, args)
> >>> File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
> >>> hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
> >>> File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
> >>> in __init__
> >>> for i in range(0,EntryCount):
> >>> OverflowError: range() result has too many items
> >>> any ideas ?
> >>> Christian
> >>> _______________________________________________
> >>> Vol-users mailing list
> >>> Vol-users at volatilityfoundation.org
> >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
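The check suggested at the top of this message (look for \x81\x81xpress at the start of each of the first 16 pages, and note whether page 0 is zeroed) written out as an added Python example. This is not code from the thread, from Volatility or from hibr2bin; the two sample images at the bottom are constructed for illustration, and the "hibr"/"wake" header values in the docstring refer to the Vista/7 header layout, not to anything in the thread.

```python
PAGE_SIZE = 4096
XPRESS_MAGIC = b"\x81\x81xpress"  # signature that starts each Xpress-compressed block


def classify_hiberfil(data, pages=16):
    """Inspect the first `pages` pages of a hibernation file image (bytes).

    Returns a dict:
      first_page_empty: True when page 0 is entirely zero (the "inactive" or
                        "header must be carved" case discussed in the thread)
      header_signature: the four bytes at offset 0 ("hibr" on an active
                        Vista/7 file, "wake" once it has been resumed)
      xpress_pages:     indices of inspected pages starting with \x81\x81xpress
      verdict:          "xpress" if any page carries the magic, otherwise
                        "no-xpress-magic" (older LZNT1 layout, or space that
                        was reserved for hiberfil.sys but never written)
    """
    xpress_pages = []
    for i in range(pages):
        page = data[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
        if not page:
            break  # image is shorter than `pages` pages
        if page.startswith(XPRESS_MAGIC):
            xpress_pages.append(i)
    first = data[:PAGE_SIZE]
    return {
        "first_page_empty": len(first) == PAGE_SIZE and not any(first),
        "header_signature": bytes(data[:4]),
        "xpress_pages": xpress_pages,
        "verdict": "xpress" if xpress_pages else "no-xpress-magic",
    }


def classify_file(path, pages=16):
    """Read only the first `pages` pages, so a multi-GB hiberfil.sys is cheap to test."""
    with open(path, "rb") as fh:
        return classify_hiberfil(fh.read(pages * PAGE_SIZE), pages)


# Constructed samples (not real hibernation data): an image whose first page is
# zeroed but whose second page begins with an Xpress block, and an image made
# of non-zero filler with no magic anywhere in the first 16 pages.
SAMPLE_XPRESS = (bytes(PAGE_SIZE) + XPRESS_MAGIC + b"\x00" * (PAGE_SIZE - 8)
                 + b"\xff" * (14 * PAGE_SIZE))
SAMPLE_LEGACY = b"\x5a" * (16 * PAGE_SIZE)

if __name__ == "__main__":
    for name, blob in (("first-page-empty", SAMPLE_XPRESS), ("no-magic", SAMPLE_LEGACY)):
        print(name, classify_hiberfil(blob))
```

Run it against the first 16 pages of a real image with `classify_file("hiberfil_16_pages_active.dd")`; an empty `xpress_pages` on an image that is otherwise non-zero is the LZNT1/legacy case the reply above describes.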