[Vol-users] Problem converting hiberfil.sys

Matthieu Suiche msuiche at gmail.com
Sat Nov 20 04:06:06 CST 2010


Dear,

Regarding hiberfil_16_pages_first_empty.dd it seems this version of the
hibernation file is not using the xpress format. The fact that the first
page is empty is not a problem.

It seems it uses the old NT 5.0 hibernation format (LZNT1) which is not
supported either by volatility or hibr2bin/hibr2dmp. The main reason I never
took a look at it is the lack of time for free research. To
recognize an old format this is the methodology :
# Always look for \x81\x81xpress at the beginning of each of the first 16 pages.

The Windows Vista problem is weird because I don't see anything abnormal.
Are you using hibr2dmp or hibr2bin ?

Regards,
--
Matthieu Suiche


On Sat, Nov 20, 2010 at 10:49 AM, Christian Herndler <christian at herndler.com> wrote:

> Sorry for the delay, I've been out of office for two days ...
>
>
> @aaron
>
> I've checked out SVN Revision 527, I think that's the latest version.
>
> @matthieu
>
> Thanks for your kind offer. I've attached the first 16 pages of two
> different hibernation files (off list).
>
> hiberfil_16_pages_first_empty.dd is from WindowsXP SP0 German. That file
> doesn't look to me like a valid hibernation file - is it possible that
> the machine it comes from has been configured for hibernation but
> hibernation mode has never been used ? Is it right that in such a case
> windows will just reserve the space necessary for the hibernation file
> but will not do any initialization so that file will probably contain
> random data from files which previously occupied that disk space ?
>
> hiberfil_16_pages_active.dd is from Windows Vista Business SP1 32Bit, it
> looks like an active hibernation file but gives the same error when I
> tried converting it ("Failed. Cannot open file. Please check if the file
> is not being used")
>
> So both files give the same error, I tried it on Windows7 and on a
> Windows XP box too to make sure that it isn't related to an eventual
> UAC/Win7/64Bit problem.
>
> Thank you
>
> Christian
>
> On 11/18/2010 05:53 PM, AAron Walters wrote:
> >
> >
> > Hey Christian!
> >
> > What version of Volatility are you using?  I'm not sure they are related
> > to your issue but there were some bugfixes for issues related to
> > inactive hibernation files (ie first page zero'd).
> >
> > The first page being empty means that the information normally found in
> > the hibernation header needs to be carved from the sample.  It normally
> > just requires an extra couple of steps.
> >
> > Thanks,
> >
> > AW
> >
> > On Wed, 17 Nov 2010, Christian Herndler wrote:
> >
> >> Thanks for your suggestion. I did try hibr2bin.exe, that didn't work
> >> either (error was: "Failed. Cannot open file. Please check if the file
> >> is not being used")
> >>
> >> The first page (4096 Byte) of the file is empty - but as far as I know
> >> that shouldn't be a problem.
> >>
> >> Christian
> >>
> >>
> >> On 11/17/2010 02:40 PM, Johnathan Bridbord wrote:
> >>> Christian-
> >>>
> >>> Perhaps try the following syntax:
> >>>
> >>> #python volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> >>>
> >>> I recommend Matt's standalone windows executable hibr2bin from moonsol.
> >>>
> >>> Thanks,
> >>> JB
> >>> Sent via BlackBerry by AT&T
> >>>
> >>> -----Original Message-----
> >>> From: Christian Herndler <christian at herndler.com>
> >>> Sender: vol-users-bounces at volatilityfoundation.org
> >>> Date: Wed, 17 Nov 2010 08:55:24
> >>> To: <vol-users at volatilityfoundation.org>
> >>> Subject: [Vol-users] Problem converting hiberfil.sys
> >>>
> >>> Hello,
> >>>
> >>> I tried to convert a hiberfil.sys from WindowsXP SP0 German and get the
> >>> following error:
> >>>
> >>> ./volatility hibinfo -f /tmp/hiberfil.sys -d /tmp/hiberfil.dd
> >>> Traceback (most recent call last):
> >>>   File "./volatility", line 219, in <module>
> >>>     main()
> >>>   File "./volatility", line 212, in main
> >>>     modules[argv[1]].execute(argv[1], argv[2:])
> >>>   File "/opt/Volatility/vmodules.py", line 62, in execute
> >>>     self.cmd_execute(module, args)
> >>>   File "/opt/Volatility/vmodules.py", line 1616, in hibinfo
> >>>     hiberAS = WindowsHiberFileSpace32(fileAS,0,0)
> >>>   File "/opt/Volatility/forensics/win32/hiber_addrspace.py", line 146,
> >>> in __init__
> >>>     for i in range(0,EntryCount):
> >>> OverflowError: range() result has too many items
> >>>
> >>> any ideas ?
> >>>
> >>> Christian
> >>> _______________________________________________
> >>> Vol-users mailing list
> >>> Vol-users at volatilityfoundation.org
> >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
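The triage rule Matthieu gives above (look for `\x81\x81xpress` at the start of each of the first 16 pages) and Aaron's note that an all-zero first page is not by itself a problem, as an added, hypothetical Python helper that is not code from the thread, Volatility or hibr2bin; the sample images are constructed here, not the attachments discussed in the thread.

```python
# Added triage helper for the rule in this thread: does any of the first 16
# pages of a hibernation file open with the Xpress block marker?
# Hypothetical helper, not Volatility or hibr2bin code.

PAGE_SIZE = 4096                   # one hibernation-file page (4096 bytes, as in the thread)
XPRESS_MAGIC = b"\x81\x81xpress"   # marker at the start of an Xpress-compressed block
PAGES_TO_CHECK = 16                # Matthieu's rule: inspect the first 16 pages

def scan_pages(data, pages=PAGES_TO_CHECK):
    """Return (first_page_empty, list of page indices that begin with the marker)."""
    first_page_empty = data[:PAGE_SIZE] == b"\x00" * PAGE_SIZE
    hits = []
    for i in range(pages):
        page = data[i * PAGE_SIZE:(i + 1) * PAGE_SIZE]
        if not page:               # image shorter than requested; stop cleanly
            break
        if page.startswith(XPRESS_MAGIC):
            hits.append(i)
    return first_page_empty, hits

def classify(data, pages=PAGES_TO_CHECK):
    """'xpress' when a marker opens one of the first pages (the layout the tools
    parse); otherwise 'no-xpress-marker', i.e. an older or unsupported layout.
    An all-zero first page alone does not change the verdict."""
    _, hits = scan_pages(data, pages)
    return "xpress" if hits else "no-xpress-marker"

def classify_file(path, pages=PAGES_TO_CHECK):
    """Read only the pages needed, so a multi-GB hiberfil is never fully loaded."""
    with open(path, "rb") as f:
        return classify(f.read(pages * PAGE_SIZE), pages)

# Constructed sample images (not the attachments from the thread).
FILLER = bytes(range(256)) * (PAGE_SIZE // 256)       # deterministic non-zero page
EMPTY = b"\x00" * PAGE_SIZE
MARKED = XPRESS_MAGIC + FILLER[len(XPRESS_MAGIC):]    # page that opens with the marker

# Empty first page, marker on page 3: an active file whose header page is unwritten.
SAMPLE_ACTIVE = EMPTY + FILLER * 2 + MARKED + FILLER * 12
# No marker in the first 16 pages: the case the thread describes as unsupported.
SAMPLE_NO_MARKER = FILLER * 16

if __name__ == "__main__":
    for name, img in (("active", SAMPLE_ACTIVE), ("no-marker", SAMPLE_NO_MARKER)):
        print(name, scan_pages(img), classify(img))
```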