Michael,
Thanks for taking the time to perform the testing. Comments are inline.
The good news: Both result files are identical.
I figured this would probably be the result.
The bad news: I don't have any clue why the decompression of my case
relevant hiberfil.sys did not properly work with volatility but did with
XWF.
I'm not really sure this is bad news. Getting rid of bugs is a good
thing. At the moment, I'm not entirely convinced the problem is with
Volatility.
Do you have any more details about the system whose runtime state is found
in your hiberfil? (OS, Version, etc)
I did compare the vol and the XWF-version of my case files but I can't
interpret or explain the differences. What should I look for?
How did you compare the converted samples? Personally I would hash
all the pages in the converted samples and enumerate which ones are
different. Once you have found the ones that differ I would look to see
how they differ. This could all be scripted very easily... Depending on
how this goes we may be able to send you the PPAS (Privacy Preserving
Address Space).
Thanks,
AW
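
The page-by-page comparison suggested in the message above, sketched as an added example (not part of the original message and not Volatility code). It assumes both conversions are flat raw images with 4 KiB pages. The function names and the zero-page classification are illustrative choices.

```python
import hashlib
import sys

PAGE_SIZE = 4096  # assumption: 4 KiB pages in both converted images


def page_hashes(stream, page_size=PAGE_SIZE):
    """Yield (offset, sha256 digest, is_all_zero) for each page of a raw image."""
    offset = 0
    while True:
        page = stream.read(page_size)
        if not page:
            break
        yield offset, hashlib.sha256(page).digest(), not any(page)
        offset += len(page)


def diff_pages(stream_a, stream_b, page_size=PAGE_SIZE):
    """Return [(offset, kind)] for every page that differs between two images.

    kind is zero_in_a / zero_in_b when one side is an empty page (a page one
    converter never filled in), content_differs when both sides hold data,
    and only_in_a / only_in_b when one image is longer than the other.
    """
    diffs = []
    it_a = page_hashes(stream_a, page_size)
    it_b = page_hashes(stream_b, page_size)
    while True:
        a, b = next(it_a, None), next(it_b, None)
        if a is None and b is None:
            return diffs
        if a is None or b is None:
            diffs.append(((a or b)[0], "only_in_a" if b is None else "only_in_b"))
        elif a[1] != b[1]:
            if a[2]:
                kind = "zero_in_a"
            elif b[2]:
                kind = "zero_in_b"
            else:
                kind = "content_differs"
            diffs.append((a[0], kind))


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <image converted by tool A> <image converted by tool B>
    with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
        for offset, kind in diff_pages(fa, fb):
            print(f"{offset:#014x} {kind}")
```

A run of zero_in_a or zero_in_b pages points at pages one converter left undecompressed, while scattered content_differs pages call for a byte-level look at those offsets.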