Hi everybody,
I've found that if you interrupt the hibernation file restore on
Windows XP, the header changes from "hibr" to "wake". Unfortunately,
such hibernation files cannot be processed by Volatility due to a
simple check in vutils.py. The code attached patches vutils to allow
parsing of these files.
--
Jesse