On this mailing list there was some discussion about hibernation files
with the first page (0x1000 bytes) zeroed out. The SVN version of hibinfo
converts one of these "inactive" hibernation files into a raw dd-type
image. But that seems to be all the support it currently has.
As an experiment, we changed is_hiberfil() to always return True and ran
the Volatility commands on an inactive hibernation file. They all appear
to run successfully.
So this leads to a few questions:
1) Was that just a fluke of the file we used that the Volatility commands
worked?
2) Are there any plans to identify/support hibernation files with the
first page zeroed out?
3) Can we assume that a file with the first 0x1000 bytes zeroed out is a
hibernation file?
4) If the answer to (2) is 'no' and the answer to (3) is 'yes', where can
we submit a patch?
Thanks
-matthew
I have a hiberfil.sys file from a windows xp sp3 machine and I am trying to
convert it to dd using the hibinfo script in volatility. I keep getting an
error halfway through the script as follows:
$ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiber.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0afc0080
CR4: 000006f1
CR4[PSE]: 1
CR4[PAE]: 1
Traceback (most recent call last):
File "volatility", line 219, in <module>
main()
File "volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
self.cmd_execute(module, args)
File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
(major,minor,build) = hiberAS.get_version()
File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined
I am wondering if it is because this is a sp3 box??? Any help would be
appreciated.
Mark Morgan
702-942-2556
Mark,
Let me know if you figure it out. I just tried the same command and received the following error:
======================================================================
C:\Python25>python \Volatility3\volatility hibinfo -f c:\hiberfil_test\hiberfil.sys -d c:\hibertest.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 00010000
CR0[PAGING]: 0
CR3: 7aed0001
CR4: 00010000
CR4[PSE]: 0
CR4[PAE]: 0
Traceback (most recent call last):
File "\Volatility3\volatility", line 219, in <module>
main()
File "\Volatility3\volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "C:\Volatility3\vmodules.py", line 62, in execute
self.cmd_execute(module, args)
File "C:\Volatility3\vmodules.py", line 1677, in hibinfo
(major,minor,build) = hiberAS.get_version()
File "C:\Volatility3\forensics\win32\hiber_addrspace.py", line 467, in get_version
['_KGDTENTRY','BaseLow'], NtTibAddr)
File "C:\Volatility3\forensics\object.py", line 206, in read_obj
return read_value(addr_space, current_type, vaddr + offset)
File "C:\Volatility3\forensics\object.py", line 71, in read_value
buf = addr_space.read(vaddr, type_size)
File "C:\Volatility3\forensics\x86.py", line 124, in read
paddr = self.vtop(vaddr)
File "C:\Volatility3\forensics\x86.py", line 109, in vtop
if self.entry_present(pgd):
File "C:\Volatility3\forensics\x86.py", line 72, in entry_present
if (entry & (0x00000001)) == 0x00000001:
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
==================================================================
Detective Ritch Gilleland, EnCE, CCI
Sacramento Police Department
Office: 916-808-0564
RGilleland(a)pd.cityofsacramento.org
>>> Mark Morgan <mark.morgan47(a)gmail.com> 10/06/09 9:48 AM >>>
I'm sorry, that by far exceeds my knowledge about the hibernate stuff. I
don't even have a suitable file for testing on stock. Could someone else
please look into this?
Thanks,
Andreas
Mark Morgan:
> Andreas,
>
> Thanks for the quick reply. I changed the line as requested and here
> is the error I get:
>
> $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/sandman/hiberfil.sys -d hiber.dd
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 80010031
> CR0[PAGING]: 1
> CR3: 0afc0080
> CR4: 000006f1
> CR4[PSE]: 1
> CR4[PAE]: 1
> Traceback (most recent call last):
> File "volatility", line 219, in <module>
> main()
> File "volatility", line 212, in main
> modules[argv[1]].execute(argv[1], argv[2:])
> File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
> self.cmd_execute(module, args)
> File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
> (major,minor,build) = hiberAS.get_version()
> File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 467, in get_version
> ['_KGDTENTRY','BaseLow'], NtTibAddr)
> File "c:\Volatility-1.3_Beta\forensics\object.py", line 246, in read_obj
> return read_value(addr_space, current_type, vaddr + offset)
> File "c:\Volatility-1.3_Beta\forensics\object.py", line 71, in read_value
> buf = addr_space.read(vaddr, type_size)
> File "c:\Volatility-1.3_Beta\forensics\x86.py", line 313, in read
> paddr = self.vtop(vaddr)
> File "c:\Volatility-1.3_Beta\forensics\x86.py", line 294, in vtop
> if not self.entry_present(pdpe):
> File "c:\Volatility-1.3_Beta\forensics\x86.py", line 239, in entry_present
> if (entry & (0x00000001)) == 0x00000001:
> TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
>
> And here is the portion of the hiber_addrspace.py that I changed:
>
> from forensics.addrspace import FileAddressSpace
> import forensics.x86
> from forensics.object import *
> from forensics.win32.xpress import xpress_decode
> from thirdparty.progressbar import *
> from forensics.win32.datetime import *
> from vtypes import xpsp2types as types
> from forensics.x86 import IA32PagedMemory,IA32PagedMemoryPae
>
>
> Mark Morgan
>
> On Tue, Oct 6, 2009 at 11:06 AM, Andreas Schuster <a.schuster(a)yendor.net> wrote:
> > Mark,
> >
> > Thank you for your bug report.
> >
> > > CR4[PAE]: 1
> >
> > > File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
> > > addr_space = IA32PagedMemoryPae(self,self.CR3)
> > > NameError: global name 'IA32PagedMemoryPae' is not defined
> >
> > > I am wondering if it is because this is a sp3 box??? Any help would be appreciated.
> >
> > No, it happens because the system was in PAE mode (CR4[PAE]: 1), but the
> > programmer forgot to import the PAE address space.
> >
> > Please edit forensics/win32/hiber_addrspace.py, line 43, to become:
> > from forensics.x86 import IA32PagedMemory, IA32PagedMemoryPae
> >
> > Please let us know if this fixes the problem.
> >
> > Thanks!
> > Andreas
>
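An added example (not hibinfo's or Volatility's own code) that ties the two tracebacks in this thread together: it decodes the CR0/CR4 flag bits hibinfo prints, picks between the two address-space classes named above the way the corrected import allows, and guards the entry_present check so a read that comes back as None reports "not present" instead of raising the TypeError shown. The bit positions are the architectural IA-32 ones; the function names and the paging_summary wrapper are this example's own.

```python
# Added example, not hibinfo's own code. Bit positions are the architectural
# IA-32 ones; the two class names are the ones named in the thread.
CR0_PG = 1 << 31   # CR0[PAGING]
CR4_PSE = 1 << 4   # CR4[PSE]
CR4_PAE = 1 << 5   # CR4[PAE]


def decode_control_registers(cr0: int, cr4: int) -> dict:
    """Return the three flags hibinfo prints, as booleans."""
    return {
        "CR0[PAGING]": bool(cr0 & CR0_PG),
        "CR4[PSE]": bool(cr4 & CR4_PSE),
        "CR4[PAE]": bool(cr4 & CR4_PAE),
    }


def select_address_space(cr0: int, cr4: int) -> str:
    """Name the address-space class get_version() needs for this header.

    A header with paging disabled cannot describe a running NT kernel, so it
    is rejected here rather than feeding a page-table walk that fails later
    (the run above that printed CR0[PAGING]: 0 went on to fail that way).
    """
    flags = decode_control_registers(cr0, cr4)
    if not flags["CR0[PAGING]"]:
        raise ValueError("CR0[PAGING] is 0: header does not describe a paged kernel")
    return "IA32PagedMemoryPae" if flags["CR4[PAE]"] else "IA32PagedMemory"


def entry_present(entry):
    """Guarded form of the check in forensics/x86.py.

    A read that fell outside the backing file comes back as None; treating
    it as 'not present' lets vtop() fail cleanly instead of raising
    'unsupported operand type(s) for &: NoneType and int'.
    """
    return entry is not None and (entry & 0x00000001) == 0x00000001


def paging_summary(cr0: int, cr4: int) -> str:
    """One-line verdict suitable for a wrapper around hibinfo."""
    try:
        return "usable header, address space " + select_address_space(cr0, cr4)
    except ValueError as err:
        return "unusable header: " + str(err)
```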