Members of the list,

I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system. It is from a laptop which, I'm pretty sure, is running Home Premium 32-bit.

I use an XP system to run the standalone version of Volatility. Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo' I get:

'         Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys)
                      PAE type : PAE
                           DTB : 0x0L
             KUSER_SHARED_DATA : 0xffdf0000L'

Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo' I get:

'Volatility Foundation Volatility Framework 2.3.1
PO_MEMORY_IMAGE:
Signature: HIBR
SystemTime: 1970-01-01 00:00:00 UTC+0000

Control registers flags
CR0: 00000000
CR0[PAGING]: 0
CR3: 00000000
CR4: 00000000
CR4[PSE]: 0
CR4[PAE]: 0

Windows Version is -.- (-)'

Other modules seem to hang, or produce no results.

I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it.

I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website.

I'm wondering if I'm trying to do something Volatility doesn't support yet, or if I am simply making a mistake.

Thanks,
andybellman@outlook.com