Re: [Vol-users] hibinfo script
6 Oct
2009
6 Oct
'09
4:46 p.m.
Yes it appears it is.
mark
On Tue, Oct 6, 2009 at 1:36 PM, Matthieu Suiche <msuiche(a)gmail.com> wrote:
Is the first page of your hibernation file empty?
--
Matthieu Suiche
On Tue, Oct 6, 2009 at 6:46 PM, Mark Morgan <mark.morgan47(a)gmail.com>
wrote:
I have a hiberfil.sys file from a windows xp sp3
machine and I am trying
to
convert it to dd using the hibinfo script in
volatility. I keep getting
an
error half through the script as follows:
$ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\
Morgan/My\
Doc
uments/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\
Morgan/
My\ Documents/Hiberfil\ Test/hiber.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0afc0080
CR4: 000006f1
CR4[PSE]: 1
CR4[PAE]: 1
Traceback (most recent call last):
File "volatility", line 219, in <module>
main()
File "volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
self.cmd_execute(module, args)
File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
(major,minor,build) = hiberAS.get_version()
File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line
452, in
get_version
addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined
I am wondering if it is because this is a sp3 box??? Any help would be
appreciated.
Mark Morgan
702-942-2556
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Attachments:
- attachment.html (text/html — 2.7 KB)