On Tue, Oct 6, 2009 at 6:46 PM, Mark Morgan <
mark.morgan47@gmail.com> wrote:
> I have a hiberfil.sys file from a windows xp sp3 machine and I am trying to
> convert it to dd using the hibinfo script in volatility. I keep getting an
> error half through the script as follows:
>
> $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\
> Doc
> uments/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\
> Morgan/
> My\ Documents/Hiberfil\ Test/hiber.dd
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 80010031
> CR0[PAGING]: 1
> CR3: 0afc0080
> CR4: 000006f1
> CR4[PSE]: 1
> CR4[PAE]: 1
> Traceback (most recent call last):
> File "volatility", line 219, in <module>
> main()
> File "volatility", line 212, in main
> modules[argv[1]].execute(argv[1], argv[2:])
> File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
> self.cmd_execute(module, args)
> File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
> (major,minor,build) = hiberAS.get_version()
> File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line
> 452, in
> get_version
> addr_space = IA32PagedMemoryPae(self,self.CR3)
> NameError: global name 'IA32PagedMemoryPae' is not defined
>
>
> I am wondering if it is because this is a sp3 box??? Any help would be
> appreciated.
>
>
> Mark Morgan
> 702-942-2556
>