Re: [Vol-users] Analyzing a hiberfil.sys

Hello folks, I am new to volatility but used it successfully several times. Thank to all contributors. Today I wanted to analyze some hibernation files with it but had no success: python volatility hibinfo -f "G:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack.sys" -d "g:\X-Ways-Images\##bad guy##\RAM-Analyse\hiberfil-NB-###-ohne-Slack-decom-vola.sys" C:\Micha\Forensics\Volatility\forensics\win32\crashdump.py:31: DeprecationWarning: the sha module is deprecated; use the hashlib module instead import sha Signature: SystemTime: Thu Jan 01 00:00:00 1970 Control registers flags CR0: 80010031 CR0[PAGING]: 1 CR3: 0a338080 CR4: 000006f9 CR4[PSE]: 1 CR4[PAE]: 1 Traceback (most recent call last):   File "volatility", line 219, in <module>     main()   File "volatility", line 212, in main     modules[argv[1]].execute(argv[1], argv[2:])   File "C:\Micha\Forensics\Volatility\vmodules.py", line 62, in execute     self.cmd_execute(module, args)   File "C:\Micha\Forensics\Volatility\vmodules.py", line 1677, in hibinfo     (major,minor,build) =  hiberAS.get_version()   File "C:\Micha\Forensics\Volatility\forensics\win32\hiber_addrspace.py", line 452, in get_version     addr_space = IA32PagedMemoryPae(self,self.CR3) NameError: global name 'IA32PagedMemoryPae' is not defined The OS to be analyzed is WinXP SP 2. I used X-Ways-Forensics to cut the slack of the hiberfil.sys off. XWF did successfully decompress the so cutted file and interpret it as a virtual RAM-filesystem. I had more than one hiberfil to look at but non did work with volatility hibinfo. Has anyone made experiences with that? Any help appreciated. Regards Michael Felber Special agent Germany _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users