Thanks, that sounds like it may be a good reason. I will do some more testing...
Detective Ritch Gilleland, EnCE, CCI
Sacramento Police Department
Electronic Crimes Unit
Office: 916-808-0564
RGilleland@pd.cityofsacramento.org

>>> Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 10/6/2009 13:42 >>>
Quick rule of thumb: if the SystemTime shows up as 1970, it typically 
means that the hibernation file was collected while the system was 
not actually hibernating. In this case, the first 0x1000 bytes of the 
file will be zeroed out, which (in the 1.3 Beta version of 
Volatility) causes things to break.

My recommendation is to check out the current SVN version of 
Volatility (which will be released as 1.3.1 soon!), which should be 
able to convert such files to dd format. Or use Matthieu's Sandman 
tools, which support hibernation files with the first page zeroed.

The SVN version can be obtained by running:
svn checkout http://volatility.googlecode.com/svn/trunk/Volatility

-Brendan

On Oct 6, 2009, at 1:32 PM, Richard Gilleland wrote:

> Mark,
>
> Let me know if you figure it out. I just tried the same command and 
> received the following error:
>
> ======================================================================
> C:\Python25>python \Volatility3\volatility hibinfo -f c:\hiberfil_test\hiberfil.sys -d c:\hibertest.dd
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 00010000
> CR0[PAGING]: 0
> CR3: 7aed0001
> CR4: 00010000
> CR4[PSE]: 0
> CR4[PAE]: 0
> Traceback (most recent call last):
>  File "\Volatility3\volatility", line 219, in <module>
>    main()
>  File "\Volatility3\volatility", line 212, in main
>    modules[argv[1]].execute(argv[1], argv[2:])
>  File "C:\Volatility3\vmodules.py", line 62, in execute
>    self.cmd_execute(module, args)
>  File "C:\Volatility3\vmodules.py", line 1677, in hibinfo
>    (major,minor,build) =  hiberAS.get_version()
>  File "C:\Volatility3\forensics\win32\hiber_addrspace.py", line 467, in get_version
>    ['_KGDTENTRY','BaseLow'], NtTibAddr)
>  File "C:\Volatility3\forensics\object.py", line 206, in read_obj
>    return read_value(addr_space, current_type, vaddr + offset)
>  File "C:\Volatility3\forensics\object.py", line 71, in read_value
>    buf = addr_space.read(vaddr, type_size)
>  File "C:\Volatility3\forensics\x86.py", line 124, in read
>    paddr = self.vtop(vaddr)
>  File "C:\Volatility3\forensics\x86.py", line 109, in vtop
>    if self.entry_present(pgd):
>  File "C:\Volatility3\forensics\x86.py", line 72, in entry_present
>    if (entry & (0x00000001)) == 0x00000001:
> TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
>
> ==================================================================
>
>
> Detective Ritch Gilleland, EnCE, CCI
> Sacramento Police Department
> Office: 916-808-0564
> RGilleland@pd.cityofsacramento.org
>>>> Mark Morgan <mark.morgan47@gmail.com> 10/06/09 9:48 AM >>>
> I have a hiberfil.sys file from a Windows XP SP3 machine and I am trying to
> convert it to dd using the hibinfo script in volatility.  I keep getting an
> error halfway through the script as follows:
>
> $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiber.dd
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 80010031
> CR0[PAGING]: 1
> CR3: 0afc0080
> CR4: 000006f1
> CR4[PSE]: 1
> CR4[PAE]: 1
> Traceback (most recent call last):
>   File "volatility", line 219, in <module>
>     main()
>   File "volatility", line 212, in main
>     modules[argv[1]].execute(argv[1], argv[2:])
>   File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
>     self.cmd_execute(module, args)
>   File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
>     (major,minor,build) =  hiberAS.get_version()
>   File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
>     addr_space = IA32PagedMemoryPae(self,self.CR3)
> NameError: global name 'IA32PagedMemoryPae' is not defined
>
>
> I am wondering if it is because this is a sp3 box???  Any help would be
> appreciated.
>
>
> Mark Morgan
> 702-942-2556
>
>
>
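
The rule of thumb in Brendan's reply (a zeroed first 0x1000 bytes means the file was collected while the system was not hibernating) can be checked before running hibinfo. The following is an added example, not part of the thread and not Volatility code; the function name, status labels and sample byte strings (including the `hibr` value) are constructed for illustration.

```python
import io

PAGE_SIZE = 0x1000  # the thread says the first 0x1000 bytes are zeroed


def triage_hiber_header(stream, max_scan_pages=4096):
    """Classify the first page of a hibernation file opened in binary mode."""
    header = stream.read(PAGE_SIZE)
    if len(header) < PAGE_SIZE:
        return {"status": "truncated", "signature": None, "first_data_offset": None}
    if header.strip(b"\x00"):
        # Header holds data: report its leading 4 bytes without interpreting them.
        return {"status": "header_present", "signature": header[:4],
                "first_data_offset": 0}
    # Header page is all zeros. Find the first later page that holds data, to
    # tell a zeroed header in front of real content apart from an empty file.
    for page_no in range(1, max_scan_pages + 1):
        page = stream.read(PAGE_SIZE)
        if not page:
            break
        if page.strip(b"\x00"):
            return {"status": "zeroed_header", "signature": None,
                    "first_data_offset": page_no * PAGE_SIZE}
    return {"status": "no_data_found", "signature": None, "first_data_offset": None}


def constructed_samples():
    """Constructed byte strings standing in for real files (not real images)."""
    zero_page = b"\x00" * PAGE_SIZE
    data_page = b"\x41" * PAGE_SIZE
    return {
        "zeroed header": zero_page + zero_page + data_page,
        "intact header": b"hibr" + b"\x00" * (PAGE_SIZE - 4) + data_page,
        "short file": b"\x00" * 100,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # path to a hiberfil.sys copy
            print(triage_hiber_header(fh))
    else:
        for name, blob in constructed_samples().items():
            print(name, triage_hiber_header(io.BytesIO(blob)))
```

A `zeroed_header` result matches the case described in the reply, where the 1.3 Beta hibinfo breaks and the SVN version or a tool that supports a zeroed first page is the suggested route.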