Quick rule of thumb: if the SystemTime shows up as 1970, it typically
means that the hibernation file was collected while the system was
not actually hibernating. In this case, the first 0x1000 bytes of the
file will be zeroed out, which (in the 1.3 Beta version of
Volatility) causes things to break.
My recommendation is to check out the current SVN version of
Volatility (which will be released as 1.3.1 soon!), which should be
able to convert such files to dd format. Or use Matthieu's Sandman
tools, which support hibernation files with the first page zeroed.
The SVN version can be obtained by running:
svn checkout 
  Mark,
 Let me know if you figure it out. I just tried the same command and
 received the following error:
 ======================================================================
 C:\Python25>python \Volatility3\volatility hibinfo -f c:\hiberfil_test\hiberfil.sys -d c:\hibertest.dd
 Signature:
 SystemTime: Thu Jan 01 00:00:00 1970
 Control registers flags
 CR0: 00010000
 CR0[PAGING]: 0
 CR3: 7aed0001
 CR4: 00010000
 CR4[PSE]: 0
 CR4[PAE]: 0
 Traceback (most recent call last):
  File "\Volatility3\volatility", line 219, in <module>
    main()
  File "\Volatility3\volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "C:\Volatility3\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "C:\Volatility3\vmodules.py", line 1677, in hibinfo
    (major,minor,build) =  hiberAS.get_version()
  File "C:\Volatility3\forensics\win32\hiber_addrspace.py", line 467, in get_version
    ['_KGDTENTRY','BaseLow'], NtTibAddr)
  File "C:\Volatility3\forensics\object.py", line 206, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "C:\Volatility3\forensics\object.py", line 71, in read_value
    buf = addr_space.read(vaddr, type_size)
  File "C:\Volatility3\forensics\x86.py", line 124, in read
    paddr = self.vtop(vaddr)
  File "C:\Volatility3\forensics\x86.py", line 109, in vtop
    if self.entry_present(pgd):
  File "C:\Volatility3\forensics\x86.py", line 72, in entry_present
    if (entry & (0x00000001)) == 0x00000001:
 TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
 ==================================================================
 Detective Ritch Gilleland, EnCE, CCI
 Sacramento Police Department
 Office: 916-808-0564
 RGilleland(a)pd.cityofsacramento.org
 >> Mark Morgan <mark.morgan47(a)gmail.com> 10/06/09 9:48 AM >>>
 I have a hiberfil.sys file from a Windows XP SP3 machine and I am
 trying to convert it to dd using the hibinfo script in Volatility. I
 keep getting an error halfway through the script as follows:
 $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiber.dd
 Signature:
 SystemTime: Thu Jan 01 00:00:00 1970
 Control registers flags
 CR0: 80010031
 CR0[PAGING]: 1
 CR3: 0afc0080
 CR4: 000006f1
 CR4[PSE]: 1
 CR4[PAE]: 1
 Traceback (most recent call last):
   File "volatility", line 219, in <module>
     main()
   File "volatility", line 212, in main
     modules[argv[1]].execute(argv[1], argv[2:])
   File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
     self.cmd_execute(module, args)
   File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
     (major,minor,build) =  hiberAS.get_version()
   File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
     addr_space = IA32PagedMemoryPae(self,self.CR3)
 NameError: global name 'IA32PagedMemoryPae' is not defined
 I am wondering if it is because this is a sp3 box???  Any help would
 be appreciated.
 Mark Morgan
 702-942-2556
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
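
The rule of thumb at the top of this thread (a 1970 SystemTime usually means the first 0x1000 bytes of the hibernation file are zeroed) can be checked directly before running hibinfo. The Python code below is an added example, not part of the thread or of Volatility; the function names, the `hibr`/`wake` signature values and the constructed sample files are assumptions made for illustration.

```python
import tempfile

PAGE_SIZE = 0x1000  # header page size; the reply says this page is zeroed

# Assumption (not from the thread): 4-byte signatures commonly documented
# at offset 0 of XP-era hibernation files.
KNOWN_SIGNATURES = {b"hibr": "hibernated", b"wake": "resumed"}


def triage_hiberfil(path):
    """Return (status, first_nonzero_offset) for a hibernation file.

    status: 'too-short', 'zeroed-header', 'hibernated', 'resumed' or
    'unknown-signature'. The offset is that of the first page holding
    any non-zero byte, or None when the whole file is zeros.
    """
    with open(path, "rb") as f:
        header = f.read(PAGE_SIZE)
        if len(header) < PAGE_SIZE:
            return "too-short", None
        if any(header):
            sig = header[:4].lower()
            return KNOWN_SIGNATURES.get(sig, "unknown-signature"), 0
        # Header page is all zeros: find where real data starts.
        offset = PAGE_SIZE
        while True:
            page = f.read(PAGE_SIZE)
            if not page:
                return "zeroed-header", None
            if any(page):
                return "zeroed-header", offset
            offset += PAGE_SIZE


def write_sample(header):
    """Write a constructed test image: header page, zero page, data page."""
    tmp = tempfile.NamedTemporaryFile(suffix=".sys", delete=False)
    with tmp:
        tmp.write(header.ljust(PAGE_SIZE, b"\x00"))
        tmp.write(bytes(PAGE_SIZE))
        tmp.write(b"\x01" * PAGE_SIZE)
    return tmp.name


if __name__ == "__main__":
    for label, header in [("zeroed", b""), ("valid", b"hibr")]:
        print(label, triage_hiberfil(write_sample(header)))
```

A `zeroed-header` result matches the situation described in the top reply, where the 1.3 Beta hibinfo breaks and the SVN version or Sandman is recommended instead.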