Re: [Vol-users] hibernation files

Matthew, 1. It was not a fluke, and such files should work in general. Most of the important information in the hibernation file is not kept in the first page. 2. It's a possibility. The main problem right now, as you identified, is distinguishing between a plain dd dump and a zeroed hibernation file--there's no signature to check. 3. No. I believe that in some dd images, the first physical page is inaccessible, and zeroes may be written. If you can think of a way to detect these files that reliably distinguishes them from dd dumps, I think we'd love to have such support! Checking for the string "\x81\x81xpress" at offset 0x4000 *may* work, as 0x4000 is usually where the compressed data starts, and compressed blocks start with that signature. I just tried adding this as a secondary check to is_hiberfil, and it works on my very limited test cases (one active hiberfile, one zeroed hiberfile, and two DD images). I'd want it to get a lot more testing before putting it into production, though... In any case, here's a patch for others to try out: http://amnesia.gtisc.gatech.edu/~moyix/hibdetect.patch The best thing would be to test a large corpus of DD and hibernation files, and make sure there are no false positives. Anyone got one of those sitting around? ;) Thanks, Brendan On Oct 27, 2009, at 3:03 PM, Matthew Donovan wrote: _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users