Mark,

I have a file for testing at home...
When I get there, after work, I'll try this command out and see what happens.

Carlos Marins.
cemarins@gmail.com
Sent from Brasilia, DF, Brazil
Joan Crawford  - "I, Joan Crawford, I believe in the dollar. Everything I earn, I spend."

On Tue, Oct 6, 2009 at 16:27, Andreas Schuster <a.schuster@yendor.net> wrote:
I'm sorry, that by far exceeds my knowledge about the hibernate stuff. I
don't even have a suitable file for testing on stock. Could someone else
please look into this?

Thanks,
Andreas


Mark Morgan:
> Andreas,
>
> Thanks for the quick reply.  I changed the line as requested and here
> is the error I get:
>
> $ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/sandman/hiberfil.sys -d hiber.dd
> Signature:
> SystemTime: Thu Jan 01 00:00:00 1970
>
> Control registers flags
> CR0: 80010031
> CR0[PAGING]: 1
> CR3: 0afc0080
> CR4: 000006f1
> CR4[PSE]: 1
> CR4[PAE]: 1
> Traceback (most recent call last):
>   File "volatility", line 219, in <module>
>     main()
>   File "volatility", line 212, in main
>     modules[argv[1]].execute(argv[1], argv[2:])
>   File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
>     self.cmd_execute(module, args)
>   File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
>     (major,minor,build) =  hiberAS.get_version()
>   File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 467, in get_version
>     ['_KGDTENTRY','BaseLow'], NtTibAddr)
>   File "c:\Volatility-1.3_Beta\forensics\object.py", line 246, in read_obj
>     return read_value(addr_space, current_type, vaddr + offset)
>   File "c:\Volatility-1.3_Beta\forensics\object.py", line 71, in read_value
>     buf = addr_space.read(vaddr, type_size)
>   File "c:\Volatility-1.3_Beta\forensics\x86.py", line 313, in read
>     paddr = self.vtop(vaddr)
>   File "c:\Volatility-1.3_Beta\forensics\x86.py", line 294, in vtop
>     if not self.entry_present(pdpe):
>   File "c:\Volatility-1.3_Beta\forensics\x86.py", line 239, in entry_present
>     if (entry & (0x00000001)) == 0x00000001:
> TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
>
> And here is the portion of the hiber_addrspace.py that I changed:
>
> from forensics.addrspace import FileAddressSpace
> import forensics.x86
> from forensics.object import *
> from forensics.win32.xpress import xpress_decode
> from thirdparty.progressbar import *
> from forensics.win32.datetime import *
> from vtypes import xpsp2types as types
> from forensics.x86 import IA32PagedMemory,IA32PagedMemoryPae
>
>
> Mark  Morgan
>
> On Tue, Oct 6, 2009 at 11:06 AM, Andreas Schuster
> <a.schuster@yendor.net> wrote:
>         Mark,
>
>         Thank you for your bug report.
>
>         > CR4[PAE]: 1
>
>         >   File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
>         >     addr_space = IA32PagedMemoryPae(self,self.CR3)
>         > NameError: global name 'IA32PagedMemoryPae' is not defined
>
>         > I am wondering if it is because this is a sp3 box???  Any help would
>         > be appreciated.
>
>
>         No, it happens because the system was in PAE mode (CR4[PAE]: 1),
>         but the programmer forgot to import the PAE address space.
>
>         Please edit forensics/win32/hiber_addrspace.py, line 43, to
>         become:
>         from forensics.x86 import IA32PagedMemory, IA32PagedMemoryPae
>
>         Please let us know if this fixes the problem.
>
>         Thanks!
>         Andreas
>
>

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
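To make the failing step in the traceback above concrete, here is an added example (it is not Volatility's code and was not posted by anyone in this thread) of a PAE virtual-to-physical walk in the shape the trace shows: vtop reads the PDPE, then calls entry_present on it. The page tables are constructed by hand; the only value taken from the thread is Mark's CR3 (0x0afc0080). A hibernation file only stores the pages that were in use, so the physical-memory stand-in returns None for any page that was not saved, which is how a None reaches the `&` in `entry_present`. The guarded check treats a missing table page as "not mapped" and returns None instead of raising TypeError; the unguarded variant is kept alongside it to show the failure.

```python
import struct

PAGE_SIZE = 0x1000
PAE_ADDR_MASK = 0x000FFFFFFFFFF000   # bits 12..51 of a PAE entry: next-level table address
PAE_2M_MASK = 0x000FFFFFFFE00000     # bits 21..51: base of a 2 MiB page


class SparsePhysicalMemory:
    """Constructed stand-in for a hibernation file's page map.

    Only pages that were saved exist; any other physical address is absent,
    so read() returns None (the behaviour the traceback's address space shows).
    """

    def __init__(self, pages):
        self.pages = pages  # {page frame number: 4096-byte page content}

    def read(self, paddr, length):
        pfn, off = paddr >> 12, paddr & 0xFFF
        page = self.pages.get(pfn)
        if page is None or off + length > PAGE_SIZE:
            return None
        return page[off:off + length]


def entry_present_unchecked(entry):
    """The check as it appears in the traceback: assumes entry is an int,
    so a table page that is not in the dump raises TypeError."""
    return (entry & 0x00000001) == 0x00000001


def entry_present(entry):
    """Guarded check: a missing table page is treated as 'not present'."""
    return entry is not None and (entry & 0x00000001) == 0x00000001


class IA32PaePageWalker:
    """Minimal PAE walk: PDPT -> PD -> PT, or a 2 MiB page at the PD level."""

    def __init__(self, mem, cr3):
        self.mem = mem
        self.pdpt_base = cr3 & ~0x1F  # PAE CR3 bits 5..31: 32-byte-aligned PDPT base

    def read_entry(self, paddr):
        buf = self.mem.read(paddr, 8)
        return None if buf is None else struct.unpack("<Q", buf)[0]

    def vtop(self, vaddr):
        pdpe = self.read_entry(self.pdpt_base + ((vaddr >> 30) & 0x3) * 8)
        if not entry_present(pdpe):
            return None
        pde = self.read_entry((pdpe & PAE_ADDR_MASK) + ((vaddr >> 21) & 0x1FF) * 8)
        if not entry_present(pde):
            return None
        if pde & (1 << 7):  # PS bit: 2 MiB page, no PT level
            return (pde & PAE_2M_MASK) | (vaddr & 0x1FFFFF)
        pte = self.read_entry((pde & PAE_ADDR_MASK) + ((vaddr >> 12) & 0x1FF) * 8)
        if not entry_present(pte):
            return None
        return (pte & PAE_ADDR_MASK) | (vaddr & 0xFFF)


def build_constructed_memory():
    """Three hand-built table pages; the PD referenced by PDPE 1 is deliberately absent."""
    pdpt = bytearray(PAGE_SIZE)
    struct.pack_into("<Q", pdpt, 0x80, 0x00100000 | 1)        # PDPE 0 -> PD at 0x00100000
    struct.pack_into("<Q", pdpt, 0x88, 0x00200000 | 1)        # PDPE 1 -> PD at 0x00200000 (not in dump)
    pd = bytearray(PAGE_SIZE)
    struct.pack_into("<Q", pd, 2 * 8, 0x00101000 | 1)         # PDE 2 -> PT at 0x00101000
    struct.pack_into("<Q", pd, 4 * 8, 0x00C00000 | 0x80 | 1)  # PDE 4 -> 2 MiB page at 0x00C00000
    pt = bytearray(PAGE_SIZE)
    struct.pack_into("<Q", pt, 1 * 8, 0x00345000 | 1)         # PTE 1 -> 0x00345000
    return SparsePhysicalMemory({0x0AFC0: bytes(pdpt), 0x100: bytes(pd), 0x101: bytes(pt)})


def demo():
    # CR3 value taken from the hibinfo output in the thread; tables above are constructed.
    walker = IA32PaePageWalker(build_constructed_memory(), 0x0AFC0080)
    return {
        "4k_page": walker.vtop(0x00401ABC),         # 0x00345ABC
        "pte_absent": walker.vtop(0x00402000),      # None: PTE not present
        "2m_page": walker.vtop(0x00812345),         # 0x00C12345
        "pd_not_in_dump": walker.vtop(0x40000000),  # None rather than TypeError
    }


if __name__ == "__main__":
    for name, paddr in demo().items():
        print(name, "->", None if paddr is None else hex(paddr))
```

The last lookup is the interesting one: the PDPE itself is present and points at a page directory, but that directory page was never written to the dump, so the next read comes back as None. With the unguarded check that is the TypeError in the trace; with the guarded check the address is simply reported as unmapped, which is what a hibernation-file address space should say about memory that was not saved.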