Andy,

The hibinfo plugin populates items from the hiberfil header.  If the header is zeroed out, then the information is zeroed, too. However, data can still be present and we have a mechanism to find the first page in spite of a zeroed header.  Are you able to get any other information from the hiberfil, like if you run pslist, psscan etc directly over the file?  Also make sure that the entire hiberfil file is not completely zeroed out (this happens sometimes).

All the best,

-Jamie


On 3/7/2014 10:01 AM, Michael Ligh wrote:
Hi Andy, 

It looks like your command-line usage is correct. According to imageinfo, it was not able to find a DTB (it's 0x0), so virtual address translation isn't available (which will indeed break many of the plugins). 

As far as I know, Home Premium should run the same kernel (at least in terms of the critical structures for memory forensics) as other versions of 32-bit Windows 7, but if you happened to have access to the target machine’s disk, you could send me a copy of c:\windows\system32\ntoskrnl.exe and I can verify. 

I’ll also send you a link to the beta 2.4 branch off-list and I’ll have you run a few diagnostic commands. 

Thanks and talk to you soon,
Michael

--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG: http://mnin.org/gpg.pubkey.txt
Blog: http://volatility-labs.blogspot.com 
Training: http://memoryanalysis.net

On Mar 5, 2014, at 8:24 PM, Andy Bellman <andybellman@outlook.com> wrote:

Members of the list,

I have been attempting to recover some unsaved files from a hiberfil.sys from a Windows 7 system.  It is from a laptop, I'm pretty sure running Home Premium 32 bit.  

I use an XP system to run the standalone version of Volatility.  Using 'volatility -f hiberfil.sys --profile=Win7SP0x86 imageinfo'  I get:

'         Suggested Profile(s) : No suggestion (Instantiated with Win7SP0x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (I:\hfr\hiberfil.sys)
                      PAE type : PAE
                           DTB : 0x0L
             KUSER_SHARED_DATA : 0xffdf0000L'

Using 'volatility -f hiberfil.sys --profile=Win7SP1x86 hibinfo'  I get:

'Volatility Foundation Volatility Framework 2.3.1
PO_MEMORY_IMAGE:
Signature: HIBR
SystemTime: 1970-01-01 00:00:00 UTC+0000

Control registers flags
CR0: 00000000
CR0[PAGING]: 0
CR3: 00000000
CR4: 00000000
CR4[PSE]: 0
CR4[PAE]: 0

Windows Version is -.- (-)'

Other modules seem to hang, or produce no results.

I thought I must have a bad file, but I got it from the right place, and changing the name or location doesn't seem easy enough that an OEM would do it.

I thought I might be using the tool wrong, but it seems I can get it working better with four out of the five NIST samples linked from the code.google.com/p/volatility/wiki website.

I'm wondering if I'm trying to do something volatility doesn't support yet, or if I am simply making a mistake.

Thanks,
andybellman@outlook.com
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users


-- 
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG:  http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
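The two checks Jamie asks for (is the PO_MEMORY_IMAGE header at offset 0 zeroed, and is the whole file zeroed?) are easy to run before spending time on plugins. The script below is an added example for this thread, not Volatility's code and not part of any message above. It reads the 4-byte signature at offset 0, reports whether the first page and the whole file are zero, and searches for the first Xpress compressed-block marker (the 8-byte `\x81\x81xpress` sequence that precedes compressed page sets in Windows hibernation files), which is what makes data recoverable even when the header is gone. The 4 KiB page size, the set of recognised signatures and the `build_sample` buffers are assumptions/constructed data, not taken from a real hiberfil.

```python
"""Triage a hiberfil.sys before running hibinfo/pslist over it.

Added example (not Volatility code). Assumptions: 4 KiB pages, the header
lives at offset 0, compressed data is preceded by the Xpress marker, and
the PO_MEMORY_IMAGE signature is "hibr" or "wake" in either case.
"""
import mmap
import sys

PAGE_SIZE = 4096                         # assumption: x86 page size
XPRESS_MAGIC = b"\x81\x81xpress"         # marker before each Xpress block set
KNOWN_SIGNATURES = {b"hibr", b"wake"}    # assumption: compared case-insensitively


def header_signature(data):
    """First four bytes of the file: PO_MEMORY_IMAGE.Signature."""
    return bytes(data[:4])


def header_is_zeroed(data, page_size=PAGE_SIZE):
    """True if the whole first page (the header page) is zero."""
    first = data[:page_size]
    return len(first) > 0 and not any(first)


def zero_fraction(data, page_size=PAGE_SIZE):
    """Fraction of pages that are entirely zero (1.0 means nothing to recover)."""
    pages = range(0, len(data), page_size)
    if not pages:
        return 1.0
    zero_pages = sum(1 for off in pages if not any(data[off:off + page_size]))
    return zero_pages / len(pages)


def first_xpress_block(data):
    """Offset of the first Xpress marker, or None if there is none."""
    off = data.find(XPRESS_MAGIC)
    return None if off < 0 else off


def triage(data):
    """Summarise header state, zero content and first compressed block."""
    sig = header_signature(data)
    result = {
        "signature": sig,
        "signature_known": sig.lower() in KNOWN_SIGNATURES,
        "header_zeroed": header_is_zeroed(data),
        "zero_fraction": zero_fraction(data),
        "first_xpress_offset": first_xpress_block(data),
    }
    if result["zero_fraction"] >= 1.0:
        result["verdict"] = "file is entirely zero: nothing to recover"
    elif result["header_zeroed"] and result["first_xpress_offset"] is not None:
        result["verdict"] = ("header zeroed but compressed data present: "
                             "header-based output will be blank, scanning may still work")
    elif result["signature_known"]:
        result["verdict"] = "header intact"
    else:
        result["verdict"] = "header present but signature not recognised"
    return result


def build_sample(header_zeroed, xpress_page=None, pages=16):
    """Constructed stand-in for a hiberfil; NOT a real hibernation file."""
    buf = bytearray(pages * PAGE_SIZE)
    if not header_zeroed:
        buf[0:4] = b"hibr"
    if xpress_page is not None:
        off = xpress_page * PAGE_SIZE
        buf[off:off + len(XPRESS_MAGIC)] = XPRESS_MAGIC
        # fake non-zero payload after the marker so the page is not all zero
        buf[off + len(XPRESS_MAGIC):off + PAGE_SIZE] = b"\xaa" * (PAGE_SIZE - len(XPRESS_MAGIC))
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real file: map it rather than reading gigabytes into memory.
        with open(sys.argv[1], "rb") as fh:
            mm = mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ)
            report = triage(mm)
            mm.close()
    else:
        report = triage(build_sample(header_zeroed=True, xpress_page=3))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python triage_hiberfil.py I:\hfr\hiberfil.sys`; with no argument it triages the constructed sample. A `zero_fraction` of 1.0 means the file is the fully zeroed case Jamie mentions; a zeroed header with a non-`None` `first_xpress_offset` matches the symptom in the thread (blank hibinfo output but data still present).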