Hi Kevin,
Just to check: are you sure it's a 32-bit Windows 7 machine? If not, try
the Win7SP1x64 profile and see if that works.
Also, please make sure that there is actually data in the hibernation
file (that it is not all zeroes). You can do this with Linux:
$ xxd hiberfil.sys |grep -v "0000 0000 0000 0000 0000 0000 0000 0000"
or
$ <hiberfil.sys tr -d '\0' | read -n 1 || echo "all zeroes"
Let me know if things still don't work and I'll see if I can help you
troubleshoot it further.
All the best,
-Jamie
On 6/13/16 2:01 PM, Kevin Marker wrote:
All,
I have a hibernation file from a Windows 7 machine that when I run
hibinfo against it, I get the output below. Has anyone seen this
before? I'm using the latest version of Volatility from GitHub, as of
today. The command I used was vol.py -f hiberfil.sys
--profile==Win7SP1x86 hibinfo. Other plugins fail as well. Converting
the file to raw format using imagecopy and using other plugins didn't
work either.
Thanks for the help!
Kevin
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win7SP1x86 selected
IA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: No valid DTB found
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
--
Jamie Levy (@gleeda)
Blog:
http://volatility-labs.blogspot.com/
GPG:
http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
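
The zero-fill check suggested in the reply above, as an added example that is not part of the original thread or of Volatility's own code: it streams the file in chunks, reports the offset of the first non-zero byte, and looks for the xpress marker that the "No xpress signature found" line refers to. The marker bytes are not given in the thread and are an assumption taken from Volatility 2's hibernation file support; `triage_hiberfil` and `make_sample` are hypothetical names.

```python
import os
import sys
import tempfile

# Assumed marker bytes behind the "No xpress signature found" message (not from the thread).
XPRESS_MAGIC = b"\x81\x81xpress"


def triage_hiberfil(path, chunk=1 << 20):
    """Stream the file in chunks; report zero-fill and the first xpress marker offset."""
    res = {"size": os.path.getsize(path), "first_nonzero": None,
           "nonzero_chunks": 0, "first_xpress": None}
    tail, offset = b"", 0  # tail keeps 7 bytes so a marker split across reads is found
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            stripped = data.lstrip(b"\x00")
            if stripped:
                res["nonzero_chunks"] += 1
                if res["first_nonzero"] is None:
                    res["first_nonzero"] = offset + len(data) - len(stripped)
            window = tail + data
            if res["first_xpress"] is None:
                hit = window.find(XPRESS_MAGIC)
                if hit != -1:
                    res["first_xpress"] = offset - len(tail) + hit
            tail = window[-(len(XPRESS_MAGIC) - 1):]
            offset += len(data)
    return res


def make_sample(payload):
    """Write a constructed test file (not a real hiberfil.sys) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sys")
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


if __name__ == "__main__":
    # With no argument, run against a constructed all-zero sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(b"\x00" * 4096)
    r = triage_hiberfil(target)
    if r["first_nonzero"] is None:
        print("all zeroes: nothing for Volatility to parse")
    else:
        print("first non-zero byte at 0x%x, first xpress marker: %s"
              % (r["first_nonzero"], r["first_xpress"]))
```

A file with data but no xpress marker points at a different problem than an all-zero file, for example a wrong profile or a format this address space does not handle.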