RE: [Vol-users] Extracting document files from hiberfil.sys

Date: Mon, 24 Mar 2014 22:11:04 -0500 From: atcuno(a)gmail.com To: andybellman(a)outlook.com; vol-users(a)volatilityfoundation.org Subject: Re: [Vol-users] Extracting document files from hiberfil.sys If you just want to pull files out then you should try the dumpfiles [1] plugin. You can filter it with the -r option to say for all *.txt files. Obviously txt files can be edited with something besides notepad, but its at least a start. Also to help filter your vaddump output you could use vadinfo to determine which file the particular VAD is mapping and then only dump those of interest. Thanks, Andrew (@attrc) [1] https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles On 3/24/2014 6:38 PM, Andy Bellman wrote: > > Hello again, > > > So, now that I am using the right profile, the plug ins seem to work. > > > My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system. > > > My next step seemed to be using pslist to get the PIDs, and putting those into one of the built in plugins. > > > I've tried dumpfiles, vaddump, memdump, and some others. > > > It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need. > > > Is there a better way to use volatility's built in tools to pull out files from notepad? > > > Is there an add on that I can download which will pull out something more quickly and cleanly? > > > Thanks, > andybellman(a)outlook.com > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >