> Date: Mon, 24 Mar 2014 22:11:04 -0500
> From: atcuno@gmail.com
> To: andybellman@outlook.com; vol-users@volatilesystems.com
> Subject: Re: [Vol-users] Extracting document files from hiberfil.sys
>
> If you just want to pull files out then you should try the dumpfiles [1]
> plugin. You can filter it with the -r option to say for all *.txt files.
> Obviously txt files can be edited with something besides notepad, but
> its at least a start.
>
> Also to help filter your vaddump output you could use vadinfo to
> determine which file the particular VAD is mapping and then only dump
> those of interest.
>
> Thanks,
> Andrew (@attrc)
>
> [1] https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
>
> On 3/24/2014 6:38 PM, Andy Bellman wrote:
> >
> > Hello again,
> >
> >
> > So, now that I am using the right profile, the plug ins seem to work.
> >
> >
> > My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system.
> >
> >
> > My next step seemed to be using pslist to get the PIDs, and putting those into one of the built in plugins.
> >
> >
> > I've tried dumpfiles, vaddump, memdump, and some others.
> >
> >
> > It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need.
> >
> >
> > Is there a better way to use volatility's built in tools to pull out files from notepad?
> >
> >
> > Is there an add on that I can download which will pull out something more quickly and cleanly?
> >
> >
> > Thanks,
> > andybellman@outlook.com
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users@volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >