One other thing to remember about hibernation files is that Windows needs to ensure that there's enough space on the drive in order to hibernate the computer, so it'll just allocate space on the disk for the hibernation file.  If the computer has never been hibernated, you sometimes get a hibernation file that is all zeros, and in even odder cases, you'll get a hibernation file that just traps a bunch of old unallocated hard drive data.

tl;dr - Not all hibernation files actually contain hibernation data.

On Mon, Jun 13, 2016 at 2:33 PM Jamie Levy <jamie@memoryanalysis.net> wrote:
Hi Kevin,

Just to check: are you sure it's a 32bit Windows 7 machine?  If not, try
the Win7SP1x64 profile and see if that works.

Also, please make sure that there is actually data in the hibernation
file (that it is not all zeroes).  You can do this with Linux:

$ xxd hiberfil.sys |grep -v "0000 0000 0000 0000 0000 0000 0000 0000"

or

$ <hiberfil.sys tr -d '\0' | read -n 1 || echo "all zeroes"

Let me know if things still don't work and I'll see if I can help you
troubleshoot it further.

All the best,

-Jamie



On 6/13/16 2:01 PM, Kevin Marker wrote:
> All,
>
> I have a hibernation file from a Windows 7 machine that when I run
> hibinfo against it, I get the output below.  Has anyone seen this
> before?  I'm using the latest version of volatility from github, as of
> today.  The command I used was vol.py -f hiberfil.sys
> --profile==Win7SP1x86 hibinfo.  Other plugins fail as well.  Converting
> the file to raw format using imagecopy and using other plugins didn't
> work either.
>
> Thanks for the help!
> Kevin
>
> No suitable address space mapping found
> Tried to open image as:
>  MachOAddressSpace: mac: need base
>  LimeAddressSpace: lime: need base
>  WindowsHiberFileSpace32: No base Address Space
>  WindowsCrashDumpSpace64BitMap: No base Address Space
>  WindowsCrashDumpSpace64: No base Address Space
>  HPAKAddressSpace: No base Address Space
>  VMWareMetaAddressSpace: No base Address Space
>  VirtualBoxCoreDumpElf64: No base Address Space
>  VMWareAddressSpace: No base Address Space
>  QemuCoreDumpElf: No base Address Space
>  WindowsCrashDumpSpace32: No base Address Space
>  AMD64PagedMemory: No base Address Space
>  IA32PagedMemoryPae: No base Address Space
>  IA32PagedMemory: No base Address Space
>  OSXPmemELF: No base Address Space
>  MachOAddressSpace: MachO Header signature invalid
>  LimeAddressSpace: Invalid Lime header signature
>  WindowsHiberFileSpace32: No xpress signature found
>  WindowsCrashDumpSpace64BitMap: Header signature invalid
>  WindowsCrashDumpSpace64: Header signature invalid
>  HPAKAddressSpace: Invalid magic found
>  VMWareMetaAddressSpace: VMware metadata file is not available
>  VirtualBoxCoreDumpElf64: ELF Header signature invalid
>  VMWareAddressSpace: Invalid VMware signature: 0x0
>  QemuCoreDumpElf: ELF Header signature invalid
>  WindowsCrashDumpSpace32: Header signature invalid
>  AMD64PagedMemory: Incompatible profile Win7SP1x86 selected
>  IA32PagedMemoryPae: No valid DTB found
>  IA32PagedMemory: No valid DTB found
>  OSXPmemELF: ELF Header signature invalid
>  FileAddressSpace: Must be first Address Space
>  ArmAddressSpace: No valid DTB found
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>

--
Jamie Levy (@gleeda)
Blog: http://volatility-labs.blogspot.com/
GPG:  http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
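
The checks discussed in this thread (all-zero file, leftover disk data, missing xpress signature) can be combined into one pass over the file. The script below is an added example, not code from the thread or from Volatility; the header signatures `hibr`/`wake` and the 8-byte Xpress marker are assumptions about the file format, and `triage_hiberfil` and `write_sample` are hypothetical names.

```python
import os
import tempfile

# Assumed markers: header signature "hibr"/"wake" (any case) and the Xpress block
# marker that the "No xpress signature found" error refers to.
HEADER_SIGS = (b"hibr", b"wake")
XPRESS_MAGIC = b"\x81\x81xpress"

def triage_hiberfil(path, chunk_size=1 << 20):
    """Scan the file once; report zero-filled, stale-data, or real hibernation content."""
    res = {"header_ok": False, "nonzero_chunks": 0, "total_chunks": 0, "first_xpress": None}
    zero = bytes(chunk_size)
    tail, offset = b"", 0   # tail: end of previous chunk, so a marker split across reads is found
    with open(path, "rb") as f:
        res["header_ok"] = f.read(4).lower() in HEADER_SIGS
        f.seek(0)
        while chunk := f.read(chunk_size):
            res["total_chunks"] += 1
            if chunk != zero[:len(chunk)]:
                res["nonzero_chunks"] += 1
                if res["first_xpress"] is None:
                    pos = (tail + chunk).find(XPRESS_MAGIC)
                    if pos != -1:
                        res["first_xpress"] = offset - len(tail) + pos
            tail = chunk[-(len(XPRESS_MAGIC) - 1):]
            offset += len(chunk)
    if res["nonzero_chunks"] == 0:
        res["verdict"] = "all zeroes"
    elif res["first_xpress"] is None:
        res["verdict"] = "data but no xpress blocks"
    else:
        res["verdict"] = "hibernation data"
    return res

def write_sample(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sys")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    # Constructed samples, not real hibernation files.
    samples = {
        "never hibernated": bytes(8192),
        "stale disk data": bytes(4096) + b"old unallocated sector contents" + bytes(4096),
        "hibernated": b"hibr" + bytes(4092) + XPRESS_MAGIC + bytes(4096),
    }
    for name, data in samples.items():
        path = write_sample(data)
        print(name, "->", triage_hiberfil(path, chunk_size=4096))
        os.remove(path)
```

A verdict of "data but no xpress blocks" together with `header_ok` being false matches the case described at the top of the thread, where the file only holds old unallocated disk contents.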