Re: [Vol-users] Hiberfil information
10 Mar
2012
10 Mar
'12
9:16 a.m.
Rob,
No worries...This will most likely be covered in our upcoming patch.
Would you be willing to send us a couple of formatting sections from the
file? This would allows us to easily confirm that your sample will be
supported with the upcoming patch. In the interim, you may try using
MoonSol's tool to convert the sample to a raw dd format.
Thanks,
AW
On Sat, 10 Mar 2012, Dewhirst, Rob wrote:
Sadly I can't share the sample. This is from an
x86 Windows 7 system.
I believe it had 4GB of RAM.
On Sat, Mar 10, 2012 at 7:51 AM, AAron Walters <awalters(a)4tphi.net> wrote:
Rob,
Thanks for the email. It means that Volatility is not able to automatically
identify a suitable address space. Do you have any information about the
system the hiberfil was collected from (OS, Hardware Architecture, Size of
Ram, etc). We have a big patch coming in the next release that should
expand the hiberfil support. Would you be able to share the sample?
Thanks,
AW
On Fri, 9 Mar 2012, Dewhirst, Rob wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Does this mean volatility can't identify the
hiberfil?
$ python ~/Volatility/vol.py hibinfo -f hiberfile.sys
Volatile Systems Volatility Framework 2.1_alpha
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
EWFAddressSpace: No base address space provided
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
EWFAddressSpace: EWF signature not present
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users