Jean-Francois,
Can you please clarify what you mean by a "dead system"? The real question
is whether the system was hibernating when it "died". Can you do me a
favor and open the file in a hex editor? Has the first page been zeroed
out? In that instance, it needs a little extra processing but it can
still be analyzed.
As for Sandman, I don't think the public Black Hat release supported
hiberfils that were not in use. Matthieu is a member of this list and
would be able to confirm that. If you use IRC and want to discuss it
more, you may also consider joining the #volatility channel where we all
hang out.
Thanks,
AW
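The check AW asks for (open the file in a hex editor and see whether the first page has been zeroed) can be scripted. The following is an added example written for this thread; it is not code from the Volatility project or from either poster. It assumes, beyond what the thread states, that the hibernation file starts with a 4 KiB header page whose first four bytes are a signature, with `hibr` marking a file written by a completed hibernation and `wake` marking one whose signature was overwritten when the machine resumed. The sample pages at the bottom are constructed for illustration.

```python
"""Triage the header page of a hiberfil.sys before handing it to an analysis tool.

Added example for the thread above (not Volatility code). Assumed layout:
the first 4 KiB page carries a 4-byte signature, "hibr" (hibernated) or
"wake" (resumed). An all-zero header page is the case AW describes: the
file can still be analyzed, but needs extra processing first.
"""

PAGE_SIZE = 4096  # assumed size of the header page

# What a practitioner should do next for each header state.
NEXT_STEP = {
    "hibernated": "header intact; memory analysis can proceed directly",
    "resumed": "signature overwritten on resume; contents may be stale",
    "zeroed": "first page zeroed; needs extra processing before analysis",
    "truncated": "file shorter than one page; not a usable hibernation file",
    "unknown": "no hibernation signature; check that this is really hiberfil.sys",
}


def classify_hiber_header(first_page: bytes) -> str:
    """Classify a header page as hibernated, resumed, zeroed, truncated or unknown."""
    if len(first_page) < PAGE_SIZE:
        return "truncated"
    page = first_page[:PAGE_SIZE]
    if not any(page):  # every byte is 0x00, the case the reply asks about
        return "zeroed"
    signature = page[:4].lower()  # accept upper- or lower-case signatures
    if signature == b"hibr":
        return "hibernated"
    if signature == b"wake":
        return "resumed"
    return "unknown"


def classify_hiber_file(path: str) -> str:
    """Read only the first page of a file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_hiber_header(fh.read(PAGE_SIZE))


def sample_pages() -> dict:
    """Constructed header pages covering each state (not real captures)."""
    return {
        "hibernated": b"hibr" + b"\x11" * (PAGE_SIZE - 4),
        "resumed": b"WAKE" + b"\x22" * (PAGE_SIZE - 4),
        "zeroed": bytes(PAGE_SIZE),
        "truncated": b"hibr",
        "unknown": b"MZ\x90\x00" + b"\x00" * (PAGE_SIZE - 4),
    }


if __name__ == "__main__":
    for label, page in sample_pages().items():
        state = classify_hiber_header(page)
        print(f"{label:>10}: {state:<10} -> {NEXT_STEP[state]}")
```

Run it against a real file with `classify_hiber_file(r"c:\tmp\hiberfil.sys")`; the `zeroed` result is the one that explains the "Unable to locate valid DTB" error in the question, since the page the tool would use to orient itself is gone.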
On Fri, 12 Sep 2008, Jean-Francois Ragu wrote:
Hi all,
Please, is it possible to examine hiberfil.sys file (extracted from a
"dead" system) directly with volatility such as ?
python volatility pslist -f c:\tmp\hiberfil.sys => Error : Unable to
locate valid DTB in Image
or do I have to convert it to another format first?
Thanks
Have a good weekend
:)
Best regards
Jean Francois