AAron Walters <awalters@4tphi.net> · 12/09/2008 17:34

Jean-Francois,

Can you please clarify what you mean by a "dead system"? The
real question 

is whether the system was hibernating when it "died".  Can
you do me a 

favor and open the file in a hex editor? Has the first page been zeroed

out?  In that instance, it needs a little extra processing but it
can 

still be analyzed.

As for Sandman, I don't think the public black hat released supported 

hiberfils that were not in use. Matthieu is a member of this list and 

would be able to confirm that.  If you use IRC and want to discuss
it 

more, you may also consider joining the #volatility channel where we all

hang out.

Thanks,

AW

On Fri, 12 Sep 2008, Jean-Francois Ragu wrote:

> Hi all,

>

> Please, is it possible to examine hiberfil.sys file (extracted from
a

> "dead" system) directly with volatility such as ?

>   python volatility pslist -f c:\tmp\hiberfil.sys    =>
Error : Unable to

> locate valid DTB in Image

>

> or do I have to convert it before in an other format ?

>

> Thanks

> Have a good weekend

> :)

>

> Best regards

> Jean Francois

>

>

>

> Sauf indication contraire ci-dessus:/ Unless stated otherwise above:

> Compagnie IBM France

> Siège Social : Tour Descartes, 2, avenue Gambetta, La Défense 5, 92400

> Courbevoie

> RCS Nanterre 552 118 465

> Forme Sociale : S.A.S.

> Capital Social : 542.737.118 euros

> SIREN/SIRET : 552 118 465 02430

>

>

From:	AAron Walters <awalters@4tphi.net>
To:	Jean-Francois Ragu/France/IBM@IBMFR
Cc:	vol-users@volatilityfoundation.org
Date:	12/09/2008 17:34
Subject:	Re: [Vol-users] hiberfil.sys