Mark,
Let me know if you figure it out. I just tried the same command and received the following
error:
======================================================================
C:\Python25>python \Volatility3\volatility hibinfo -f c:\hiberfil_test\hiberfil.sys -d c:\hibertest.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 00010000
CR0[PAGING]: 0
CR3: 7aed0001
CR4: 00010000
CR4[PSE]: 0
CR4[PAE]: 0
Traceback (most recent call last):
  File "\Volatility3\volatility", line 219, in <module>
    main()
  File "\Volatility3\volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "C:\Volatility3\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "C:\Volatility3\vmodules.py", line 1677, in hibinfo
    (major,minor,build) = hiberAS.get_version()
  File "C:\Volatility3\forensics\win32\hiber_addrspace.py", line 467, in get_version
    ['_KGDTENTRY','BaseLow'], NtTibAddr)
  File "C:\Volatility3\forensics\object.py", line 206, in read_obj
    return read_value(addr_space, current_type, vaddr + offset)
  File "C:\Volatility3\forensics\object.py", line 71, in read_value
    buf = addr_space.read(vaddr, type_size)
  File "C:\Volatility3\forensics\x86.py", line 124, in read
    paddr = self.vtop(vaddr)
  File "C:\Volatility3\forensics\x86.py", line 109, in vtop
    if self.entry_present(pgd):
  File "C:\Volatility3\forensics\x86.py", line 72, in entry_present
    if (entry & (0x00000001)) == 0x00000001:
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
==================================================================
Detective Ritch Gilleland, EnCE, CCI
Sacramento Police Department
Office: 916-808-0564
RGilleland(a)pd.cityofsacramento.org
>> Mark Morgan <mark.morgan47(a)gmail.com> 10/06/09 9:48 AM >>>
I have a hiberfil.sys file from a Windows XP SP3 machine and I am trying to
convert it to dd using the hibinfo script in Volatility. I keep getting an
error halfway through the script as follows:
$ python volatility hibinfo -f /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiberfil.sys -d /c/Documents\ and\ Settings/Mark\ Morgan/My\ Documents/Hiberfil\ Test/hiber.dd
Signature:
SystemTime: Thu Jan 01 00:00:00 1970
Control registers flags
CR0: 80010031
CR0[PAGING]: 1
CR3: 0afc0080
CR4: 000006f1
CR4[PSE]: 1
CR4[PAE]: 1
Traceback (most recent call last):
  File "volatility", line 219, in <module>
    main()
  File "volatility", line 212, in main
    modules[argv[1]].execute(argv[1], argv[2:])
  File "c:\Volatility-1.3_Beta\vmodules.py", line 62, in execute
    self.cmd_execute(module, args)
  File "c:\Volatility-1.3_Beta\vmodules.py", line 1677, in hibinfo
    (major,minor,build) = hiberAS.get_version()
  File "c:\Volatility-1.3_Beta\forensics\win32\hiber_addrspace.py", line 452, in get_version
    addr_space = IA32PagedMemoryPae(self,self.CR3)
NameError: global name 'IA32PagedMemoryPae' is not defined
I am wondering if it is because this is an SP3 box??? Any help would be
appreciated.
Mark Morgan
702-942-2556