[Vol-users] Problems with Win7SP1x64 hiberfil.sys

Hi all, Just trying to figure out where I'm going wrong. I have a hiberfil.sys file from a Win7SP1x64 system. The first 6 pages are full of 0x00 which I believe means the hiberfil was wiped as part of a resume. Having read the AOMF, specifically p98, I expected Volatility to brute force the header and, voila, magic happens. However, Volatility just reports that it wasn't able to find a matching address space: $ python vol.py -f /tmp/hiberfil.sys imageinfo Volatility Foundation Volatility Framework 2.4 Determining profile based on KDBG search... Suggested Profile(s) : No suggestion (Instantiated with Win7SP1x86) AS Layer1 : IA32PagedMemoryPae (Kernel AS) AS Layer2 : WindowsHiberFileSpace32 (Unnamed AS) AS Layer3 : FileAddressSpace (/tmp/hiberfil.sys) PAE type : PAE DTB : 0x185000L KDBG : 0x82d3ac28 Number of Processors : 4 Image Type (Service Pack) : 1 KPCR for CPU 0 : 0x82d3bc00 KPCR for CPU 1 : 0x807c6000 KPCR for CPU 2 : 0x8d300000 KPCR for CPU 3 : 0x8d336000 KUSER_SHARED_DATA : 0xffdf0000 Image date and time : 2014-05-09 15:26:28 UTC+0000 Image local date and time : 2014-05-09 17:26:28 +0200 $ python vol.py -f /tmp/hiberfil.sys --profile=Win7SP1x64 pslist Volatility Foundation Volatility Framework 2.4 No suitable address space mapping found Tried to open image as: MachOAddressSpace: mac: need base LimeAddressSpace: lime: need base WindowsHiberFileSpace32: No base Address Space WindowsCrashDumpSpace64BitMap: No base Address Space WindowsCrashDumpSpace64: No base Address Space ... ... If I try an imagecopy, the output file is identical to the original: $ python vol.py -f /tmp/hiberfil.sys --profile=Win7SP1x64 imagecopy -O /tmp/hiberfil.bin Volatility Foundation Volatility Framework 2.4 Writing data (5.00 MB chunks): |.................................................................................................................................................................................................................................................................................................................................................................................................................................................................| bridgey@aspire:~/dev/volatility$ md5sum /tmp/hiberfil.* fee8a1c6924b871477434a678adb4483 /tmp/hiberfil.bin fee8a1c6924b871477434a678adb4483 /tmp/hiberfil.sys And finally, I couldn't find a class for 64-bit hiberfil... $ find -type f -name '*iber*' -exec grep -H ^class.WindowsHi {} \; ./volatility/plugins/addrspaces/hibernate.py:class WindowsHiberFileSpace32(addrspace.BaseAddressSpace): Am I leaping to conclusions, or is a hiberfil from a 64-bit system simply not supported? Would love any comments! Thanks, Adam