If you just want to pull files out then you should try the dumpfiles [1]
plugin. You can filter it with the -r option to say for all *.txt files.
Obviously txt files can be edited with something besides notepad, but
it's at least a start.
Also to help filter your vaddump output you could use vadinfo to
determine which file the particular VAD is mapping and then only dump
those of interest.
Thanks,
Andrew (@attrc)
[1] https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
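As an added example (not code from this thread and not part of Volatility itself), a small Python helper that applies Andrew's vadinfo suggestion: parse vadinfo text output, keep only the VADs whose mapped file name matches a regex (the same filtering idea as dumpfiles -r), and use the selected start/end ranges to pick out the matching vaddump output files instead of wading through all of them. The sample vadinfo text, the process name and the assumption that vaddump file names end in `<start>-<end>.dmp` are constructed for this example.

```python
import re

# Constructed sample shaped like Volatility 2.x vadinfo output (assumption: only the
# "VAD node @ ... Start ... End ... Tag" and "FileObject @..., Name:" lines are relied on).
SAMPLE_VADINFO = r"""
VAD node @ 0xfffffa8003a1c010 Start 0x0000000000240000 End 0x000000000024ffff Tag Vad
Protection: PAGE_READONLY
FileObject @fffffa8003b1d5f0, Name: \Users\andy\Desktop\notes.txt
VAD node @ 0xfffffa8003a1c0a0 Start 0x0000000077650000 End 0x000000007776ffff Tag Vad
Protection: PAGE_EXECUTE_WRITECOPY
FileObject @fffffa8003b1d700, Name: \Windows\System32\kernel32.dll
VAD node @ 0xfffffa8003a1c130 Start 0x0000000000300000 End 0x000000000030ffff Tag VadS
Flags: CommitCharge: 16, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
"""

VAD_RE = re.compile(r"VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+) Tag (\S+)")
FILE_RE = re.compile(r"FileObject @[0-9a-f]+, Name: (.+)$")
DUMP_RE = re.compile(r"([0-9a-f]+)-([0-9a-f]+)\.dmp$", re.IGNORECASE)

def parse_vadinfo(text):
    """One dict per VAD: node, start, end, tag and mapped file (None if private/unmapped)."""
    vads = []
    for line in text.splitlines():
        line = line.strip()
        m = VAD_RE.match(line)
        if m:
            vads.append({"node": int(m.group(1), 16), "start": int(m.group(2), 16),
                         "end": int(m.group(3), 16), "tag": m.group(4), "file": None})
            continue
        m = FILE_RE.match(line)
        if m and vads:
            vads[-1]["file"] = m.group(1).strip()  # attach the file name to the current VAD
    return vads

def select_vads(vads, pattern):
    """VADs whose mapped file matches `pattern`, the same idea as dumpfiles -r (case-insensitive)."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [v for v in vads if v["file"] and rx.search(v["file"])]

def keep_dumps(filenames, vads):
    # Keep only the vaddump output files whose embedded start-end range (assumed
    # "<start>-<end>.dmp" naming) belongs to one of the selected VADs.
    wanted = {(v["start"], v["end"]) for v in vads}
    return [n for n in filenames if (m := DUMP_RE.search(n))
            and (int(m.group(1), 16), int(m.group(2), 16)) in wanted]
```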
On 3/24/2014 6:38 PM, Andy Bellman wrote:
Hello again,
So, now that I am using the right profile, the plug-ins seem to work.
My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from
a Win 7 SP1 64 bit system.
My next step seemed to be using pslist to get the PIDs, and putting those into one of the
built-in plugins.
I've tried dumpfiles, vaddump, memdump, and some others.
It looks like I should be able to piece something together between the results of
dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that
out yet. I'm wondering if there is a more specific switch. They both seem to produce
a lot more files than I need.
Is there a better way to use volatility's built-in tools to pull out files from
notepad?
Is there an add-on that I can download which will pull out something more quickly and
cleanly?
Thanks,
andybellman(a)outlook.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users