Jamie,
I checked my copy of the filescan results. There were three listings which mentioned a
directory where a lot of text files were saved, some of them likely open for editing.
Nothing showed up in the dump directory for any of them (using -Q OFFSET), so I guess that
means there was nothing there that dumpfiles recognizes, or that they weren't in
memory.
My hiberfil.sys is a bit over two gigs, and my pagefile.sys a bit under seven. I expect
that this could be part of my problem, but I'm ignorant enough that I couldn't
say.
Thank you,
andybellman(a)outlook.com
Subject: Re: [Vol-users] Extracting document files from hiberfil.sys
To: atcuno(a)gmail.com; vol-users-bounces(a)volatilityfoundation.org;
andybellman(a)outlook.com; vol-users(a)volatilityfoundation.org
From: jamie(a)memoryanalysis.net
Date: Tue, 25 Mar 2014 10:35:28 +0000
If the files are no longer referenced by a process, you can use filescan to get the
offset and try to dump the files w/dumpfiles and the -Q switch and the file's offset
you got from filescan (-Q OFFSET).
All the best,
-gleeda
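The filescan-to-dumpfiles loop described in the reply above, written out as a script. This is an added example, not code from Volatility or from anyone on the thread. It assumes the Volatility 2.x command line (vol.py with -f and --profile, the filescan plugin, and dumpfiles with -Q for the physical offset and -D for the output directory), the filescan column layout of Volatility 2.3 (Offset(P), #Ptr, #Hnd, Access, Name), and an image path and profile passed on the command line; the filescan rows embedded in it are constructed, not taken from a real dump.

```python
"""Select files of interest from Volatility 2 filescan output and dump each one
with dumpfiles -Q <physical offset>.

Added example (not Volatility's own code). Assumptions: vol.py is on PATH, the
profile is correct, filescan prints rows as 'Offset(P) #Ptr #Hnd Access Name',
and dumpfiles accepts -Q OFFSET -D DIR (as in Volatility 2.3).
"""
import re
import subprocess
import sys

# One data row of filescan output. Header, separator and banner lines do not
# start with 0x and are skipped.
FILESCAN_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<ptr>\d+)\s+(?P<hnd>\d+)\s+"
    r"(?P<access>\S+)\s+(?P<name>.+?)\s*$"
)


def parse_filescan(text):
    """Return [(physical_offset_int, name), ...] for every data row."""
    rows = []
    for line in text.splitlines():
        m = FILESCAN_ROW.match(line.strip())
        if m:
            rows.append((int(m.group("offset"), 16), m.group("name")))
    return rows


def select_files(rows, pattern, ignore_case=True):
    """Keep rows whose file name matches a regex (like dumpfiles -r / -i)."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [(off, name) for off, name in rows if rx.search(name)]


def dumpfiles_cmd(image, profile, offset, out_dir):
    """dumpfiles -Q wants the physical offset printed by filescan, in hex."""
    return ["vol.py", "-f", image, "--profile=" + profile, "dumpfiles",
            "-Q", "0x%x" % offset, "-D", out_dir]


def run(image, profile, pattern, out_dir):
    """Run filescan once, then one dumpfiles -Q per matching file object."""
    scan = subprocess.run(["vol.py", "-f", image, "--profile=" + profile, "filescan"],
                          capture_output=True, text=True, check=True).stdout
    hits = select_files(parse_filescan(scan), pattern)
    for off, name in hits:
        print("%#x %s" % (off, name))
        # A missing or unreadable file object makes dumpfiles write nothing;
        # that is not fatal, so do not abort the loop on a non-zero exit.
        subprocess.run(dumpfiles_cmd(image, profile, off, out_dir), check=False)
    return hits


# Constructed sample of filescan output (not from a real image) showing the
# row shapes the parser handles, including a name with a space and upper-case ext.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.3.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e1a4f20      1      0 R--rwd \\Device\\HarddiskVolume1\\Users\\andy\\Documents\\notes.txt
0x000000003e2b0070     16      1 R--r-d \\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe
0x000000003e3c1c50      2      1 RW-rw- \\Device\\HarddiskVolume1\\Users\\andy\\Documents\\todo list.TXT
"""

if __name__ == "__main__":
    if len(sys.argv) == 5:
        run(*sys.argv[1:])  # usage: script.py IMAGE PROFILE REGEX OUT_DIR
    else:
        # Dry run on the constructed sample: print the commands that would be issued.
        for off, name in select_files(parse_filescan(SAMPLE_FILESCAN), r"\.txt$"):
            print(" ".join(dumpfiles_cmd("hiberfil.sys", "Win7SP1x64", off, "out")), "#", name)
```

Running it with no arguments prints the dumpfiles commands for the two .txt rows of the sample; with `IMAGE PROFILE REGEX OUT_DIR` it drives vol.py for real. If a given -Q offset produces nothing in OUT_DIR, the file object had no cached data in the image, which is what dumpfiles reports silently.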
-----Original Message-----
From: Andrew Case <atcuno(a)gmail.com>
Sender: vol-users-bounces(a)volatilityfoundation.org
Date: Mon, 24 Mar 2014 22:11:04
To: Andy Bellman<andybellman(a)outlook.com>;
vol-users@volatilesystems.com<vol-users@volatilityfoundation.org>
Subject: Re: [Vol-users] Extracting document files from hiberfil.sys
If you just want to pull files out then you should try the dumpfiles [1]
plugin. You can filter it with the -r option to say for all *.txt files.
Obviously txt files can be edited with something besides notepad, but
it's at least a start.
Also to help filter your vaddump output you could use vadinfo to
determine which file the particular VAD is mapping and then only dump
those of interest.
Thanks,
Andrew (@attrc)
[1] https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
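The vadinfo-then-vaddump filtering suggested above, as an added example that is not part of the original post or of Volatility itself. It assumes the Volatility 2.3 vadinfo text layout ("Pid:" lines, "VAD node @ ... Start ... End ..." lines, and "FileObject @..., Name: ..." lines for file-backed regions) and that vaddump accepts -p PID, -b BASE and -D DIR; check `vol.py vaddump -h` on the version in use. The vadinfo excerpt embedded below is constructed. Note what the filter discards: regions with no FileObject are private memory, which is where text typed into an editor but never saved lives, so this recovers mapped files, not unsaved buffers.

```python
"""Filter vadinfo output down to VADs that map a file of interest, then build
the matching vaddump -p/-b commands instead of dumping every region.

Added example (not Volatility's own code). Assumptions: Volatility 2.3 vadinfo
output format and vaddump -p PID -b BASE -D DIR; vol.py on PATH.
"""
import re
import subprocess
import sys

PID_RE = re.compile(r"^Pid:\s+(\d+)")
NODE_RE = re.compile(r"^VAD node @ (0x[0-9a-f]+) Start (0x[0-9a-f]+) End (0x[0-9a-f]+)", re.I)
FILE_RE = re.compile(r"^FileObject @\S+,\s*Name:\s*(.*\S)")


def parse_vadinfo(text):
    """Return [{'pid', 'start', 'end', 'file'}, ...]; 'file' is None for private regions."""
    vads, pid, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            continue
        m = NODE_RE.match(line)
        if m:
            cur = {"pid": pid, "start": int(m.group(2), 16),
                   "end": int(m.group(3), 16), "file": None}
            vads.append(cur)
            continue
        m = FILE_RE.match(line)
        if m and cur is not None:
            cur["file"] = m.group(1)
    return vads


def vads_mapping(vads, pattern):
    """Keep only file-backed VADs whose mapped file name matches the regex."""
    rx = re.compile(pattern, re.I)
    return [v for v in vads if v["file"] and rx.search(v["file"])]


def vaddump_cmd(image, profile, vad, out_dir):
    """vaddump -b takes the VAD start address, which is what vadinfo prints as Start."""
    return ["vol.py", "-f", image, "--profile=" + profile, "vaddump",
            "-p", str(vad["pid"]), "-b", "0x%x" % vad["start"], "-D", out_dir]


def run(image, profile, pid, pattern, out_dir):
    """vadinfo for one process, then vaddump only the regions of interest."""
    info = subprocess.run(["vol.py", "-f", image, "--profile=" + profile,
                           "vadinfo", "-p", str(pid)],
                          capture_output=True, text=True, check=True).stdout
    hits = vads_mapping(parse_vadinfo(info), pattern)
    for v in hits:
        print("pid %d start %#x -> %s" % (v["pid"], v["start"], v["file"]))
        subprocess.run(vaddump_cmd(image, profile, v, out_dir), check=False)
    return hits


# Constructed vadinfo excerpt (not from a real image): a private heap region,
# a read-only mapping of a text file, and the notepad.exe image mapping.
SAMPLE_VADINFO = """\
************************************************************************
Pid:   1412
VAD node @ 0xfffffa8003a1c2e0 Start 0x0000000000110000 End 0x000000000012ffff Tag VadS
Flags: CommitCharge: 5, PrivateMemory: 1, Protection: 4
Protection: PAGE_READWRITE
Vad Type: VadNone

VAD node @ 0xfffffa8003a1d7b0 Start 0x00000000003c0000 End 0x00000000003c0fff Tag Vad 
Flags: CommitCharge: 0, Protection: 1
Protection: PAGE_READONLY
Vad Type: VadNone
ControlArea @fffffa8003b02410 Segment fffff8a0019c6000
Control Flags: Accessed: 1, File: 1
FileObject @fffffa8003b19f20, Name: \\Users\\andy\\Documents\\notes.txt

VAD node @ 0xfffffa8003a1e040 Start 0x00000000ff4a0000 End 0x00000000ff4d3fff Tag Vad 
Flags: CommitCharge: 3, Protection: 7
Protection: PAGE_EXECUTE_WRITECOPY
Vad Type: VadImageMap
ControlArea @fffffa8003a9c840 Segment fffff8a001a0f000
Control Flags: Accessed: 1, File: 1, Image: 1
FileObject @fffffa8003aa1210, Name: \\Windows\\System32\\notepad.exe
"""

if __name__ == "__main__":
    if len(sys.argv) == 6:
        run(sys.argv[1], sys.argv[2], int(sys.argv[3]), sys.argv[4], sys.argv[5])
    else:
        for v in vads_mapping(parse_vadinfo(SAMPLE_VADINFO), r"\.txt$"):
            print(" ".join(vaddump_cmd("hiberfil.sys", "Win7SP1x64", v, "out")), "#", v["file"])
```

Usage: `script.py IMAGE PROFILE PID REGEX OUT_DIR`. With no arguments it runs the filter over the constructed sample and prints the single vaddump command for the notes.txt mapping; the private heap region and the notepad.exe image are left out.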
On 3/24/2014 6:38 PM, Andy Bellman wrote:
Hello again,
So, now that I am using the right profile, the plug-ins seem to work.
My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from
a Win 7 SP1 64 bit system.
My next step seemed to be using pslist to get the PIDs, and putting those into one of the
built-in plugins.
I've tried dumpfiles, vaddump, memdump, and some others.
It looks like I should be able to piece something together between the results of
dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that
out yet. I'm wondering if there is a more specific switch. They both seem to produce
a lot more files than I need.
Is there a better way to use Volatility's built-in tools to pull out files from
notepad?
Is there an add-on that I can download which will pull out something more quickly and
cleanly?
Thanks,
andybellman(a)outlook.com
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users