Jamie,
I checked my copy of the filescan results. There were three listings which mentioned a directory where a lot of text files were saved, some of them likely open for editing. Nothing showed up in the dump directory for any of them (using -Q OFFSET), so I guess that means there was nothing there that dumpfiles recognizes, or that they weren't in memory.
My hiberfil.sys is a bit over two gigs, and my pagefile.sys a bit under seven. I expect that this could be part of my problem, but I'm ignorant enough that I couldn't say.
Thank you,
andybellman@outlook.com
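Added example (editor's addition, not code from the thread or from the Volatility project): a small POSIX shell script that automates the filescan -> dumpfiles -Q workflow gleeda describes, so only the file objects of interest are dumped rather than everything a PID touched, and that also prints Andrew's one-shot alternative (dumpfiles -r with -i for case-insensitive matching). The image name, profile and output directory are assumptions (Win7SP1x64 matches the 64-bit Win 7 SP1 system in the thread; Volatility 2 reads a Win7 hiberfil.sys directly, as the thread's own plugin runs show). The filescan lines in SAMPLE_FILESCAN are constructed to mirror the columns Volatility 2.3 prints (Offset(P), #Ptr, #Hnd, Access, Name) and are not real output. One caveat worth keeping in mind when reading Andy's empty-dump-directory result: dumpfiles carves the cached contents of FILE_OBJECTs, so text that was never saved has no file object to find and lives only in the notepad.exe process's private memory, which is what vaddump/memdump with -p produce.

```shell
#!/bin/sh
# Added example (not from the vol-users thread): script the filescan ->
# dumpfiles -Q workflow so that only matching file objects are dumped.
# Assumptions: IMAGE, PROFILE and OUTDIR below. SAMPLE_FILESCAN is constructed
# to mirror the column layout of Volatility 2.3 filescan; it is not real output.

IMAGE="${IMAGE:-hiberfil.sys}"      # assumption: Volatility 2 reads a Win7 hiberfil directly
PROFILE="${PROFILE:-Win7SP1x64}"    # assumption: Win 7 SP1 64-bit, as in the thread
OUTDIR="${OUTDIR:-dumped}"          # assumption: where dumpfiles writes its output

# Constructed sample of filescan output (Offset(P) #Ptr #Hnd Access Name).
SAMPLE_FILESCAN='Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003e5c2f20      2      0 R--r-- \Users\andy\Documents\notes.txt
0x000000003e6a1070      1      1 RW-rw- \Users\andy\Documents\my draft.txt
0x000000003f0b4b30     16      0 R--r-d \Windows\System32\notepad.exe
0x000000003f123450      1      0 R--r-- \Users\andy\Documents\TODO.TXT'

# filescan_offsets REGEX [FILE]
# Read filescan output (FILE, or stdin when FILE is omitted) and print
# "offset<TAB>path" for every entry whose path matches REGEX (awk extended
# regex, matched case-insensitively). The regex travels through the
# environment because awk -v would reinterpret backslash escapes in it.
filescan_offsets() {
    RE="$1" awk '
        BEGIN { re = tolower(ENVIRON["RE"]) }
        /^0x/ {
            path = $5
            for (i = 6; i <= NF; i++) path = path " " $i   # names may contain spaces
            if (tolower(path) ~ re) print $1 "\t" path
        }' ${2:+"$2"}
}

# dumpfiles_cmds REGEX [FILE]
# Emit one "dumpfiles -Q OFFSET" command per matching file object. Commands
# are printed rather than executed so the selection can be reviewed first.
dumpfiles_cmds() {
    filescan_offsets "$1" ${2:+"$2"} | while IFS="$(printf '\t')" read -r off path; do
        printf 'vol.py -f "%s" --profile=%s dumpfiles -Q %s -D "%s"  # %s\n' \
            "$IMAGE" "$PROFILE" "$off" "$OUTDIR" "$path"
    done
}

# regex_cmd REGEX
# The one-shot alternative from the thread: let dumpfiles filter by name itself
# (-r REGEX, -i ignore case) instead of going through filescan by hand.
regex_cmd() {
    printf "vol.py -f \"%s\" --profile=%s dumpfiles -r '%s' -i -D \"%s\"\n" \
        "$IMAGE" "$PROFILE" "$1" "$OUTDIR"
}

# Demo on the constructed sample: prints the commands, executes nothing.
# Real use: vol.py -f "$IMAGE" --profile=$PROFILE filescan > filescan.txt
#           dumpfiles_cmds '\.txt$' filescan.txt
printf '%s\n' "$SAMPLE_FILESCAN" | dumpfiles_cmds '\.txt$'
regex_cmd '\.txt$'
```

Run the real filescan once and save its output; every later selection is then a cheap awk pass over that text file instead of another walk of the image, and the printed commands can be pasted or piped to sh once they look right.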
> Subject: Re: [Vol-users] Extracting document files from hiberfil.sys
> To: atcuno@gmail.com; vol-users-bounces@volatilesystems.com; andybellman@outlook.com; vol-users@volatilesystems.com
> From: jamie@memoryanalysis.net
> Date: Tue, 25 Mar 2014 10:35:28 +0000
>
> If the files are no longer referenced by a process, you can use filescan to get the offset and try to dump the files w/dumpfiles and the -Q switch and the file's offset you got from filescan (-Q OFFSET).
>
> All the best,
>
> -gleeda
>
>
> -----Original Message-----
> From: Andrew Case <atcuno@gmail.com>
> Sender: vol-users-bounces@volatilityfoundation.org
> Date: Mon, 24 Mar 2014 22:11:04
> To: Andy Bellman <andybellman@outlook.com>; vol-users@volatilityfoundation.org <vol-users@volatilityfoundation.org>
> Subject: Re: [Vol-users] Extracting document files from hiberfil.sys
>
> If you just want to pull files out then you should try the dumpfiles [1]
> plugin. You can filter it with the -r option to say for all *.txt files.
> Obviously txt files can be edited with something besides notepad, but
> it's at least a start.
>
> Also to help filter your vaddump output you could use vadinfo to
> determine which file the particular VAD is mapping and then only dump
> those of interest.
>
> Thanks,
> Andrew (@attrc)
>
> [1] https://code.google.com/p/volatility/wiki/CommandReference23#dumpfiles
>
> On 3/24/2014 6:38 PM, Andy Bellman wrote:
> >
> > Hello again,
> >
> >
> > So, now that I am using the right profile, the plug-ins seem to work.
> >
> >
> > My goal is recovering unsaved notepad files from hibernation. I have a hiberfil.sys from a Win 7 SP1 64 bit system.
> >
> >
> > My next step seemed to be using pslist to get the PIDs, and putting those into one of the built in plugins.
> >
> >
> > I've tried dumpfiles, vaddump, memdump, and some others.
> >
> >
> > It looks like I should be able to piece something together between the results of dumpfiles with a PID switch, and of vaddump with a PID switch. I haven't figured that out yet. I'm wondering if there is a more specific switch. They both seem to produce a lot more files than I need.
> >
> >
> > Is there a better way to use volatility's built in tools to pull out files from notepad?
> >
> >
> > Is there an add on that I can download which will pull out something more quickly and cleanly?
> >
> >
> > Thanks,
> > andybellman@outlook.com
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users@volatilesystems.com
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >