Let me know what sections you would like and I will
see if I can extract them.
I can't justify the $655 for the Moonsols toolkit right now. The
community edition won't convert windows 7 hibernation files.
On Sat, Mar 10, 2012 at 8:16 AM, AAron Walters <awalters(a)4tphi.net> wrote:
Rob,
No worries...This will most likely be covered in our upcoming patch. Would
you be willing to send us a couple of formatting sections from the file?
This would allows us to easily confirm that your sample will be supported
with the upcoming patch. In the interim, you may try using MoonSol's tool
to convert the sample to a raw dd format.
Thanks,
AW
On Sat, 10 Mar 2012, Dewhirst, Rob wrote:
> Sadly I can't share the sample. This is from an x86 Windows 7 system.
> I believe it had 4GB of RAM.
>
> On Sat, Mar 10, 2012 at 7:51 AM, AAron Walters <awalters(a)4tphi.net> wrote:
>>
>>
>> Rob,
>>
>> Thanks for the email. It means that Volatility is not able to
>> automatically
>> identify a suitable address space. Do you have any information about the
>> system the hiberfil was collected from (OS, Hardware Architecture, Size
>> of
>> Ram, etc). We have a big patch coming in the next release that should
>> expand the hiberfil support. Would you be able to share the sample?
>>
>> Thanks,
>>
>> AW
>>
>>
>>
>> On Fri, 9 Mar 2012, Dewhirst, Rob wrote:
>>
>>> Does this mean volatility can't identify the hiberfil?
>>>
>>> $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys
>>> Volatile Systems Volatility Framework 2.1_alpha
>>> No suitable address space mapping found
>>> Tried to open image as:
>>> WindowsHiberFileSpace32: No base Address Space
>>> EWFAddressSpace: No base address space provided
>>> WindowsCrashDumpSpace32: No base Address Space
>>> AMD64PagedMemory: No base Address Space
>>> JKIA32PagedMemory: No base Address Space
>>> JKIA32PagedMemoryPae: No base Address Space
>>> IA32PagedMemoryPae: Module disabled
>>> IA32PagedMemory: Module disabled
>>> WindowsHiberFileSpace32: No xpress signature found
>>> EWFAddressSpace: EWF signature not present
>>> WindowsCrashDumpSpace32: Header signature invalid
>>> AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>>> JKIA32PagedMemory: No valid DTB found
>>> JKIA32PagedMemoryPae: No valid DTB found
>>> IA32PagedMemoryPae: Module disabled
>>> IA32PagedMemory: Module disabled
>>> FileAddressSpace: Must be first Address Space
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org