One other thing to remember about hibernation files is that Windows needs
to ensure that there's enough space on the drive in order to hibernate the
computer, so it'll just allocate space on the disk for the hibernation
file. If the computer has never been hibernated, you sometimes get a
hibernation file that is all zeros, and in even odder cases, you'll get a
hibernation file that just traps a bunch of old unallocated hard drive data.
tl;dr - Not all hibernation files actually contain hibernation data.
On Mon, Jun 13, 2016 at 2:33 PM Jamie Levy <jamie(a)memoryanalysis.net> wrote:
Hi Kevin,
Just to check: are you sure it's a 32bit Windows 7 machine? If not, try
the Win7SP1x64 profile and see if that works.
Also, please make sure that there is actually data in the hibernation
file (that it is not all zeroes). You can do this with linux:
$ xxd hiberfil.sys |grep -v "0000 0000 0000 0000 0000 0000 0000 0000"
or
$ <hiberfil.sys tr -d '\0' | read -n 1 || echo "all zeroes"
Let me know if things still don't work and I'll see if I can help you
troubleshoot it further.
All the best,
-Jamie
On 6/13/16 2:01 PM, Kevin Marker wrote:
All,
I have a hibernation file from a Windows 7 machine that when I run
hibinfo against it, I get the output below. Has anyone seen this
before? I'm using the latest version of volatility from github, as of
today. The command I used was vol.py -f hiberfil.sys
--profile==Win7SP1x86 hibinfo. Other plugins fail as well. Converting
the file to raw format using imagecopy and using other plugins didn't
work either.
Thanks for the help!
Kevin
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VMWareMetaAddressSpace: VMware metadata file is not available
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareAddressSpace: Invalid VMware signature: 0x0
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile Win7SP1x86 selected
IA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: No valid DTB found
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jamie Levy (@gleeda)
Blog:
http://volatility-labs.blogspot.com/
GPG:
http://pgp.mit.edu/pks/lookup?op=get&search=0x196B2AB527A4AC92
Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
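A triage check that combines the two points raised in this thread (Jamie's "is it all zeroes" test and the note that a preallocated hiberfil.sys may just hold stale disk contents), added here as an example and not code from the thread or from Volatility. It walks the file page by page, counts all-zero pages and `\x81\x81xpress` block markers, and reads the header signature (`hibr`/`HIBR`/`wake`/`WAKE`, which Windows clears after a resume); the sample images it builds are constructed, and the "hibernation" one only places the markers, not real compressed memory.

```python
import io
import os

PAGE = 4096
XPRESS_MAGIC = b"\x81\x81xpress"                    # precedes each compressed block in hiberfil.sys
HEADER_SIGS = {b"hibr", b"HIBR", b"wake", b"WAKE"}  # PO_MEMORY_IMAGE signature; zeroed after resume

def triage_hiberfil(stream, page=PAGE):
    """Walk a hiberfil.sys page by page (multi-GB files are fine) and report
    whether it holds compressed memory, is all zeros, or only stale disk data."""
    pages = zero_pages = xpress_blocks = 0
    header = carry = b""  # carry: tail of the previous page, so a marker split across pages still counts
    while True:
        chunk = stream.read(page)
        if not chunk:
            break
        if pages == 0:
            header = chunk[:4]
        pages += 1
        if chunk == bytes(len(chunk)):
            zero_pages += 1
        xpress_blocks += (carry + chunk).count(XPRESS_MAGIC)
        carry = chunk[-(len(XPRESS_MAGIC) - 1):]
    if xpress_blocks:
        verdict = "hibernation-data" if header in HEADER_SIGS else "hibernation-data-header-cleared"
    elif pages and zero_pages == pages:
        verdict = "all-zeros"                # space was allocated but never written
    else:
        verdict = "no-hibernation-data"      # allocated file holding old unallocated disk contents
    return {"pages": pages, "zero_pages": zero_pages, "xpress_blocks": xpress_blocks,
            "header": header, "verdict": verdict}

def triage_bytes(data):
    return triage_hiberfil(io.BytesIO(data))

def build_sample(kind, pages=16):
    """Constructed images for this demonstration only; these are not real hibernation files."""
    if kind == "zeroed":
        return bytes(pages * PAGE)
    img = bytearray(os.urandom(pages * PAGE))  # random bytes stand in for stale disk data
    if kind == "stale":
        return bytes(img)
    img[:4] = b"hibr"
    for off in range(PAGE, len(img), 4 * PAGE):  # one block marker every four pages
        img[off:off + len(XPRESS_MAGIC)] = XPRESS_MAGIC
    if kind == "resumed":  # header page cleared, as after a successful resume
        img[:PAGE] = bytes(PAGE)
    return bytes(img)
```

Run it on a real file with `triage_hiberfil(open("hiberfil.sys", "rb"))`; a verdict of "all-zeros" or "no-hibernation-data" explains a "No xpress signature found" failure before any profile troubleshooting.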