vol-users,
Some of you may have noticed that Matthieu Suiche just released a tool for
converting hiberfil.sys to a physical memory dump.
http://www.msuiche.net/2008/02/26/sandman-10080226-is-out/
We have added support for Sandman-generated images of physical memory in
the upcoming Volatility 1.3 release. If you would like to play with it
before then, I have attached a patch for Volatility-1.1.1. If you get a
chance, give it a try. Please let us know if you have any problems with
the Volatility modules!
    cd Volatility-1.1.1
    patch -p1 <Volatility-1.1.1.hiber.patch
Thanks,
AW