--
Matthieu Suiche
On Tue, Oct 27, 2009 at 11:48 PM, Brendan Dolan-Gavitt <bdolangavitt(a)wesleyan.edu> wrote:
Matthew,

1. It was not a fluke, and such files should work in general. Most of the important information in the hibernation file is not kept in the first page.

2. It's a possibility. The main problem right now, as you identified, is distinguishing between a plain dd dump and a zeroed hibernation file--there's no signature to check.

3. No. I believe that in some dd images, the first physical page is inaccessible, and zeroes may be written. If you can think of a way to detect these files that reliably distinguishes them from dd dumps, I think we'd love to have such support!

Checking for the string "\x81\x81xpress" at offset 0x4000 *may* work, as 0x4000 is usually where the compressed data starts, and compressed blocks start with that signature. I just tried adding this as a secondary check to is_hiberfil, and it works on my very limited test cases (one active hiberfile, one zeroed hiberfile, and two DD images). I'd want it to get a lot more testing before putting it into production, though...

In any case, here's a patch for others to try out:
http://amnesia.gtisc.gatech.edu/~moyix/hibdetect.patch

The best thing would be to test a large corpus of DD and hibernation files, and make sure there are no false positives. Anyone got one of those sitting around? ;)

Thanks,
Brendan
On Oct 27, 2009, at 3:03 PM, Matthew Donovan wrote:

On this mailing list there was some discussion about hibernation files with the first page (0x1000 bytes) zeroed out. The SVN version of hibinfo converts one of these "inactive" hibernation files into a raw dd-type image. But that seems to be all the support it currently has.

As an experiment, we changed is_hiberfil() to always return True and ran the Volatility commands on an inactive hibernation file. They all appear to run successfully.

So this leads to a few questions:

1) Was that just a fluke of the file we used that the Volatility commands worked?
2) Are there any plans to identify/support hibernation files with the first page zeroed out?
3) Can we assume that a file with the first 0x1000 bytes zeroed out is a hibernation file?
4) If the answer to (2) is 'no' and the answer to (3) is 'yes', where can we submit a patch?

Thanks
-matthew
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
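The secondary check Brendan describes above (first page zeroed, "\x81\x81xpress" at offset 0x4000) as a stand-alone Python example added here; it is not the Volatility project's is_hiberfil() and not the contents of the linked hibdetect.patch. The function and sample names are this example's own, the sample images are constructed in the code, and the "hibr" header magic used to recognise an active hiberfil.sys is an assumption taken from general knowledge of the format rather than from the thread.

```python
"""Hibernation-file detection heuristic from the Vol-users thread (added example)."""
from typing import Dict, Iterable

PAGE_SIZE = 0x1000                # size of the first page of hiberfil.sys
XPRESS_OFFSET = 0x4000            # where the compressed data usually starts
XPRESS_MAGIC = b"\x81\x81xpress"  # signature at the start of each compressed block
ACTIVE_MAGIC = b"hibr"            # assumed header magic of an active hiberfil (not from the thread)


def classify_image(data: bytes) -> str:
    """Classify a memory image as 'active_hiberfil', 'zeroed_hiberfil' or 'unknown'.

    'unknown' covers plain dd dumps, including dd dumps whose first page was
    written as zeroes because the physical page was inaccessible.
    """
    # Too short to even contain the offset we want to check.
    if len(data) < XPRESS_OFFSET + len(XPRESS_MAGIC):
        return "unknown"

    first_page = data[:PAGE_SIZE]

    # An active hibernation file still carries its header signature.
    if first_page[:4].lower() == ACTIVE_MAGIC:
        return "active_hiberfil"

    # Zeroed first page alone is NOT enough (a dd dump can look the same);
    # require the XPRESS block signature at 0x4000 as the secondary check.
    first_page_zeroed = not any(first_page)
    has_xpress_block = data[XPRESS_OFFSET:XPRESS_OFFSET + len(XPRESS_MAGIC)] == XPRESS_MAGIC
    if first_page_zeroed and has_xpress_block:
        return "zeroed_hiberfil"

    return "unknown"


def is_hiberfil(data: bytes) -> bool:
    """Boolean form, mirroring how a detection hook would use the classifier."""
    return classify_image(data) != "unknown"


def scan_corpus(paths: Iterable[str]) -> Dict[str, str]:
    """Classify each file on disk, reading only the bytes the heuristic needs.

    Intended for the false-positive test Brendan asks for: run it over a corpus
    of known dd dumps and hibernation files and inspect the result map.
    """
    results: Dict[str, str] = {}
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(XPRESS_OFFSET + len(XPRESS_MAGIC))
        results[path] = classify_image(head)
    return results


# --- constructed sample images (not real captures) ---------------------------

def constructed_zeroed_hiberfil() -> bytes:
    """Zeroed first pages, then an XPRESS block signature at 0x4000."""
    return b"\x00" * XPRESS_OFFSET + XPRESS_MAGIC + b"\x00" * 0x100


def constructed_dd_dump() -> bytes:
    """Zeroed first page (inaccessible physical page), then ordinary memory."""
    return b"\x00" * PAGE_SIZE + bytes(range(256)) * 0x40


def constructed_active_hiberfil() -> bytes:
    """'hibr' header in page 0, XPRESS block at 0x4000."""
    header = ACTIVE_MAGIC + b"\x01" * (PAGE_SIZE - len(ACTIVE_MAGIC))
    padding = b"\x00" * (XPRESS_OFFSET - PAGE_SIZE)
    return header + padding + XPRESS_MAGIC + b"\x00" * 0x100


if __name__ == "__main__":
    for name, sample in [
        ("zeroed hiberfil", constructed_zeroed_hiberfil()),
        ("dd dump", constructed_dd_dump()),
        ("active hiberfil", constructed_active_hiberfil()),
    ]:
        print(f"{name:16s} -> {classify_image(sample)}")
```

Note that the heuristic is only as good as the assumption that compressed data begins at 0x4000; a hibernation file whose first compressed block sits elsewhere would be reported as unknown, which is the safe direction for a detector that must not mistake dd dumps for hibernation files.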