ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

hiberfil.sys imagecopy same size and not able to read #477

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Extract a Win7SP1x86 hiberfil.sys
2. The file hiberfil.sys is the same size as the extracted hiberfil.img
3. Command used: vol.exe imagecopy --profile=Win7SP1x86 -f hiberfil.sys -O hiberfil.img
4. Tried both Linux and Windows versions

What is the expected output? What do you see instead?

Have seen on other hiberfil.sys files the size of the image is greater. This has happened on more than one occasion.

What version of the product are you using? On what operating system?

2.3.1

Please provide any additional information below.

Just wondering if there are some issues with various hiberfil.sys files that do not convert?

Original issue reported on code.google.com by neivie...@gmail.com on 11 Feb 2014 at 8:10

GoogleCodeExporter commented 9 years ago
Are you able to get anything from the hibernation file without converting it? Like if you run pslist on it directly? Can you run kdbgscan on the converted sample and paste it in here?

Original comment by jamie.l...@gmail.com on 12 Feb 2014 at 9:54

GoogleCodeExporter commented 9 years ago
Closing this issue due to lack of information; however, we've followed up with neivie515 via email and will reopen the issue if necessary.

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 4:03

GoogleCodeExporter commented 9 years ago
Sorry, haven't found an example where I can share the actual hiberfil.sys file... I'll keep searching.

Original comment by neivie...@gmail.com on 18 Mar 2014 at 1:00

GoogleCodeExporter commented 9 years ago
Found a hiberfil.sys that does not expand that I can share.

I have it hosted via ownCloud.

Please advise an email address to send the link to.

Original comment by neivie...@gmail.com on 2 Jun 2014 at 7:18

GoogleCodeExporter commented 9 years ago
Please send it to me at: jamie.levy @ gmail . com

Original comment by jamie.l...@gmail.com on 3 Jun 2014 at 3:23