ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Volatility 2.4 fails to decompress win8 hiberfil.sys #511

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use volatility 2.4
2. obtain hiberfil.sys from Win8 64bit machine (SP0 or 1)
3. attempt to decompress the hibernation file

What is the expected output? What do you see instead?
A decompressed hibernation file that the volatility plugins can work against

What version of the product are you using? On what operating system?
volatility 2.4, from ~beginning of July, running on a modern Linux OS

Please provide any additional information below.
Is this a bug, or has that functionality not been completely built into 2.4 at 
this time?

Original issue reported on code.google.com by BenEatW...@gmail.com on 22 Jul 2014 at 4:19

GoogleCodeExporter commented 9 years ago
Hi - the support for Win8/2012 hibernation files has not been added yet, but 
it's one of the very last things on the list. I'll ping you via email once it's 
been added in case you want to test. In the meantime, you can use Moonsols 
hibr2bin.exe (however it's not free) to convert the memory into a raw format, 
which you can then analyze with Volatility.

Original comment by michael.hale@gmail.com on 22 Jul 2014 at 7:45

GoogleCodeExporter commented 9 years ago
This has been documented on the new 
tracker: https://github.com/volatilityfoundation/volatility/issues

Closing here.

Original comment by jamie.l...@gmail.com on 20 Nov 2014 at 8:24