Windows XP SP3 hibernation file

(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Hello everyone, is anyone aware of a tool that can be used to analyze the information stored in a Windows XP hibernation file?

 
Posted : 16/02/2010 5:54 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If you mean the hibernation file, I'd check out Volatility….

 
Posted : 16/02/2010 5:56 pm
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Yeah, sorry for all my typos, I'm not a native English speaker and many times I write things wrong :)

Thanks, I'm checking Volatility and Memoryze.

Volatility seems to be able to convert a hibernation file to a flat image.

 
Posted : 16/02/2010 6:01 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

I thought I would point you to this blog but we may both have language problems!

http://cci.cocolog-nifty.com/blog/2010/02/encase-enscript.html

I don't know if it will do the hibernation file, just a suggestion for further research. I think there is some English language on there if you click a bit further.

H

 
Posted : 17/02/2010 12:39 am
(@minesh)
Posts: 75
Trusted Member
 

Volatility, Sandman Framework and X-Ways Forensics should help.

You can decompress the hiberfil.sys in X-Ways and then analyse as you normally would (for example, within EnCase or any of the above tools).

FYI, it is compressed using the 'Xpress' algorithm, which was first reverse engineered by Matthieu Suiche (http://www.msuiche.net).

Minesh

 
Posted : 21/02/2010 5:59 pm
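As an added illustration of the compression Minesh mentions (not code from this thread or from Volatility, Sandman or X-Ways), here is a decoder for the plain LZ77 variant of Microsoft Xpress as documented in MS-XCA. It decodes a single compressed block; the block headers that surround each compressed block inside hiberfil.sys are assumed to be stripped already, and the sample bytes are constructed by hand.

```python
import struct


def xpress_decompress(data, out_size=None):
    """Decode one plain-LZ77 Xpress block (MS-XCA section 2.4). Decoding stops
    when the input is exhausted or when out_size bytes have been produced."""
    out = bytearray()
    pos, flags, nflags = 0, 0, 0              # flag bits are consumed MSB first
    nibble_pos = None                         # index of a byte holding a spare half-byte
    while pos < len(data) and (out_size is None or len(out) < out_size):
        if nflags == 0:                       # refill the 32-bit flag word
            flags = struct.unpack_from("<I", data, pos)[0]
            pos, nflags = pos + 4, 32
            if pos >= len(data):
                break                         # trailing flag word, nothing follows
        nflags -= 1
        if not (flags >> nflags) & 1:         # flag 0: literal byte
            out.append(data[pos])
            pos += 1
            continue
        token = struct.unpack_from("<H", data, pos)[0]  # flag 1: back-reference
        pos += 2
        offset, length = (token >> 3) + 1, token & 7
        if length == 7:                       # length escape: add a half-byte...
            if nibble_pos is None:
                length, nibble_pos, pos = data[pos] & 0x0F, pos, pos + 1
            else:
                length, nibble_pos = data[nibble_pos] >> 4, None
            if length == 15:                  # ...then a full byte...
                length, pos = data[pos], pos + 1
                if length == 255:             # ...then a 16-bit value (length - 3)
                    length = struct.unpack_from("<H", data, pos)[0] - (15 + 7)
                    pos += 2
                    if length < 0:
                        raise ValueError("corrupt length field")
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("match offset points before the start of output")
        for _ in range(length):               # byte-wise copy: matches may overlap
            out.append(out[-offset])
    return bytes(out if out_size is None else out[:out_size])


# Constructed sample block: literals "ABC", then a 9-byte match at offset 3.
SAMPLE = bytes.fromhex("00000010" "414243" "1600")
```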
(@rampage)
Posts: 354
Reputable Member
Topic starter
 

Thanks a lot for your help :)

Just another question: do you know if it's possible to analyze VMware ESX VM running states?

Like a machine which is paused and then acquired from the ESX server for forensic purposes. I was interested in analyzing the RAM file (.nvram ?); is this a proprietary format or a flat image? Is there any tool that I can use to analyze it?

It's a 2k3 domain controller virtualized with ESX.

Thanks again for the help :)

 
Posted : 21/02/2010 6:08 pm