Hello everyone, is anyone aware of a tool that can be used to analyze information stored in a Windows XP ibernation file?
If you mean the hibernation file, I'd check out Volatility….
Yeah, sorry for all my typos, I'm not a native English speaker and many times I write things wrong :)
Thanks, I'm checking Volatility and Memoryze.
Volatility seems to be able to convert a hibernation file to a flat image.
I thought I would point you to this blog but we may both have language problems!
http//
I don't know if it will do the hibernation file; it's just a suggestion for further research. I think there is some English language on there if you click a bit further.
H
Volatility, Sandman Framework and X-Ways Forensics should help.
You can decompress the hiberfil.sys in X-Ways and then analyse as you normally would (for example, within EnCase or any of the above tools).
FYI, it is compressed using the 'Xpress' algorithm, which was first reverse engineered by Matthieu Suiche (http//
Minesh
Thanks a lot for your help :)
Just another question: do you know if it's possible to analyze VMware ESX VM running states?
Like a machine which is paused and then acquired from the ESX server for forensic purposes. I was interested in analyzing the RAM file (.nvram ?); is this a proprietary format or a flat image? Is there any tool that I can use to analyze it?
It's a 2k3 domain controller virtualized with ESX.
Thanks again for the help :)