Hello all
I'm currently working on my university final year project which is file carving artefacts from Windows hibernation files (hiberfil.sys).
I'll try to keep this post brief but I'm more than happy to discuss it at length.
In order to keep the file size of the hiberfil.sys files down to a minimum, they use a modified version of the LZ77 compression algorithm to compress blocks of data (approx. 64 KB in size).
I've written my file carver and decode/decompression program but I'm having problems with decompressing the data inside the compressed 'xpress' blocks.
I've based my algorithm on the 'Sandman' project that was released a few years ago but I'm trying to implement the decompression myself, rather than relying on existing tools.
If anyone has any information or experience in dealing with either hiberfil.sys internals or the Microsoft 'xpress' compression I'd appreciate any advice you can provide.
My main problem comes from reading in the first 32-bit bitmask (if you know what I'm talking about I'd love to hear your thoughts!).
Thanks very much
Tony
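As an added example (not part of Tony's post, and not code from the Sandman project), here is a Python decoder for the plain LZ77 block format that Microsoft documents as "Xpress", together with a small greedy encoder so that the decoder can be exercised with offline round trips. The layout it implements is the documented one: a 32-bit little-endian flag word whose bits are consumed from bit 31 downwards (0 = literal byte, 1 = match), a 16-bit little-endian match token with the length minus 3 in the low 3 bits and the offset minus 1 in the high 13 bits, a length nibble shared between two consecutive long matches, then an 8-bit and finally a 16-bit length extension. That hiberfil.sys blocks use exactly this variant, and that a block expands to 65536 bytes, are assumptions of the example that should be checked against real carved blocks; all sample inputs are constructed.

```python
import struct

WINDOW = 8192          # 13-bit offset field: back-references reach at most 8192 bytes
MAX_MATCH = 65535 + 3  # 16-bit extended length field, plus the implicit 3


def xpress_plain_decompress(data: bytes, out_size: int = 65536) -> bytes:
    """Decode one plain-LZ77 ("Xpress") block into out_size bytes.
    Assumption: a hiberfil.sys block expands to 16 pages = 65536 bytes."""
    out = bytearray()
    pos, n = 0, len(data)
    flags, flag_count = 0, 0     # the 32-bit bitmask and how many bits remain in it
    nibble_pos = None            # index of a length byte whose high nibble is still unused
    while len(out) < out_size:
        if flag_count == 0:
            if pos >= n:
                break            # input exhausted on an element boundary
            if pos + 4 > n:
                raise ValueError("truncated flag word at offset %d" % pos)
            flags = struct.unpack_from("<I", data, pos)[0]
            pos += 4
            flag_count = 32
        flag_count -= 1
        if not (flags >> flag_count) & 1:          # bit 31 is tested first, then 30, ...
            if pos >= n:
                raise ValueError("flag says literal but input is exhausted")
            out.append(data[pos])                  # literal byte
            pos += 1
            continue
        if pos >= n:
            break                # set flag bit with no token behind it: end-of-stream marker
        token = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        length = token & 7                         # low 3 bits: length - 3 (7 = "read more")
        offset = (token >> 3) + 1                  # high 13 bits: offset - 1
        if length == 7:
            if nibble_pos is None:                 # first use of a shared length byte
                nibble_pos = pos
                length = data[pos] & 0x0F
                pos += 1
            else:                                  # second use: high nibble, no new input byte
                length = data[nibble_pos] >> 4
                nibble_pos = None
            if length == 15:
                length = data[pos]                 # 8-bit extension
                pos += 1
                if length == 255:                  # 16-bit extension
                    length = struct.unpack_from("<H", data, pos)[0]
                    pos += 2
                    if length < 15 + 7:
                        raise ValueError("invalid extended length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("back-reference before start of output")
        for _ in range(length):                    # byte-wise copy, so overlapping matches work
            out.append(out[-offset])
    return bytes(out)


def xpress_plain_compress(src: bytes) -> bytes:
    """Greedy encoder for the same format (quadratic search; fine for test data)."""
    out = bytearray()
    flags, flag_count, flag_pos = 0, 0, 0
    nibble_pos = None
    i, n = 0, len(src)

    def emit_flag(bit):
        nonlocal flags, flag_count, flag_pos
        if flag_count == 0:                        # reserve room for the next flag word
            flag_pos = len(out)
            out.extend(b"\0\0\0\0")
        flags = (flags << 1) | bit                 # first element lands in bit 31
        flag_count += 1
        if flag_count == 32:
            struct.pack_into("<I", out, flag_pos, flags)
            flags, flag_count = 0, 0

    while i < n:
        best_len, best_off = 0, 0
        for cand in range(max(0, i - WINDOW), i):
            l = 0
            while i + l < n and l < MAX_MATCH and src[cand + l] == src[i + l]:
                l += 1
            if l > best_len:
                best_len, best_off = l, i - cand
        if best_len < 3:
            emit_flag(0)
            out.append(src[i])
            i += 1
            continue
        emit_flag(1)
        L = best_len - 3
        out.extend(struct.pack("<H", ((best_off - 1) << 3) | min(L, 7)))
        if L >= 7:
            L -= 7
            if nibble_pos is None:                 # low nibble of a fresh byte
                nibble_pos = len(out)
                out.append(min(L, 15))
            else:                                  # high nibble of the byte written earlier
                out[nibble_pos] |= min(L, 15) << 4
                nibble_pos = None
            if L >= 15:
                L -= 15
                if L < 255:
                    out.append(L)
                else:
                    out.append(255)
                    out.extend(struct.pack("<H", best_len - 3))
        i += best_len
    if flag_count:                                 # pad unused flag bits with 1s (end marker)
        pad = 32 - flag_count
        struct.pack_into("<I", out, flag_pos, (flags << pad) | ((1 << pad) - 1))
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: long runs exercise the nibble, 8-bit and 16-bit length paths.
    sample = b"hibernation " * 40 + bytes(range(256)) * 3 + b"A" * 1000
    packed = xpress_plain_compress(sample)
    print(len(sample), "->", len(packed), "bytes; first flag word =",
          hex(struct.unpack_from("<I", packed)[0]))
    assert xpress_plain_decompress(packed, len(sample)) == sample
```

On real carved data, call the decoder with the decompressed size taken from the block header and treat a ValueError as a signal that the carve boundary or the offset of the first flag word is wrong; a mis-aligned start is the most common way to end up with back-references pointing before the start of the output.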
Something that may give you useful hints (or completely fail to)
http//
this might be the most interesting reference
http//
i.e. it translates "XPRESS" to "win2k3"
and gives a reference to the actual MS documentation.
Additionally, since 7-Zip can manage "XPRESS" compressed data, its source should be a "right" place to look into.
jaclaz
Thanks jaclaz
I've already been through those documents and it's some interesting reading.
I need to answer a very particular question about the xpress structure.
I'll take a look into 7-zip again.
Thanks
http//