Windows XP SP3 hibernation file

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Hello everyone, is anyone aware of a tool that can be used to analyze the information stored in the Windows XP hibernation file?

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

If you mean the hibernation file, I'd check out Volatility...

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Yeah, sorry for all my typos, I'm not a native English speaker and many times I write things wrong )

Thanks, I'm checking Volatility and Memoryze.

Volatility seems to be able to convert a hibernation file to a flat image.

harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

I thought I would point you to this blog but we may both have language problems!

http://cci.cocolog-nifty.com/blog/2010/02/encase-enscript.html

I don't know if it will do the hibernation file, just a suggestion for further research. I think there is some English language on there if you click a bit further.

H

(@minesh)
Trusted Member
Joined: 18 years ago
Posts: 75
 

Volatility, Sandman Framework and X-Ways Forensics should help.

You can decompress the hiberfil.sys in X-Ways and then analyse as you normally would (for example, within EnCase or any of the above tools).

FYI, it is compressed using the 'Xpress' algorithm, which was first reverse engineered by Matthieu Suiche (http://www.msuiche.net).

Minesh

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
Topic starter  

Thanks a lot for your help )

Just another question: do you know if it's possible to analyze VMware ESX VM running states?

Like a machine which is paused and then acquired from the ESX server for forensic purposes. I was interested in analyzing the RAM file (.nvram?). Is this a proprietary format or a flat image? Is there any tool that I can use to analyze it?

It's a 2k3 domain controller virtualized with ESX.

Thanks again for the help )
