Your hibernation file in a nutshell – Part II

Posted by Matthieu Suiche on December 13, 2008 · 4 Comments 

>> Part I < <
As I said in MoonSols blog, I decided to release the actual version of hibrshell as a free non-opensource tool. The current version is alpha, this means the project is still in developpement.

You can find hibrshell at the following link: http://www.msuiche.net/hibrshell/

Present:
* The actual version can read the hibernation file from a hibernated or resumed computer — this means hibrshell don’t mind if the first page (header) had been wiped or not.
* Moreover, Windows XP, 2003, Vista and 2008 hibernation file are compliant with hibrshell. Probably Windows Seven too — but I donnot have tested it.
* hibrshell uses Microsoft Debugging Symbols technology this explains why it is able to list process regardless of the target version.
* Only few basis features are actually provided.

help

Future:
* hibr2dmp command. To convert Microsoft hibernation file to an Microsoft crash dump file. I guess I’d be easier and more powerful to proceed to an advanced analysis with WinDbg than with my little swissknife.
* Support for Microsoft crash dump files, and raw memory snapshot will be added.

Filed under SandMan, Windows · Tagged with

Europol High Tech Crime Expert Meeting

Posted by Matthieu Suiche on December 4, 2008 · Leave a Comment 

For people who attend to my talk this week and asked for slides here is where you can download them. If you have any questions I’m reachable at matt#msuiche#net.

Filed under Windows · Tagged with