Your hibernation file in a nutshell – Part II

As I said on the MoonSols blog, I decided to release the current version of hibrshell as a free, non-open-source tool. The current version is alpha, which means the project is still in development.

You can find hibrshell at the following link:

* The current version can read the hibernation file from a hibernated or resumed computer; this means hibrshell doesn't mind whether the first page (header) has been wiped or not.
* Moreover, Windows XP, 2003, Vista and 2008 hibernation files are compatible with hibrshell. Probably Windows Seven too, but I have not tested it.
* hibrshell uses Microsoft Debugging Symbols technology, which explains why it is able to list processes regardless of the target version.
* Only a few basic features are currently provided.


* hibr2dmp command. To convert a Microsoft hibernation file into a Microsoft crash dump file. I guess it'd be easier and more powerful to proceed to an advanced analysis with WinDbg than with my little Swiss knife.
* Support for Microsoft crash dump files and raw memory snapshots will be added.

  1. I am very interested in your hiber-examiner. I have tried to run the ha.exe but I get the error message “cannot open file”. I put the hiberfil.sys in the same folder as the ha.exe and the “loading hiberfil.sys” starts but ends with the error. Do you have any idea of what I am doing wrong?


  2. Mr Suiche
    I have used your Hibrshell a lot and find it VERY Useful. Thank you. I am having a problem loading one particular hiberfil.sys file. The file is from a Win 2000 box that was using EFS. When I run Hibrshell, after loading the symbols I get an error at “Retrieving Kernel Image Base” and ha.exe opens a debugger. In the debugger I have an “unhandled win 32 exception”. Any command line troubleshooting I can try?


  3. @Rick: Thanks for your interest in my tools. Sorry for the late reply. The actual version of SandMan only supports versions from Windows XP and higher. But I plan to release an update in the following months to support Windows 2000 and to release additional tools.

