volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard
verified publisher icon volatilityfoundation

Feature : Hibernation Layer and plugins.

Open forensicxlab opened this issue 2 years ago • 11 comments

Hello,

  • Adding a new translation layer and plugins to allow modern Windows (Win8-Win11) hibernation file conversion to a raw memory image
  • Adding new codecs : LZ77, LZ77Huffman decompression algorithms.

Details about the feature : https://www.forensicxlab.com/posts/hibernation/

Best regards.

forensicxlab avatar Nov 11 '23 17:11 forensicxlab

Thanks very much for your contribution! This is quite a big change, so may take us some time to review (I also need to pull in some of the other guys who wrote our previous hibernation code to check it). So please don't despair, but this may take us some time...

ikelos avatar Nov 15 '23 00:11 ikelos

Hello @ikelos,

Finally found some time to make adjustments to the code. Added a bunch of comments for better readability for the reviewer(s).

I still have doubts about some of my choices for the implementation 🧐 Any news on your side about this PR review ?

Kind regards, Félix.

forensicxlab avatar Feb 04 '24 17:02 forensicxlab

Thanks Félix, unfortunately the chap that knows the hibernation stuff best ( @awalters ) is a little busy at the moment, so we haven't made much progress with it, but we haven't forgotten about it either. Could you describe your worries about the implementations choices you're not sure about please and hopefully one of us will be able to check out your concerns?

ikelos avatar Feb 08 '24 12:02 ikelos

Thanks Félix, unfortunately the chap that knows the hibernation stuff best ( @awalters ) is a little busy at the moment, so we haven't made much progress with it, but we haven't forgotten about it either. Could you describe your worries about the implementations choices you're not sure about please and hopefully one of us will be able to check out your concerns?

Hi @ikelos, I've added some comments about some of my worries and questions :D

Thank you for your quick responses every time.

Kind Regards. Félix.

forensicxlab avatar Feb 08 '24 18:02 forensicxlab

FYI, just used that one on my local vol3 installation during the weekend and must say worked flawlessly. I could convert with no issues the hiberfil.sys to the raw image file that can be analyzed later with vol3 plugins. Thank you @forensicxlab, you're my savior 💚

EDIT: As a bonus, it helped me tremendously at first stage of solving HTB CTF challenge: https://blog.cyberethical.me/htb-cyber-apocalypse-forensics-oblique-final, I really wish the PR got completed soon :) !

KamilPacanek avatar Mar 11 '24 10:03 KamilPacanek

Thanks for the feedback, much appreciated! This is still waiting on @awalters for review at the moment, but we'll get to it once things have calmed down for everyone... 5:)

ikelos avatar Mar 12 '24 00:03 ikelos