You can find a lot of information about the Hiberfil.sys on the ForensicWiki page.
Although most of the data structures required to parse the file format are available in the Microsoft Windows debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche. Together with Nicolas Ruff he created a project called Sandman, which is the only open-source tool that can read and write the Windows hibernation file.
The PDF of the Sandman project is found here.
The creators of the Sandman project also created a tool to dump the memory and the Hiberfil.sys file (and extract it from the Xpress compression format): MoonSols Windows Memory Toolkit.
Some of the other links on the ForensicWiki page don't work anymore, but here is one I found. (If you want to dive straight into the format structure you can use this resource. For the header, the first 8192 bytes of the file, you don't need to uncompress them.)
Hibernation File Format.pdf
This last PDF and the last link on the ForensicWiki page should give you enough information about the structure of the Hiberfil.sys.
Hibernation files consist of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE) and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).
The standard header exists at offset 0 of the file and is shown below. Generally, the Signature member must be either "hibr" or "wake" to be considered valid; however, in rare cases the entire PO_MEMORY_IMAGE header has been zeroed out, which can prevent analysis of the hibernation file in most tools. In those cases, Volatility will use a brute force algorithm to locate the data it needs.
The references in those documents should give you plenty of other sources to explore too.
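The two pieces the answer describes, the signature check on the uncompressed header (with the zeroed-header case that forces a brute-force scan) and the Xpress compression of the data blocks, as an added example; this is not code from Sandman, MoonSols or Volatility. It assumes that the Xpress variant in the hibernation file is the LZ77 + DIRECT2 stream that Microsoft later documented as "Plain LZ77" in MS-XCA, that each compressed block starts with the 8-byte signature `\x81\x81xpress` (`_IMAGE_XPRESS_HEADER.Signature`), and that 64 KiB is a sane upper bound on one decoded block; the function names `locate_blocks`, `xpress_decompress` and `xpress_compress` are this example's own. The encoder is included because the stream is only fully understood once you can produce it as well as read it.

```python
# Added example (not Sandman/MoonSols/Volatility code); assumptions in the lead-in.
import struct

XPRESS_SIGNATURE = b"\x81\x81xpress"   # _IMAGE_XPRESS_HEADER.Signature, 8 bytes

def locate_blocks(data):
    """PO_MEMORY_IMAGE signature (b"hibr"/b"wake"; None when zeroed, the case that
    forces brute force) and offsets of every Xpress block signature after the
    8192-byte header, which is stored uncompressed."""
    sig = bytes(data[:4])
    offsets, pos = [], data.find(XPRESS_SIGNATURE, 8192)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_SIGNATURE, pos + 8)
    return (sig if sig in (b"hibr", b"wake") else None), offsets

def xpress_decompress(src, max_out=65536):
    """Decode one stream: flag bits MSB first, a match flag with no input left ends it."""
    out = bytearray()
    pos = flags = nflags = half = 0
    while True:
        if nflags == 0:                          # refill the 32-bit flag word
            flags = struct.unpack_from("<I", src, pos)[0]
            pos, nflags = pos + 4, 32
        nflags -= 1
        if not flags & (1 << nflags):            # 0 = literal byte
            out.append(src[pos])
            pos += 1
            continue
        if pos >= len(src):                      # 1 with no input left = done
            return bytes(out)
        mb = struct.unpack_from("<H", src, pos)[0]
        pos += 2
        length, offset = mb & 7, (mb >> 3) + 1
        if length == 7:                          # escape: nibble, byte, word
            if half == 0:                        # low nibble of a fresh byte
                length, half, pos = src[pos] & 0x0F, pos, pos + 1
            else:                                # high nibble of the saved byte
                length, half = src[half] >> 4, 0
            if length == 15:
                length, pos = src[pos], pos + 1
                if length == 255:
                    length = struct.unpack_from("<H", src, pos)[0] - 22
                    pos += 2
                    if length < 0:
                        raise ValueError("invalid long match length")
                length += 15
            length += 7
        length += 3
        if offset > len(out) or len(out) + length > max_out:   # 64 KiB bound: assumption
            raise ValueError("match outside the decoded window")
        for _ in range(length):                  # byte-wise: source may overlap
            out.append(out[-offset])

def xpress_compress(src, window=8192):
    """Greedy encoder for the stream above (most recent 3-byte match; valid, not minimal)."""
    out, pos, n = bytearray(4), 0, len(src)      # 4 zero bytes: first flag word
    flags = nflags = half = flag_pos = 0

    def put_flag(bit):                           # call after a token's bytes
        nonlocal flags, nflags, flag_pos
        flags, nflags = (flags << 1) | bit, nflags + 1
        if nflags == 32:
            struct.pack_into("<I", out, flag_pos, flags)
            flag_pos, flags, nflags = len(out), 0, 0
            out.extend(b"\0\0\0\0")

    while pos < n:
        cand, length = src.rfind(src[pos:pos + 3], max(0, pos - window), pos + 2), 0
        if pos + 3 <= n and cand != -1:          # extend the match; may overlap pos
            while pos + length < n and length < 65538 and src[cand + length] == src[pos + length]:
                length += 1
        if length < 3:
            out.append(src[pos])
            put_flag(0)
            pos += 1
            continue
        offset, pos, length = pos - cand, pos + length, length - 3
        if length < 7:
            out += struct.pack("<H", length | ((offset - 1) << 3))
        else:
            out += struct.pack("<H", 7 | ((offset - 1) << 3))
            length -= 7
            if half == 0:                        # low nibble of a fresh byte
                half = len(out)
                out.append(min(length, 15))
            else:                                # high nibble of the saved byte
                out[half] |= min(length, 15) << 4
                half = 0
            if length >= 15:
                length -= 15
                if length < 255:
                    out.append(length)
                else:
                    out.append(255)
                    out += struct.pack("<H", length + 22)   # = match length - 3
        put_flag(1)
    flags = (flags << (32 - nflags)) | ((1 << (32 - nflags)) - 1)   # pad with 1s
    struct.pack_into("<I", out, flag_pos, flags)
    return bytes(out)
```

`xpress_decompress` takes the payload of a single block, the bytes that follow the 32-byte `_IMAGE_XPRESS_HEADER`; reading that header's size field, walking from one block to the next, and mapping decoded pages back to physical addresses through `_PO_MEMORY_RANGE_ARRAY` is what the linked PDFs document and is not covered here. The two MS-XCA worked examples (26 literals, and "abc" repeated 100 times) reproduce byte for byte with this encoder, which is a convenient way to convince yourself the flag and length encodings are right before pointing the decoder at real blocks.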
3
A hiberfil file is an image of the system's RAM at the time it was hibernated. As such, yes, a hex editor is likely the best you will get. This task is essentially no different than trying to read the contents of your RAM. – Frank Thomas – 2013-10-16T12:15:43.527
6
Relevant: http://security.stackexchange.com/questions/23787/can-you-extract-memory-contents-from-a-hibernated-windows-machine – Der Hochstapler – 2013-10-16T12:51:13.793
1
@FrankThomas do you know what the format of the hibernation file is? – coder – 2013-10-17T04:44:41.153
@OliverSalzburg I want to know some data structure to read the file. – coder – 2013-10-17T04:45:07.687
You can find out about the data structure in the accepted answer in the link @OliverSalzburg already provided. You could also look here and look in the PDF from the Sandman project. It gives you exactly what you asked for. – Rik – 2013-10-19T11:36:13.420
Why do you want to do that? What for? Hacking? – Werner Henze – 2013-10-23T14:42:29.400
1
@WernerHenze for my assignment – coder – 2013-10-27T03:26:43.327