How to read Windows Hibernation file (hiberfil.sys) to extract data?

8

5

I need to find out what data is stored in the hibernation file by parsing it. However, until now I have only managed to do so manually, by opening it in a hex editor and then searching for text in it. I found out about the SandMan library, but there aren't any resources available for it. Any idea how to read the file? Or is there a tool/library or other method to do so?

coder

Posted 2013-10-16T12:08:07.193

Reputation: 711

A hiberfil file is an image of the system's RAM at the time it was hibernated. As such, yes, a hex editor is likely the best you will get. This task is essentially no different from trying to read the contents of your RAM. – Frank Thomas – 2013-10-16T12:15:43.527

@FrankThomas do you know what the format of the hibernation file is? – coder – 2013-10-17T04:44:41.153

@OliverSalzburg I want to know the data structure so I can read the file. – coder – 2013-10-17T04:45:07.687

You can find out about the data structure in the accepted answer at the link @OliverSalzburg already provided. You could also look here, in the PDF from the Sandman project. It gives you exactly what you asked for.

– Rik – 2013-10-19T11:36:13.420

Why do you want to do that? What for? Hacking? – Werner Henze – 2013-10-23T14:42:29.400

@WernerHenze for my assignment – coder – 2013-10-27T03:26:43.327

Answers

7

You can find a lot of information about the Hiberfil.sys on the ForensicWiki page.

Although most of the data structures required to parse the file format are available in the Microsoft Windows debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche. Together with Nicolas Ruff he created a project called Sandman, which is the only open-source tool that can read and write the Windows hibernation file.

The PDF of the Sandman project can be found here.

The creators of the Sandman project also created a tool to dump the memory and the Hiberfil.sys file (and extract it from the Xpress compression format): MoonSols Windows Memory Toolkit.

Some of the other links on the ForensicWiki page don't work anymore, but here is one I found (if you want to dive straight into the format structure you can use this resource; for the header, the first 8192 bytes of the file, you don't need to uncompress them):

Hibernation File Format.pdf

This last PDF and the last link on the ForensicWiki page should give you enough information about the structure of the Hiberfil.sys.

Hibernation files consist of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE) and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).

The standard header exists at offset 0 of the file and is shown below. Generally, the Signature member must be either "hibr" or "wake" to be considered valid; however, in rare cases the entire PO_MEMORY_IMAGE header has been zeroed out, which can prevent analysis of the hibernation file in most tools. In those cases, Volatility will use a brute-force algorithm to locate the data it needs.

The references in those documents should give you plenty of other sources to explore too.

Rik

Posted 2013-10-16T12:08:07.193

Reputation: 11 800
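A worked parser for what the answer above describes, added here as an example and not code from the Sandman project, Volatility or any of the linked documents: it reads the leading PO_MEMORY_IMAGE fields, checks the hibr/wake signature, locates the \x81\x81xpress blocks after the uncompressed 8192-byte header and decodes each one with the LZ77 Xpress algorithm Suiche reversed. Two things are assumptions taken from the sources cited above rather than facts the answer states, and should be verified against the Sandman PDF for your Windows version: the layout of the compressed-size field in _IMAGE_XPRESS_HEADER, and the 64 KiB (16-page) upper bound on a decompressed block. The sample file is constructed inside the code and is not a real dump; the zeroed-header case from the Volatility note is exercised because the block scanner does not depend on the header at all.

```python
import struct

XPRESS_MAGIC = b"\x81\x81xpress"   # starts every compressed block
XPRESS_HEADER_SIZE = 32            # size of _IMAGE_XPRESS_HEADER
HEADER_SIZE = 8192                 # leading region stored uncompressed
MAX_BLOCK = 16 * 4096              # assumption: a block holds at most 16 pages


def parse_po_memory_image(data):
    """First six ULONG fields of PO_MEMORY_IMAGE at offset 0 (same offsets on
    XP through 7; later fields move between versions and are not parsed)."""
    sig, version, checksum, length_self, page_self, page_size = \
        struct.unpack_from("<4sIIIII", data, 0)
    if sig not in (b"hibr", b"wake"):
        # A fully zeroed header lands here as well.
        raise ValueError("no hibr/wake signature at offset 0: %r" % sig)
    return {"signature": sig, "version": version, "checksum": checksum,
            "length_self": length_self, "page_self": page_self,
            "page_size": page_size}


def xpress_decode(buf, max_out=MAX_BLOCK):
    """LZ77 Xpress decoder. A 32-bit flag word covers 32 tokens: bit 0 means a
    literal byte, bit 1 a 16-bit match (offset-1)<<3 | (length-3); lengths
    of 10 or more continue in a shared nibble byte, a byte, then a word."""
    out = bytearray()
    pos = flags = flag_count = 0
    nibble_pos = 0  # offset of a half-used length nibble byte, 0 = none pending
    while pos < len(buf) and len(out) < max_out:
        if flag_count == 0:
            flags = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
            flag_count = 32
        flag_count -= 1
        if not (flags >> flag_count) & 1:
            out.append(buf[pos])
            pos += 1
            continue
        if pos >= len(buf):  # a set flag with no data left ends the stream
            break
        match = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        offset = (match >> 3) + 1
        length = match & 7
        if length == 7:
            if nibble_pos == 0:
                nibble_pos = pos
                length = buf[pos] & 0x0F
                pos += 1
            else:
                length = buf[nibble_pos] >> 4
                nibble_pos = 0
            if length == 15:
                length = buf[pos]
                pos += 1
                if length == 255:
                    length = struct.unpack_from("<H", buf, pos)[0]
                    pos += 2
                    if length < 15 + 7:
                        raise ValueError("invalid long match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("match offset reaches before the block start")
        for _ in range(length):  # byte-wise copy so overlapping matches work
            out.append(out[-offset])
    return bytes(out)


def iter_xpress_blocks(data, start=HEADER_SIZE):
    """Yield (file_offset, compressed_bytes) for each block after the header.
    Blocks are found by magic, not via the PO_MEMORY_RANGE_ARRAY tables, so a
    zeroed PO_MEMORY_IMAGE header does not stop the scan.
    Assumption (from Volatility's hibernation address space): bits 10..31 of
    the little-endian DWORD at header offset 8 hold (compressed size - 1)."""
    pos = data.find(XPRESS_MAGIC, start)
    while pos != -1:
        info = struct.unpack_from("<I", data, pos + 8)[0]
        comp_size = (info >> 10) + 1
        body_start = pos + XPRESS_HEADER_SIZE
        yield pos, data[body_start:body_start + comp_size]
        pos = data.find(XPRESS_MAGIC, body_start + comp_size)


def build_sample_hiberfil():
    """Constructed input, not a real dump: 'hibr' header padded to 8192 bytes,
    then one hand-encoded block expanding to b'abcabcabcabc' + 40 * b'A'."""
    header = struct.pack("<4sIIIII", b"hibr", 0, 0, 0, 0, 4096).ljust(HEADER_SIZE, b"\0")
    payload = (b"\x00\x00\x00\x14"   # flags: lit, lit, lit, match, lit, match
               b"abc"                # three literals
               b"\x16\x00"           # match: offset 3, length 6 + 3 = 9
               b"A"                  # literal
               b"\x07\x00\x0f\x0e")  # match: offset 1, length 3+7+15+14 = 39
    info = (len(payload) - 1) << 10
    block_hdr = (XPRESS_MAGIC + struct.pack("<I", info)).ljust(XPRESS_HEADER_SIZE, b"\0")
    return header + block_hdr + payload


if __name__ == "__main__":
    sample = build_sample_hiberfil()
    print(parse_po_memory_image(sample))
    for off, comp in iter_xpress_blocks(sample):
        print(hex(off), xpress_decode(comp))
```

On a real file, replace build_sample_hiberfil() with open("hiberfil.sys", "rb").read() and search the decoded blocks for the text you were previously hunting in a hex editor; the strings will then be visible in the clear, which they are not in the compressed blocks on disk. The decoder stops at 16 pages per block on purpose: a corrupt or truncated length field must not be allowed to expand a block without bound.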

3

I would highly recommend you take a look at this answer from security.stackexchange.com. It shows a great way to extract the data and also gives information about the algorithm itself.

I've highlighted the important parts.

Yes, it does store it unencrypted on the disk. It's a hidden file at C:\hiberfil.sys, which will always be created on any system that has hibernation enabled. The contents are compressed using the Xpress algorithm, the documentation of which is available as a Word document from Microsoft. Matthieu Suiche did a comprehensive analysis of it as a BlackHat presentation in 2008, which you can get as a PDF. There's also a tool called MoonSols Windows Memory Toolkit that allows you to dump the contents of the file. I don't know if it lets you convert back, though. You might have to work on a way to do it yourself.

Once you've got the data out, it's possible to extract or modify data, including instructions. In terms of mitigation, your best solution is to use full-disk encryption like BitLocker or TrueCrypt.

Source

Christian

Posted 2013-10-16T12:08:07.193

Reputation: 6 571

3

Convert the hiberfil.sys file to a raw image using Volatility (http://code.google.com/p/volatility/downloads/list). The latest version as of now is 2.3.1. Specifically, you can use the following command line to first create the raw image:

vol.py -f hiberfil.sys imagecopy -O hiberfil_sys.raw

This will create a raw image for you to then run Volatility against, which will help you extract information such as processes, connections, sockets, and registry hives (just to name a few). A full list of the plugins can be found here: https://code.google.com/p/volatility/wiki/Plugins. Of course, Mandiant Redline is another tool that provides that functionality. Hope this helped.

labgeek

Posted 2013-10-16T12:08:07.193

Reputation: 102