Sunday 17 June 2018

hibernate - How to read Windows Hibernation file (hiberfil.sys) to extract data?


I need to find out what data is stored in the hibernation file by parsing it. However, till now I have only managed to do so manually, by opening it in a hex editor and then searching for text in it. I found out about the SandMan library, but there aren't any resources for it. Any idea how to read the file? Or is there any tool/library or other method to do so?



Answer



You can find a lot of information about Hiberfil.sys on the ForensicWiki page.



Although most of the data structures required to parse the file format are available in the Microsoft Windows debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche. Together with Nicolas Ruff he created a project called Sandman, which is the only open-source tool that can read and write the Windows hibernation file.



The PDF describing the Sandman project can be found here.


The creators of the Sandman project also created a tool to dump memory and the Hiberfil.sys file (and extract it from the Xpress compression format): MoonSols Windows Memory Toolkit.


Some of the other links on the ForensicWiki page don't work anymore, but here is one I found. (If you want to dive straight into the format structure you can use this resource. The header, i.e. the first 8192 bytes of the file, is not compressed, so you don't need to decompress it.)


Hibernation File Format.pdf


This last PDF and the last link on the ForensicWiki page should give you enough information about the structure of Hiberfil.sys.



Hibernation files consist of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE) and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).


The standard header exists at offset 0 of the file and is shown below. Generally, the Signature member must be either "hibr" or "wake" to be considered valid; however, in rare cases the entire PO_MEMORY_IMAGE header has been zeroed out, which can prevent analysis of the hibernation file in most tools. In those cases, Volatility will use a brute-force algorithm to locate the data it needs.



The references in those documents should give you plenty of other sources to explore too.
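A worked example of the two points above, added here and not code from the answer, from Sandman or from MoonSols: a check of the PO_MEMORY_IMAGE signature in the uncompressed 8192-byte header, and a decoder for the Xpress (plain LZ77) block format that Suiche reverse engineered, following the algorithm Microsoft later documented in MS-XCA. The sample buffers are constructed by hand; function names are my own.

```python
"""Hiberfil.sys helpers: header signature check and Xpress (plain LZ77) decoding.

Example code, not from the answer, Sandman or MoonSols. Sample data is constructed.
"""
import struct

VALID_SIGNATURES = (b"hibr", b"wake")
HEADER_SIZE = 8192  # the first 8192 bytes of hiberfil.sys are stored uncompressed


def classify_header(header: bytes) -> str:
    """Return 'hibr', 'wake', 'zeroed' (header wiped, needs brute force) or 'unknown'.
    PO_MEMORY_IMAGE.Signature is the 4 bytes at file offset 0."""
    sig = header[:4]
    if sig in VALID_SIGNATURES:
        return sig.decode("ascii")
    if not any(header[:HEADER_SIZE]):
        return "zeroed"
    return "unknown"


def xpress_decode(data: bytes) -> bytes:
    """Decompress one plain-LZ77 Xpress block (the scheme used in hiberfil.sys)."""
    out = bytearray()
    in_pos = flags = flag_count = nibble_pos = 0
    while in_pos < len(data):
        if flag_count == 0:                        # refill 32 flag bits (little endian)
            flags = struct.unpack_from("<I", data, in_pos)[0]
            in_pos += 4
            flag_count = 32
        flag_count -= 1
        if not flags & (1 << flag_count):          # clear bit: one literal byte
            out.append(data[in_pos])
            in_pos += 1
            continue
        if in_pos == len(data):                    # set bit at end of input: finished
            break
        match = struct.unpack_from("<H", data, in_pos)[0]   # 13 bits offset, 3 bits length
        in_pos += 2
        offset, length = match // 8 + 1, match % 8
        if length == 7:                            # extended length: two matches share one byte
            if nibble_pos == 0:
                nibble_pos = in_pos
                length = data[in_pos] % 16
                in_pos += 1
            else:
                length = data[nibble_pos] // 16
                nibble_pos = 0
            if length == 15:
                length = data[in_pos]
                in_pos += 1
                if length == 255:                  # 16-bit length, minus the 15 + 7 already implied
                    length = struct.unpack_from("<H", data, in_pos)[0] - 22
                    in_pos += 2
                length += 15
            length += 7
        length += 3                                # minimum match length is 3
        for _ in range(length):                    # byte-wise copy so overlapping matches work
            out.append(out[-offset])
    return bytes(out)


# constructed block: flags, literals "abc", then a match (offset 3, length 6)
SAMPLE_BLOCK = bytes.fromhex("ffffff1f" "616263" "1300")
```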

