How to read Windows Hibernation file (hiberfil.sys) to extract data?
I need to find what all data is stored in the hibernation file by parsing it. However, till now, I have only managed to do so manually by opening it in a Hex editor and then searching for texts in it. I found about SandMan Library but there are not any resources present. Any idea how to read the file? Or is there any tool/library or other method to do so?
You can find a lot of information about the
Hiberfil.sys on the ForensicWiki page.
Although most of the data structures required to parse the file format are available in the Microsoft Windows debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche. He created with Nicolas Ruff a project called Sandman is the only open-source tool that can read and write the Windows hibernation file.
The pdf of project Sandman is found here.
The creators of the Sandman project also created a tool to dump the memory and
Hiberfil.sys-file (and extract it from the XPress compression-format). MoonSols Windows Memory Toolkit
Some of the other links on the ForensicWiki-page don’t work anymore but here is one i found: (If you want to dive straight in the format-structure you can use this resource. For the header, the first 8192 bytes of the file, you don’t need to uncompress them)
This last PDF and the last link on the ForensicWiki-page should give you enough information about the structure of the
Hibernation files consist of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE) and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).
The standard header exists at offset 0 of the file and is shown below. Generally, the Signature member must be either “hibr” or “wake” to be considered valid, however in rare cases the entire PO_MEMORY_IMAGE header has been zeroed out, which can prevent analysis of the hibernation file in most tools. In those cases, volatility will use a brute force algorithm to locate the data it needs.
The references in those documents should give you plenty of other sources to explore too.
I would highly recommend you to take a look at this answer from security.stackexchange.com. It shows a great way, how to extract the data and also information about the algorithm itself.
I’ve highlighted the important parts.
Yes, it does store it unencrypted on the disk. It’s a hidden file at
C:\hiberfil.sys, which will always be created on any system that has
hibernation enabled. The contents are compressed using the Xpress
algorithm, the documentation of which is available as a Word document
from Microsoft. Matthieu Suiche did a comprehensive analysis of it
as a BlackHat presentation in 2008, which you can get as a PDF.
There’s also a tool called MoonSols Windows Memory Toolkit that
allows you to dump the contents of the file. I don’t know if it lets
you convert back, though. You might have to work on a way to do it
Once you’ve got the data out, it’s possible to extract or modify data,
including instructions. In terms of mitigation, your best solution is
to use full-disk encryption like BitLocker or TrueCrypt.
Convert the hiberfil.sys file to a raw image using http://code.google.com/p/volatility/downloads/list. The latest version as of now is 2.3.1. Specifically, you can use the following command line to first create the raw image: -f imagecopy -O hiberfil_sys.raw. This will create a raw image for you to then run volatility against which will help you extract information such as process, connections, sockets, and registry hives (just to name a few). A full list of the plugins can be found here: https://code.google.com/p/volatility/wiki/Plugins. Of course, mandiant redline is another tool that does provide that functionality. Hope this helped.
Our Awesome Tools
- Check your IP Address precisely
- Online JSON Formatter with Syntax Highlight
- Online CSS Minifier Compressor