This is a pretty new tool and a very cool one, Hibernation is a fairly new feature for Windows so it’s good to see a new tool targeting that.
Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.
One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.
The hibernation file opens two valuable doors:
The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.
The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.
Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.
For a good explanation and technical info I suggest you read the whitepaper:
SandMan Project, Whitepaper [PDF]
You can download Sandman here:
Or read more here.
*collects acorns and burrows underground for winter*
That sounds like the Save State option in Virtual PC; though I’ve never looked in its files to see what form it stores the saved state in.
I’ve seen Hibernate on some machines as a shutdown option for a while – I had thought it was actually some power-saving / power-down feature.
No antivirus can help?
Jinesh,
As this is an offline, forensic discovery, no, AV will not help. It is possible that some AV vendors will start detecting the library as malware but it’s not something that will ‘infect’ your machine unless it’s functionality can be leveraged by an attacker in which case at attacker may include it as part of an upload.
Any documentation of the functions in this code? The comments are…well…pretty much non-existant and while I get some of what is going on, sure would be nice if there was a flowchart or something that explained the general procedure you are trying to follow with like getting the physical addresses and such.
OH, and of course it doesn’t work for me which is why I need to go through the source in the first place. I am kind of bummed. I really just wanted a quick utility that could dump the memory contents so i could compare with what I am getting in my hiber stack hook driver.
The sandman.lib is built with a compiler that is older than what I am using and VS 2005 complains. Would have been nice if you had included a project for the lib. I spent more time than I liked creating a new lib and such just to find out this all doesn’t work.
It’s free which is nice but not so much if it doesn’t work. I think I may be better off writing my own. Kinda frustrating…I have yet to find ANY free software that works except Mozilla sometimes. Don’t know what all the fuss is about with this free stuff.
But, at least you have laid the groundwork for what could be working code. Kudos on that.