Sandman – Read the Windows Hibernation File


This is a pretty new tool and a very cool one. Hibernation is a fairly new feature for Windows, so it’s good to see a new tool targeting it.

Microsoft provides a feature called Hibernation, also known as suspend to disk, which saves the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the operating system, and it is restored the next time the computer is powered on. Live forensic analysis uses a physical memory dump to recover information about the targeted machine.

One of the main problems is obtaining a readable physical memory dump, and hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages: system activity is totally frozen, so coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first is forensic analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump, but the main issue was how to read hiberfil.sys. This is why SandMan was born.

The second is a new concept we will be introducing called “offensics”, a portmanteau of “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C library that aims to read the hibernation file, regardless of Windows version. It thus makes it possible to do live forensic analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.


4 Responses to Sandman – Read the Windows Hibernation File

  1. zupakomputer May 6, 2008 at 6:09 pm #

    *collects acorns and burrows underground for winter*

    That sounds like the Save State option in Virtual PC; though I’ve never looked in its files to see what form it stores the saved state in.

    I’ve seen Hibernate on some machines as a shutdown option for a while – I had thought it was actually some power-saving / power-down feature.

  2. Jinesh Doshi May 21, 2008 at 11:31 am #

    No antivirus can help?

  3. Bogwitch May 21, 2008 at 3:26 pm #

    Jinesh,

    As this is an offline, forensic discovery, no, AV will not help. It is possible that some AV vendors will start detecting the library as malware but it’s not something that will ‘infect’ your machine unless its functionality can be leveraged by an attacker in which case an attacker may include it as part of an upload.

  4. Joe Gorenzi August 1, 2008 at 11:22 pm #

    Any documentation of the functions in this code? The comments are…well…pretty much non-existent and while I get some of what is going on, sure would be nice if there was a flowchart or something that explained the general procedure you are trying to follow with like getting the physical addresses and such.

    OH, and of course it doesn’t work for me which is why I need to go through the source in the first place. I am kind of bummed. I really just wanted a quick utility that could dump the memory contents so I could compare with what I am getting in my hiber stack hook driver.

    The sandman.lib is built with a compiler that is older than what I am using and VS 2005 complains. Would have been nice if you had included a project for the lib. I spent more time than I liked creating a new lib and such just to find out this all doesn’t work.

    It’s free which is nice but not so much if it doesn’t work. I think I may be better off writing my own. Kinda frustrating…I have yet to find ANY free software that works except Mozilla sometimes. Don’t know what all the fuss is about with this free stuff.

    But, at least you have laid the groundwork for what could be working code. Kudos on that.