Sandman – Read the Windows Hibernation File


This is a pretty new tool and a very cool one, Hibernation is a fairly new feature for Windows so it’s good to see a new tool targeting that.

Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.

One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Posted in: Hacking Tools, Windows Hacking

,


Latest Posts:


RandIP - Network Mapper To Find Servers RandIP – Network Mapper To Find Servers
RandIP is a nim-based network mapper application that generates random IP addresses and uses sockets to test whether the connection is valid or not with additional tests for Telnet and SSH.
Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.


4 Responses to Sandman – Read the Windows Hibernation File

  1. zupakomputer May 6, 2008 at 6:09 pm #

    *collects acorns and burrows underground for winter*

    That sounds like the Save State option in Virtual PC; though I’ve never looked in its files to see what form it stores the saved state in.

    I’ve seen Hibernate on some machines as a shutdown option for a while – I had thought it was actually some power-saving / power-down feature.

  2. Jinesh Doshi May 21, 2008 at 11:31 am #

    No antivirus can help?

  3. Bogwitch May 21, 2008 at 3:26 pm #

    Jinesh,

    As this is an offline, forensic discovery, no, AV will not help. It is possible that some AV vendors will start detecting the library as malware but it’s not something that will ‘infect’ your machine unless it’s functionality can be leveraged by an attacker in which case at attacker may include it as part of an upload.

  4. Joe Gorenzi August 1, 2008 at 11:22 pm #

    Any documentation of the functions in this code? The comments are…well…pretty much non-existant and while I get some of what is going on, sure would be nice if there was a flowchart or something that explained the general procedure you are trying to follow with like getting the physical addresses and such.

    OH, and of course it doesn’t work for me which is why I need to go through the source in the first place. I am kind of bummed. I really just wanted a quick utility that could dump the memory contents so i could compare with what I am getting in my hiber stack hook driver.

    The sandman.lib is built with a compiler that is older than what I am using and VS 2005 complains. Would have been nice if you had included a project for the lib. I spent more time than I liked creating a new lib and such just to find out this all doesn’t work.

    It’s free which is nice but not so much if it doesn’t work. I think I may be better off writing my own. Kinda frustrating…I have yet to find ANY free software that works except Mozilla sometimes. Don’t know what all the fuss is about with this free stuff.

    But, at least you have laid the groundwork for what could be working code. Kudos on that.