Sandman – Read the Windows Hibernation File

Use Netsparker


This is a pretty new tool and a very cool one, Hibernation is a fairly new feature for Windows so it’s good to see a new tool targeting that.

Microsoft provides a feature called Hibernation also know as suspend to disk that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the Operating System and aims to be restored by the user the next time the computer is powered on. Live forensics analysis is used to use physical memory dump to recover information on the targeted machine.

One of the main problems is to obtain a readable physical memory dump, hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.

The hibernation file opens two valuable doors:

The first one is forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: How to read the hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing and called “offensics” which is a portmanteau from “offensive” and “forensics”. If we can read hiberfil.sys, can we rewrite it? The answer is: Yes, with SandMan you can.

Sandman is a C Library that aims to read the hibernation file, regardless of Windows version. Thus, it makes possible to do forensics live analysis on the dumped file.

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Posted in: Hacking Tools, Windows Hacking

,


Latest Posts:


snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.
QualysGuard - Vulnerability Management Tool QualysGuard – Vulnerability Management Tool
QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc, which was the first company to deliver vulnerability management services as a SaaS-based web-service.


4 Responses to Sandman – Read the Windows Hibernation File

  1. zupakomputer May 6, 2008 at 6:09 pm #

    *collects acorns and burrows underground for winter*

    That sounds like the Save State option in Virtual PC; though I’ve never looked in its files to see what form it stores the saved state in.

    I’ve seen Hibernate on some machines as a shutdown option for a while – I had thought it was actually some power-saving / power-down feature.

  2. Jinesh Doshi May 21, 2008 at 11:31 am #

    No antivirus can help?

  3. Bogwitch May 21, 2008 at 3:26 pm #

    Jinesh,

    As this is an offline, forensic discovery, no, AV will not help. It is possible that some AV vendors will start detecting the library as malware but it’s not something that will ‘infect’ your machine unless it’s functionality can be leveraged by an attacker in which case at attacker may include it as part of an upload.

  4. Joe Gorenzi August 1, 2008 at 11:22 pm #

    Any documentation of the functions in this code? The comments are…well…pretty much non-existant and while I get some of what is going on, sure would be nice if there was a flowchart or something that explained the general procedure you are trying to follow with like getting the physical addresses and such.

    OH, and of course it doesn’t work for me which is why I need to go through the source in the first place. I am kind of bummed. I really just wanted a quick utility that could dump the memory contents so i could compare with what I am getting in my hiber stack hook driver.

    The sandman.lib is built with a compiler that is older than what I am using and VS 2005 complains. Would have been nice if you had included a project for the lib. I spent more time than I liked creating a new lib and such just to find out this all doesn’t work.

    It’s free which is nice but not so much if it doesn’t work. I think I may be better off writing my own. Kinda frustrating…I have yet to find ANY free software that works except Mozilla sometimes. Don’t know what all the fuss is about with this free stuff.

    But, at least you have laid the groundwork for what could be working code. Kudos on that.