Sandman – Read the Windows Hibernation File

This is a pretty new tool and a very cool one. Hibernation itself is not new (Windows has supported it since Windows 2000), but tools that can actually parse what it writes to disk are, so it's good to see one targeting that.

Microsoft provides a feature called Hibernation, also known as suspend-to-disk, which saves the system state into an undocumented file called hiberfil.sys. This file holds the contents of physical memory as saved by the operating system, to be restored the next time the computer is powered on. Live forensic analysis uses a physical memory dump to recover information from the targeted machine; the hibernation file is exactly such a dump, except that it is stored in an undocumented, compressed layout rather than as a raw image, so it cannot simply be loaded into a memory-analysis tool as-is.

One of the main problems is obtaining a readable physical memory dump, and hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages: system activity is totally frozen, so the data acquired is coherent, and no software running on the target (a rootkit or anti-forensics tool included) can block the analysis, because the analysis happens offline on the file. The system is left perfectly functional after analysis, with no side effects. The one caveat is that the file only reflects the state at the moment of the last hibernation; anything that happened after the machine resumed is not in it.

The hibernation file opens two valuable doors:

The first one is forensic analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump, but the main issue has always been: how do you read hiberfil.sys? This is why SandMan was born.

The second one is a new concept we will be introducing, called "offensics", a portmanteau of "offensive" and "forensics". If we can read hiberfil.sys, can we rewrite it? The answer is yes: with SandMan you can. The security-relevant point is that the kernel trusts the file's contents when it resumes, so whoever can write to hiberfil.sys while the system is powered off (physical access, a boot from other media) can alter the memory image that will be restored without ever touching the running OS. If offline attackers are in your threat model, the file needs the same protection as the rest of the system volume; full-disk encryption such as BitLocker covers it, a plain NTFS ACL does not.

Sandman is a C library that aims to read the hibernation file regardless of Windows version (at the time of its release that meant Windows XP and Vista; later Windows releases changed the file's layout and compression, so a 2008 parser should not be assumed to handle them). It thus makes it possible to perform forensic analysis on the file as if it were a live memory dump.
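Reading hiberfil.sys comes down to finding its compressed blocks and decoding them back into physical pages. As an added example, not part of the original post and not SandMan's own code, here is a decoder for the Xpress "plain LZ77" block format as specified in Microsoft's MS-XCA document, which is the compression the XP/Vista/7 hibernation file applies to its saved pages. It assumes the compressed payload has already been located inside the file (the block header and the page table that says where each decoded page belongs are not shown), and the two test vectors are the worked examples from the MS-XCA specification, not data taken from this page.

```python
import struct

# Added example, not SandMan's code: the MS-XCA "plain LZ77" decoder, i.e. the
# Xpress compression that XP/Vista/7 hiberfil.sys applies to its saved pages.
# Locating the compressed blocks inside the file is assumed to be done already.


class XpressError(ValueError):
    """Raised when the compressed stream is malformed or truncated."""


def xpress_decompress(data: bytes, max_out: int = 64 * 1024) -> bytes:
    """Decode one Xpress (MS-XCA plain LZ77) buffer.

    Every group of up to 32 tokens is preceded by a 32-bit little-endian flag
    word, consumed from bit 31 downwards: a 0 bit is one literal byte, a 1 bit
    is a back-reference stored as a 16-bit word (offset-1 in the high 13 bits,
    length-3 in the low 3 bits) with optional length-extension bytes.  A 1 bit
    with no input left terminates the stream.  max_out caps the output so a
    crafted stream cannot make the decoder grow its buffer without bound.
    """
    out = bytearray()
    n = len(data)
    in_pos = 0
    flags = 0
    flag_count = 0
    last_len_half = 0  # input offset of a pending high length nibble, 0 = none

    def need(count: int) -> None:
        # Bounds check before every read: a crafted hiberfil must not crash us.
        if in_pos + count > n:
            raise XpressError("truncated stream at offset %d" % in_pos)

    while True:
        if flag_count == 0:
            need(4)
            flags = struct.unpack_from("<I", data, in_pos)[0]
            in_pos += 4
            flag_count = 32
        flag_count -= 1

        if not flags & (1 << flag_count):
            need(1)
            out.append(data[in_pos])
            in_pos += 1
            continue

        if in_pos == n:
            return bytes(out)  # match flag with no data left: end of stream

        need(2)
        match = struct.unpack_from("<H", data, in_pos)[0]
        in_pos += 2
        length = match & 7
        offset = (match >> 3) + 1

        if length == 7:
            # Extended length: a nibble shared by two matches, then whole bytes.
            if last_len_half == 0:
                need(1)
                length = data[in_pos] & 0x0F
                last_len_half = in_pos
                in_pos += 1
            else:
                length = data[last_len_half] >> 4
                last_len_half = 0
            if length == 15:
                need(1)
                length = data[in_pos]
                in_pos += 1
                if length == 255:
                    need(2)
                    length = struct.unpack_from("<H", data, in_pos)[0]
                    in_pos += 2
                    if length == 0:
                        need(4)
                        length = struct.unpack_from("<I", data, in_pos)[0]
                        in_pos += 4
                    if length < 15 + 7:
                        raise XpressError("invalid extended match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3

        if offset > len(out):
            raise XpressError("match offset %d reaches before output start" % offset)
        if len(out) + length > max_out:
            raise XpressError("output would exceed %d bytes" % max_out)
        for _ in range(length):  # byte-wise so overlapping (RLE-style) matches work
            out.append(out[-offset])


# Worked examples from the MS-XCA specification, not from this page: 26 plain
# literals, then a 300-byte "abc" run folded into a single back-reference that
# uses the nibble, byte and 16-bit length extensions.
SPEC_EXAMPLE_1 = bytes.fromhex(
    "3f000000" "6162636465666768696a6b6c6d6e6f707172737475767778797a"
)
SPEC_EXAMPLE_2 = bytes.fromhex("ffffff1f" "616263" "1700" "0f" "ff" "2601")

if __name__ == "__main__":
    print(xpress_decompress(SPEC_EXAMPLE_1))
    run = xpress_decompress(SPEC_EXAMPLE_2)
    print(len(run), run[:12])
```

A hiberfil reader walks the file's compressed blocks, hands each payload to this function and writes the resulting pages to the physical addresses recorded alongside the block. The bounds checks are not decoration: a hand-edited hiberfil.sys, which is exactly what the "offensics" idea above produces, is the input such a parser has to survive, and an unchecked back-reference or length field is the classic way a decompressor gets turned into a memory-corruption bug.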

For a good explanation and technical info I suggest you read the whitepaper:

SandMan Project, Whitepaper [PDF]

You can download Sandman here:

SandMan-1.0.080226.zip

Or read more here.

Posted in: Hacking Tools, Windows Hacking


4 Responses to Sandman – Read the Windows Hibernation File

  1. zupakomputer May 6, 2008 at 6:09 pm #

    *collects acorns and burrows underground for winter*

    That sounds like the Save State option in Virtual PC; though I’ve never looked in its files to see what form it stores the saved state in.

    I’ve seen Hibernate on some machines as a shutdown option for a while – I had thought it was actually some power-saving / power-down feature.

  2. Jinesh Doshi May 21, 2008 at 11:31 am #

    No antivirus can help?

  3. Bogwitch May 21, 2008 at 3:26 pm #

    Jinesh,

    As this is an offline, forensic discovery, no, AV will not help. It is possible that some AV vendors will start detecting the library as malware, but it's not something that will 'infect' your machine unless its functionality can be leveraged by an attacker, in which case an attacker may include it as part of an upload.

  4. Joe Gorenzi August 1, 2008 at 11:22 pm #

    Any documentation of the functions in this code? The comments are…well…pretty much non-existent and, while I get some of what is going on, it sure would be nice if there was a flowchart or something that explained the general procedure you are trying to follow, like getting the physical addresses and such.

    OH, and of course it doesn't work for me, which is why I need to go through the source in the first place. I am kind of bummed. I really just wanted a quick utility that could dump the memory contents so I could compare with what I am getting in my hiber stack hook driver.

    The sandman.lib is built with a compiler that is older than what I am using and VS 2005 complains. Would have been nice if you had included a project for the lib. I spent more time than I liked creating a new lib and such just to find out this all doesn’t work.

    It’s free which is nice but not so much if it doesn’t work. I think I may be better off writing my own. Kinda frustrating…I have yet to find ANY free software that works except Mozilla sometimes. Don’t know what all the fuss is about with this free stuff.

    But, at least you have laid the groundwork for what could be working code. Kudos on that.