How to read Windows Hibernation file (hiberfil.sys) to extract forensic data?
The hibernation file (hiberfil.sys) is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process.
The operating system also keeps an open handle to this file, so no user, not even the Administrator, can read it while the system is running; it has to be extracted from a disk image or with a dedicated tool such as FTK Imager.
Although it is often assumed otherwise, the size of hiberfil.sys does not map one-to-one to the available or total RAM of the machine.
In fact, a hibernation file consists of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE), and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).
The standard header sits at offset 0 of the file, and its Signature member must be either "hibr" or "wake" for the file to be considered valid. In rare cases, however, the entire PO_MEMORY_IMAGE header has been zeroed out, which prevents most tools from analysing the hibernation file.
In those cases Volatility uses a brute-force algorithm to locate the data it needs.
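As an added example (not code from the original post or from the Volatility project), the following Python triage script applies the two checks described above to a hibernation file before it is handed to a memory forensics tool: it reads the PO_MEMORY_IMAGE signature at offset 0, recognises the zeroed-header case, and falls back to scanning for the `\x81\x81xpress` magic that starts each _IMAGE_XPRESS_HEADER (the signature Volatility's hibernation address space searches for). The sample bytes are constructed inline so the script runs without a real hiberfil.sys.

```python
import os

PAGE_SIZE = 0x1000
VALID_SIGNATURES = (b"hibr", b"wake")   # PO_MEMORY_IMAGE.Signature values named in the post
XPRESS_SIG = b"\x81\x81xpress"          # magic at the start of every _IMAGE_XPRESS_HEADER


def header_state(data: bytes) -> str:
    """Classify the PO_MEMORY_IMAGE header found at offset 0 of the file."""
    sig = data[:4]
    if sig in VALID_SIGNATURES:
        return "valid:" + sig.decode("ascii")
    # Whole first page zeroed: the case where signature-based parsing fails
    if not any(data[:PAGE_SIZE]):
        return "zeroed"
    return "unknown"


def find_xpress_blocks(data: bytes) -> list:
    """Brute-force scan for Xpress block headers; this is the fallback
    when the standard header is unusable. Returns the file offsets."""
    offsets = []
    pos = data.find(XPRESS_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_SIG, pos + len(XPRESS_SIG))
    return offsets


def triage(data: bytes) -> dict:
    """Summary a practitioner wants before running imagecopy on the file."""
    return {
        "header": header_state(data),
        "xpress_blocks": find_xpress_blocks(data),
        "size_pages": len(data) // PAGE_SIZE,
    }


def build_sample(zero_header: bool = False) -> bytes:
    """Constructed two-page stand-in for hiberfil.sys (not real hibernation data)."""
    header = bytearray(PAGE_SIZE)
    if not zero_header:
        header[:4] = b"hibr"
    page = bytearray(PAGE_SIZE)
    page[0:8] = XPRESS_SIG            # block header at start of page 1
    page[0x800:0x808] = XPRESS_SIG    # second block header half a page later
    return bytes(header + page)


if __name__ == "__main__":
    path = os.environ.get("HIBERFIL")  # hypothetical env var pointing at a real file
    blob = open(path, "rb").read() if path else build_sample()
    print(triage(blob))
```

On a real file with a valid header the Xpress offsets are still worth comparing against what the standard parser finds; a mismatch points at damaged or partially overwritten structures.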
The Xpress compression algorithm
The Xpress algorithm was implemented by the Microsoft Exchange team and is used in the LDAP protocol, in the Microsoft embedded OS Windows CE, and in the Windows Imaging format (WIM).
According to the Microsoft Exchange documentation, the Xpress algorithm is:
- LZ77 + DIRECT2
- LZ77 for compression and DIRECT2 to encode byte positions in the metadata
Xpress has been publicly documented since the Microsoft Interoperability Initiative.
How to convert hiberfil.sys into a raw memory image for Volatility analysis?
Pretty simple, using the imagecopy Volatility plugin:
$ vol.py imagecopy -f hiberfil.sys -O hiber.img --profile=Win7SP1x64
Volatility Foundation Volatility Framework 2.6
Writing data (5.00 MB chunks): |..........................|
Now the hiber.img file can be analyzed with the usual methodology.