How to read Windows hibernation file (hiberfil.sys) to extract data?
You can find a lot of information about the Hiberfil.sys
on the ForensicWiki page.
Although most of the data structures required to parse the file format are available in the Microsoft Windows debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche. He created with Nicolas Ruff a project called Sandman is the only open-source tool that can read and write the Windows hibernation file.
The pdf of project Sandman is found here.
The creators of the Sandman project also created a tool to dump the memory and Hiberfil.sys
-file (and extract it from the XPress compression-format). MoonSols Windows Memory Toolkit
Some of the other links on the ForensicWiki-page don't work anymore but here is one i found: (If you want to dive straight in the format-structure you can use this resource. For the header, the first 8192 bytes of the file, you don't need to uncompress them)
Hibernation File Format.pdf
This last PDF and the last link on the ForensicWiki-page should give you enough information about the structure of the Hiberfil.sys
.
Hibernation files consist of a standard header (PO_MEMORY_IMAGE), a set of kernel contexts and registers such as CR3 (_KPROCESSOR_STATE) and several arrays of compressed/encoded Xpress data blocks (_IMAGE_XPRESS_HEADER and _PO_MEMORY_RANGE_ARRAY).
The standard header exists at offset 0 of the file and is shown below. Generally, the Signature member must be either "hibr" or "wake" to be considered valid, however in rare cases the entire PO_MEMORY_IMAGE header has been zeroed out, which can prevent analysis of the hibernation file in most tools. In those cases, volatility will use a brute force algorithm to locate the data it needs.
The references in those documents should give you plenty of other sources to explore, too.
I would highly recommend you to take a look at this answer from security.stackexchange.com. It shows a great way, how to extract the data and also information about the algorithm itself.
I've highlighted the important parts.
Yes, it does store it unencrypted on the disk. It's a hidden file at
C:\hiberfil.sys
, which will always be created on any system that has hibernation enabled. The contents are compressed using the Xpress algorithm, the documentation of which is available as a Word document from Microsoft. Matthieu Suiche did a comprehensive analysis of it as a BlackHat presentation in 2008, which you can get as a PDF. There's also a tool called MoonSols Windows Memory Toolkit that allows you to dump the contents of the file. I don't know if it lets you convert back, though. You might have to work on a way to do it yourself.Once you've got the data out, it's possible to extract or modify data, including instructions. In terms of mitigation, your best solution is to use full-disk encryption like BitLocker or TrueCrypt.
Source
Convert the hiberfil.sys file to a raw image using http://code.google.com/p/volatility/downloads/list. The latest version as of now is 2.3.1. Specifically, you can use the following command line to first create the raw image: -f imagecopy -O hiberfil_sys.raw. This will create a raw image for you to then run volatility against which will help you extract information such as process, connections, sockets, and registry hives (just to name a few). A full list of the plugins can be found here: https://code.google.com/p/volatility/wiki/Plugins. Of course, mandiant redline is another tool that does provide that functionality. Hope this helped.