An anonymous reader writes:
Matthieu Suiche writes:
For Windows 2000, Microsoft provides a feature called Hibernation, also known as suspend to disk, that aims to save the system state into an undocumented file called hiberfil.sys. This file contains all the physical memory saved by the operating system and is meant to be restored the next time the user powers on the computer. Live forensics analysis uses a physical memory dump to recover information on the targeted machine. One of the main problems is to obtain a readable physical memory dump; hibernation is an efficient way to save and load physical memory. Hibernation analysis has notable advantages. System activity is totally frozen, therefore coherent data is acquired and no software tool is able to block the analysis. The system is left perfectly functional after analysis, with no side effects.
The hibernation file opens two valuable doors. The first one is (live?) forensics analysis for defensive computing. Hibernation is an efficient and easy way to get a physical memory dump. But the main issue about it was: how to read the hiberfil.sys? That's how the idea of SandMan was born. The second one is a new concept we will introduce, called "offensics", which is a portmanteau of "offensive" and "forensics". If we can read hiberfil.sys, can we rewrite it? The answer is: yes, with SandMan you can.
SandMan is an open-source framework which makes the undocumented Windows hibernation file readable and writable. The author said that 32-bit hibernation files "from Windows XP to Windows 2008 Server" are supported so far. It is thus possible to retrieve keys/hashes used by cryptographic software present in memory if they are present during the hibernation process. Furthermore, internal structures mapped in memory which contain information like "application privilege rights" can be modified too, through the hibernation file.
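As an added example (my own code, not SandMan's and not Matthieu Suiche's), here is a minimal reader for the file format the submission is about. It checks the 4-byte signature at the start of hiberfil.sys, locates the compressed memory blocks by their magic, and decodes one block with the Xpress scheme, which is the plain LZ77 variant Microsoft later documented in MS-XCA. Everything not in the post is from my own knowledge or is constructed for the example: the signature strings ("hibr"/"wake", and the upper-case forms used by later Windows versions), the block magic, the 32-byte block header length (its size fields are deliberately not parsed here), the sample image, and the hand-encoded test streams.

```python
"""Minimal hiberfil.sys reader: signature check plus Xpress (plain LZ77) block decoding."""
import struct

# Signatures seen at offset 0 of hiberfil.sys (from general knowledge, not the post):
# "hibr" = file holds a saved memory image, "wake" = the system already resumed
# from it; Windows 8+ uses the upper-case forms. Anything else (typically zeros)
# means there is no image to analyse.
HIBER_SIGNATURES = {b"hibr": "hibernated", b"HIBR": "hibernated",
                    b"wake": "resumed", b"WAKE": "resumed"}

# Every compressed memory block starts with this 8-byte magic; the block header
# is taken to be 0x20 bytes long (assumed constant, verify against your own dump).
XPRESS_MAGIC = b"\x81\x81xpress"
XPRESS_HEADER_SIZE = 0x20


def hiber_state(data):
    """Classify a hiberfil image by its 4-byte signature."""
    return HIBER_SIGNATURES.get(bytes(data[:4]), "no image")


def find_xpress_blocks(data):
    """Return the file offsets of every Xpress block magic."""
    offsets, pos = [], data.find(XPRESS_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_MAGIC, pos + len(XPRESS_MAGIC))
    return offsets


def xpress_decompress(src, start=0, max_out=0x10000):
    """Decode one Xpress / MS-XCA plain-LZ77 stream starting at src[start].

    32-bit flag words are consumed MSB first: a 0 bit announces a literal byte,
    a 1 bit a (length, distance) match. A match flag with no input left is the
    end marker. Returns (decoded_bytes, bytes_consumed).
    """
    out = bytearray()
    pos, end = start, len(src)
    flags, flag_count = 0, 0
    nibble_pos = 0          # offset of a half-used length nibble byte, 0 = none
    while len(out) < max_out:
        if flag_count == 0:
            flags = struct.unpack_from("<I", src, pos)[0]
            pos += 4
            flag_count = 32
        flag_count -= 1
        if not flags & (1 << flag_count):
            out.append(src[pos])            # literal
            pos += 1
            continue
        if pos == end:
            break                           # end-of-stream marker
        token = struct.unpack_from("<H", src, pos)[0]
        pos += 2
        length = token & 7
        distance = (token >> 3) + 1
        if length == 7:                     # length extension: one nibble ...
            if nibble_pos == 0:
                nibble_pos = pos
                length = src[pos] & 0x0F
                pos += 1
            else:
                length = src[nibble_pos] >> 4
                nibble_pos = 0
            if length == 15:                # ... then a byte, then a 16-bit word
                length = src[pos]
                pos += 1
                if length == 255:
                    length = struct.unpack_from("<H", src, pos)[0]
                    pos += 2
                    if length < 15 + 7:
                        raise ValueError("corrupt length field")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if distance > len(out):
            raise ValueError("match distance points before start of block")
        for _ in range(length):             # overlapping copy, byte by byte
            out.append(out[-distance])
    return bytes(out), pos - start


# Constructed sample image (not a real dump): a "hibr" header page followed by
# one Xpress block whose payload is the hand-encoded stream for "ABCABCABCABC"
# (literals A, B, C then a match of distance 3 and length 9, then end marker).
SAMPLE_STREAM = b"\x00\x00\x00\x18ABC\x16\x00"
SAMPLE_IMAGE = (b"hibr" + b"\x00" * (0x1000 - 4)
                + XPRESS_MAGIC + b"\x00" * (XPRESS_HEADER_SIZE - len(XPRESS_MAGIC))
                + SAMPLE_STREAM)


def read_first_block(image):
    """Refuse files without a live image, then decode the first Xpress block."""
    if hiber_state(image) != "hibernated":
        raise ValueError("file holds no hibernation image")
    blocks = find_xpress_blocks(image)
    if not blocks:
        raise ValueError("no Xpress blocks found")
    data, _ = xpress_decompress(image, start=blocks[0] + XPRESS_HEADER_SIZE)
    return data


if __name__ == "__main__":
    print(hiber_state(SAMPLE_IMAGE), find_xpress_blocks(SAMPLE_IMAGE), read_first_block(SAMPLE_IMAGE))
```

The signature check is the first thing to do on a seized machine: a "wake" or zeroed header means the image was already consumed by a resume and the file is mostly stale. The "offensics" direction described in the post is the same pipeline in reverse (decode a block, patch the bytes, re-encode and write it back); the compressor is not included here.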