Thursday, January 31, 2008

Enter Sandman

You're probably wondering, "Since when did Metallica have anything to do with Windows forensics?"

My answer to that is...since ALWAYS!

Okay...enough of that. The Sandman I'm referring to isn't the one from the Metallica song. Rather, this one has to do with the Windows hibernation file (get it? "sleep". "Sandman". get it? no...you don't...). Evidently Nicholas and Matthieu have been working on a C library for reading/writing the Windows hibernation file. This sounds really cool, and it looks as if they're going to include Python bindings, as well as a couple of sample apps, one of which will reportedly convert a hibernation file into a dd-style memory dump. Very cool. Keep in mind, however, that a hibernation file doesn't contain the current contents of memory, but rather the contents of memory from when the file was created.
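As an added illustration of that caveat (this is example code, not from the post or from the Sandman project): the hibernation file starts with its own header, whose signature tells you whether the image is valid and whose timestamp is the moment the snapshot was taken, i.e. the "when the file was created" an examiner should record. The header layout used here (signature at 0, page size at 0x14, FILETIME at 0x20, as on 32-bit XP) and the sample bytes are assumptions constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed PO_MEMORY_IMAGE layout at offset 0 of hiberfil.sys (32-bit XP);
# the field offsets below are an assumption made for this example.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, kept in integer arithmetic for precision."""
    d = dt - _EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_hiberfil_header(data):
    """Report signature state, page size and snapshot time from the header bytes."""
    if len(data) < 0x28:
        raise ValueError("header too short")
    sig = data[0:4]
    if sig == b"\x00\x00\x00\x00":
        state = "cleared"      # zeroed header: no valid hibernation image present
    elif sig.lower() == b"hibr":
        state = "hibernated"   # image written, machine not yet resumed from it
    elif sig.lower() == b"wake":
        state = "resumed"      # machine resumed; image is from the last hibernate
    else:
        raise ValueError("unrecognised signature %r" % sig)
    page_size = struct.unpack_from("<I", data, 0x14)[0]
    snapshot = filetime_to_datetime(struct.unpack_from("<Q", data, 0x20)[0])
    return {"state": state, "page_size": page_size, "system_time": snapshot}

def build_sample_header(sig, when, page_size=4096):
    """Constructed sample header (not a real file) following the assumed layout."""
    hdr = bytearray(0x40)
    hdr[0:4] = sig
    struct.pack_into("<I", hdr, 0x14, page_size)
    struct.pack_into("<Q", hdr, 0x20, datetime_to_filetime(when))
    return bytes(hdr)

# Constructed sample: a machine that hibernated at noon UTC on the post's date.
SAMPLE_HEADER = build_sample_header(
    b"wake", datetime(2008, 1, 31, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(parse_hiberfil_header(SAMPLE_HEADER))
```

A "resumed" or "hibernated" result with a timestamp well before acquisition is the reminder that the converted dump describes that earlier moment, not the live box.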

Sandman looks like a good tool to have in your kit, and I can't wait to try it out.

2 comments:

Tim said...

H,

Have you ever used Sandman? I've emailed the authors for some instructions but no luck. Please let me know!

Tim

H. Carvey said...

Tim,

How would I let you know? You didn't leave any contact information, and your "Sausage" link doesn't lead to anything...