Saturday, December 06, 2008

Windows Hibernation files

Matthieu has made his Exploiting Windows Hibernation File presentation available. For anyone interested at all in Windows memory analysis, his presentation is well worth a look. Matthieu is the first person I'm aware of to come up with a means of exploiting or taking advantage of the hibernation file as a viable source of data, and is a contributor to the Volatility framework. Other presentations and demos can be found here.
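As an added example (my own code, not part of the original post and not Matthieu's tool), here is a small triage script for the question the post and the comment thread raise: before treating hiberfil.sys as a memory source, or hibernating a live box over it, it helps to know what state the existing file is in. The script classifies the file by the signature at offset 0 and counts the compressed page blocks inside it. The magic values and the 0x20-byte block header size are assumptions taken from the published XP/Vista/7 hibernation file layout, not from this page; the sample input is constructed in the script so it runs offline.

```python
import sys

# Assumed from the published XP/Vista/7 hiberfil.sys layout (not from the
# page): the PO_MEMORY_IMAGE header starts with "hibr" when a valid image was
# written, Windows rewrites it to "wake" once the system has resumed from it,
# and a cleared file starts with zeroes. Each run of compressed pages is
# introduced by an 8-byte Xpress marker followed by a 0x20-byte block header.
SIG_HIBR = b"hibr"
SIG_WAKE = b"wake"
XPRESS_MAGIC = b"\x81\x81xpress"
XPRESS_HEADER_LEN = 0x20

ASSESSMENT = {
    "hibr": "complete image from the last hibernation; hibernating now would overwrite it",
    "wake": "system resumed from this image; header is consumed but compressed pages may remain",
    "zeroed": "file has been cleared or never written; nothing to lose by hibernating",
    "unknown": "unrecognised header; treat with care before overwriting",
}


def classify_header(data):
    """Return the hibernation state implied by the first four bytes."""
    sig = data[:4]
    if sig == SIG_HIBR:
        return "hibr"
    if sig == SIG_WAKE:
        return "wake"
    if sig == b"\x00\x00\x00\x00":
        return "zeroed"
    return "unknown"


def find_xpress_blocks(data, start=0):
    """Return the file offsets of every Xpress block marker in `data`."""
    offsets = []
    pos = data.find(XPRESS_MAGIC, start)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_MAGIC, pos + len(XPRESS_MAGIC))
    return offsets


def triage(data):
    """Summarise a hibernation file image held in memory."""
    state = classify_header(data)
    blocks = find_xpress_blocks(data)
    return {
        "state": state,
        "assessment": ASSESSMENT[state],
        "xpress_blocks": len(blocks),
        "block_offsets": blocks,
        "first_block": blocks[0] if blocks else None,
    }


def triage_file(path):
    """Triage an on-disk copy of hiberfil.sys (read whole; files are RAM-sized)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_sample(signature, blocks=2):
    """Constructed test input, not a real hiberfil.sys: the signature, zero
    padding to the first page boundary, then `blocks` Xpress blocks whose
    bodies are filler bytes rather than real compressed pages."""
    page = 0x1000
    out = bytearray(signature + b"\x00" * (page - len(signature)))
    for i in range(blocks):
        # marker plus the rest of the 0x20-byte header left zeroed
        out += XPRESS_MAGIC + b"\x00" * (XPRESS_HEADER_LEN - len(XPRESS_MAGIC))
        out += bytes([0x41 + i]) * 0x300  # filler standing in for compressed data
    return bytes(out)


if __name__ == "__main__":
    data = build_sample(SIG_HIBR) if len(sys.argv) < 2 else open(sys.argv[1], "rb").read()
    r = triage(data)
    print("state: %s (%s)" % (r["state"], r["assessment"]))
    print("xpress blocks: %d, first at offset %s" % (
        r["xpress_blocks"], hex(r["first_block"]) if r["first_block"] is not None else "n/a"))
```

Run it against a copied hiberfil.sys (copy the file from an image or with a raw-disk tool; the live file is locked) to see whether the current image is intact, already consumed by a resume, or cleared. A "wake" result is the interesting case from the presentation: the header is gone but the compressed pages are still there to be carved, which is exactly what a responder would lose by hibernating the machine again.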

5 comments:

echo6 said...

It's a cool tool :-) Glad Matthieu decided to release it.

I found it interesting that his "warm boot" attack was similar to what Adam Boileau used with his winlockpwn pythonraw tool.

Jimmy_Weg said...

I can see situations in which trained first responders could hibernate a machine to preserve memory. It's a little less complicated than acquiring RAM in the field :-). There are probably a few pros & cons to this, but the concept seems worthy of discussion.

Keydet89 said...

Jimmy,

Is that really such a good idea? If hibernation mode is enabled, would you want to overwrite the current hibernation file; if not, would you want a responder modifying the settings?

Jimmy_Weg said...

I figured that the current file would be overwritten. I guess it would be speculation to decide whether a newer dump would be better. I wouldn't want any settings edited to enable hibernation, at least not by a first responder who's not on the phone with an examiner. If the situation arose and was justified, the user could perhaps run the command and see what happened before pulling the plug. I do agree, however, that the concept isn't the best way to go, at least in the typical scenario.

Keydet89 said...

I'd prefer to acquire a current dump, and then use the current hibernation file, if there is one, to get a historical view on the system. I currently do that with the Dr Watson log file...