The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books: "Windows Forensic Analysis" (1st through 4th editions), "Windows Registry Forensics", and the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Saturday, December 06, 2008
Windows Hibernation files
Matthieu has made his "Exploiting Windows Hibernation File" presentation available. For anyone interested at all in Windows memory analysis, his presentation is well worth a look. Matthieu is the first person I'm aware of to come up with a means of exploiting, or taking advantage of, the hibernation file as a viable source of data, and he is a contributor to the Volatility framework. Other presentations and demos can be found here.
It's a cool tool :-) Glad Matthieu decided to release it.
I found it interesting that his "warm boot" attack was similar to what Adam Boileau used with his winlockpwn pythonraw tool.
I can see situations in which trained first responders could hibernate a machine to preserve memory. It's a little less complicated than acquiring RAM in the field :-). There are probably a few pros & cons to this, but the concept seems worthy of discussion.
Jimmy,
Is that really such a good idea? If hibernation mode is enabled, would you want to overwrite the current hibernation file? If not, would you want a responder modifying the settings?
I figured that the current file would be overwritten. I guess it would be speculation to decide whether a newer dump would be better. I wouldn't want any settings edited to enable hibernation, at least not by a first responder who's not on the phone with an examiner. If the situation arose and was justified, the user could perhaps run the command and see what happened before pulling the plug. I do agree, however, that the concept isn't the best way to go, at least in the typical scenario.
I'd prefer to acquire a current dump, and then use the current hibernation file, if there is one, to get a historical view on the system. I currently do that with the Dr Watson log file...
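The exchange in the comments comes down to one question a responder should be able to answer before touching anything: is hibernation enabled, and is there already a hiberfil.sys that a fresh hibernation would overwrite? The PowerShell below is an added example, not code from the post or its commenters; it assumes PowerShell 3 or later and the Vista-and-later HibernateEnabled registry value, and it reads metadata only, never the file's contents.

```powershell
# Added example (not from the post): read-only hibernation triage. It reports
# whether hibernation is enabled and whether a hiberfil.sys already exists that
# hibernating the box now would overwrite. It changes no settings and does not
# open the file itself; the live hiberfil.sys is held by the kernel and should be
# taken from a disk image, not from the running system.
function Get-HibernationTriage {
    param([string]$SystemDrive = $env:SystemDrive)

    # Vista and later record the setting here as a DWORD (1 = enabled).
    # Assumption: XP lacks this value, so it is reported as 'unknown' there.
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $setting  = Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue

    # hiberfil.sys is hidden and system; -Force is needed for Get-Item to see it.
    $hiberPath = Join-Path -Path $SystemDrive -ChildPath 'hiberfil.sys'
    $hiber     = Get-Item -LiteralPath $hiberPath -Force -ErrorAction SilentlyContinue

    # Last boot time lets the examiner relate the file's timestamp to the current session.
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    [pscustomobject]@{
        HibernateEnabled  = if ($null -eq $setting) { 'unknown' } else { [bool]$setting.HibernateEnabled }
        HiberfilPresent   = [bool]$hiber
        HiberfilPath      = $hiberPath
        HiberfilSizeMB    = if ($hiber) { [math]::Round($hiber.Length / 1MB) } else { 0 }
        HiberfilLastWrite = if ($hiber) { $hiber.LastWriteTime } else { $null }
        LastBootUpTime    = $lastBoot
        # True means a historical image is present and would be lost by hibernating now;
        # acquire RAM and image the disk first, as the last comment above suggests.
        WouldOverwrite    = [bool]$hiber
    }
}

Get-HibernationTriage | Format-List
```

Run it from an elevated prompt so the hidden system file is visible; the output is a single object, so it can be written to the responder's notes with Export-Csv or Out-File.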