Difference between revisions of "Hiberfil.sys"

From ForensicsWiki
 
hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the [[hibernation]] process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.

Although most of the data structures required to parse the file format are available in the [[Microsoft Windows]] debug symbols, the compression used (Xpress) was undocumented until it was reverse engineered by [[Matthieu Suiche]]. Together with [[Nicolas Ruff]] he created a project called [http://sandman.msuiche.net/ Sandman], which is the only open-source tool that can read and write the Windows hibernation file.

In early 2008, as part of the [http://msdn.microsoft.com/en-us/library/cc197979.aspx Windows Server Protocol Program], Microsoft released documentation on the Xpress compression algorithm in the [http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-DRSR%5D.pdf Directory Replication Service (DRS) Remote Protocol] specification (section 4.1.10.6.15, "DecompressWin2k3"). However, the pseudocode given contains numerous errors, as documented by [[Matthieu Suiche]] in a [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ blog entry].

== External Links ==

* [http://sandman.msuiche.net/docs/SandMan_Project.pdf Sandman Project], by [[Matthieu Suiche]], February 2008
* [http://msuiche.net/con/bhusa2008/Windows_hibernation_file_for_fun_%27n%27_profit-0.6.pdf Windows hibernation file for fun & profit], by [[Matthieu Suiche]]
* [http://www.msuiche.net/pres/PacSec07-slides-0.4.pdf Enter SandMan], by [[Nicolas Ruff]], [[Matthieu Suiche]]
* [http://web17.webbpro.de/downloads/Hibernation%20File%20Attack/Hibernation%20File%20Format.pdf Hibernation File Format], by [[Peter Kleissner]], 2009
* [http://jessekornblum.livejournal.com/254105.html http://jessekornblum.livejournal.com/254105.html], by [[Jesse Kornblum]], August 18, 2009
* [http://code.google.com/p/volatility/wiki/HiberAddressSpace Microsoft Hibernation Files], by [[Volatility|the Volatility project]]

=== LZ XPRESS ===

* [http://msdn.microsoft.com/en-us/library/ee441458.aspx DIRECT2 Encoding Algorithm], by [[Microsoft]]
* [http://www.msuiche.net/2008/04/06/few-words-about-microsoft-interoperability-initiative/ Few words about Microsoft's interoperability initiative], by [[Matthieu Suiche]]
* [http://www.msuiche.net/codes/xpress.c.txt C implementation of LZ XPRESS], by [[Matthieu Suiche]]

Latest revision as of 02:27, 6 December 2012
