
Sandman – Read The Windows Hibernation File



How to Use Sandman to Analyze the Windows Hibernation File




The Windows hibernation file (hiberfil.sys) is a file that stores the contents of the system memory when the computer enters hibernation mode. It can contain valuable information for forensic analysis, such as open files, network connections, encryption keys, passwords and more. However, reading the hibernation file is not a trivial task, as it is compressed and encoded with a proprietary algorithm that varies across different Windows versions.


Fortunately, there is a tool that can help you read and extract data from the hibernation file: Sandman. Sandman is a C library that aims to read the hibernation file regardless of Windows version. It was created by Matthieu Suiche and Nicolas Ruff in 2007 as part of the Sandman project. Sandman can decompress and decode the hibernation file and provide access to its contents via an interactive shell. It can also write modified data back to the hibernation file, which can be useful for testing or exploitation purposes.





How to use Sandman




To use Sandman, download the source code from GitHub and compile it with Visual Studio. The build produces an executable called HIBR2BIN.exe that can read and write the hibernation file. When you run it, you specify the platform (X86 or X64), the major and minor version of Windows (e.g. 6 and 1 for Windows 7), the input hiberfil.sys file, the output uncompressed.bin file and, optionally, the data offset in hexadecimal if it is not zero. For example, to process a hibernation file taken from Windows 7 x64, you would use the following command:


HIBR2BIN /PLATFORM X64 /MAJOR 6 /MINOR 1 /INPUT hiberfil.sys /OUTPUT uncompressed.bin


The output file will contain the decompressed and decoded data from the hibernation file. You can then use Sandman's interactive shell to explore its contents. For example, the info command displays some basic information about the hibernation file:


SandMan> info
Signature: wake
Version: 0x00000001
Checksum: 0x00000000
Length: 0x00000000
Page Size: 0x00001000
Image Type: 0x00000000
System Time: 0x01C9B4E8F8F5A9A0
Interrupt Time: 0x000000001C9B4E8F
Feature Flags: 0x00000000
Hiber Flags: 0x00000000
No Hiber Ptes: 0x00000000
Hiber Va: 0xFFFFF80002A1B000
No Free Pages: 0x00000000
Free Page List: 0x00000000
No Boot Loader Log Pages: 0x00000000
Boot Loader Log Pages: 0x00000000
Not Used: 0x00000000
Resume Context Check: 0x5A5A5A5A5A5A5A5A
Resume Context Length: 0x00000340


You can also use commands like dump, search, write and help to perform various operations on the hibernation file data. For more details on how to use Sandman, you can refer to its whitepaper or its GitHub page.
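The info output above is worth a closer look: the Signature field reads "wake" rather than "hibr", and Checksum and Length are zero. Windows rewrites the signature after a successful resume and invalidates the header, so the header fields of such a file cannot be trusted even though the compressed page data below it may still be on disk. The following script is an added example written for this page, not Sandman's own code, that triages a hibernation file on exactly that point: it classifies the signature, reads the first four header fields, and counts the 8-byte \x81\x81xpress markers that precede each Xpress-compressed page set. The field offsets (Signature, Version, CheckSum and LengthSelf at 0x0, 0x4, 0x8 and 0xC) and the set of recognised signatures are assumptions taken from the Vista/7 layout and should be checked against the Sandman or Volatility structure definitions for the build under analysis; the sample images are constructed in memory.

```python
import struct

# Signatures seen at offset 0 of hiberfil.sys (assumed set, verify per build):
# "hibr" marks a file holding a live hibernation image; "wake" is written back
# by Windows after a resume, at which point the header is no longer reliable.
# Uppercase variants appear on newer builds; "RSTR" marks a restore in progress.
SIGNATURES = {
    b"hibr": "hibernated (image valid)",
    b"HIBR": "hibernated (image valid)",
    b"wake": "resumed (header invalidated)",
    b"WAKE": "resumed (header invalidated)",
    b"RSTR": "restore in progress",
}

# Marker that precedes each Xpress-compressed page set inside the file.
XPRESS_MAGIC = b"\x81\x81xpress"


def parse_header(data: bytes) -> dict:
    """Parse the fixed leading fields of PO_MEMORY_IMAGE.

    Offsets 0x0..0x10 (Signature, Version, CheckSum, LengthSelf) are assumed
    from the Vista/7 layout; later fields move with platform and build and are
    deliberately not decoded here.
    """
    if len(data) < 16:
        raise ValueError("header too short")
    sig = data[:4]
    version, checksum, length_self = struct.unpack_from("<III", data, 4)
    return {
        "signature": sig,
        "state": SIGNATURES.get(sig, "unknown"),
        "version": version,
        "checksum": checksum,
        "length_self": length_self,
        # Header values are only meaningful while the image is live.
        "header_trusted": sig in (b"hibr", b"HIBR"),
    }


def count_xpress_blocks(data: bytes) -> int:
    """Count Xpress block markers. A non-zero count on a 'wake' file shows that
    compressed memory pages may survive the header invalidation."""
    count = 0
    pos = data.find(XPRESS_MAGIC)
    while pos != -1:
        count += 1
        pos = data.find(XPRESS_MAGIC, pos + len(XPRESS_MAGIC))
    return count


def triage(data: bytes) -> dict:
    """Combine header state and block count into one triage result."""
    result = parse_header(data)
    result["xpress_blocks"] = count_xpress_blocks(data)
    return result


def build_sample(signature: bytes, n_blocks: int) -> bytes:
    """Constructed test image: a 4 KiB header page with Version=1, CheckSum=0,
    LengthSelf=0 (as in the info output above) followed by n fake block markers."""
    header = signature + struct.pack("<III", 1, 0, 0)
    page = header.ljust(0x1000, b"\0")
    body = b"".join(XPRESS_MAGIC + b"\0" * 24 + b"A" * 100 for _ in range(n_blocks))
    return page + body


if __name__ == "__main__":
    # Usage: triage(open("hiberfil.sys", "rb").read()) on a real acquisition.
    for sig in (b"hibr", b"wake"):
        r = triage(build_sample(sig, 3))
        print(f"{sig!r}: {r['state']}, header trusted={r['header_trusted']}, "
              f"xpress blocks={r['xpress_blocks']}")
```

The practical takeaway is the pairing of the two checks: a "wake" signature alone says only that the header is stale, while a non-zero Xpress block count says that the file is still worth decompressing with HIBR2BIN and inspecting in the Sandman shell.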


Conclusion




The Windows hibernation file is a rich source of information for forensic investigators, but it is also a challenging one to access and analyze. Sandman is a tool that can help you overcome this challenge by reading and writing the hibernation file regardless of Windows version. It can also provide you with an interactive shell to explore and manipulate its contents. Sandman is an open-source project that you can download from GitHub and compile with Visual Studio.


If you want to learn more about Sandman or other tools for memory forensics, you can visit Com

