From hybernation file to malware analysis with volatility
From Hybernation file to Malware analysis with VolatilityIntroIn many malware related cases, the systems are still up and running and perfect for creating amemory dump before starting any investigation regarding the other volatile data andinteresting files. In some cases the customer already took the machines from the network andshut them down. From an investigator’s perspective, valuable volatile data could be lost causedby this shutdown. A great way to reconstruct the memory for investigation is to extract thehibernation file from the Windows system and reconstruct it to a memory-dump file format.The hibernation file (hyberfil.sys) contains all the physical memory that was saved by theoperating system for restoring usage during the next time the system is booted.Extract the hiberfil.sys fileHow do we start? First of all a forensic sound duplicate of the hard-drive is made by using awrite-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to theinvestigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file fromthe disk-image. In this case we use the free-tool FTK Imager. After adding the disk to thesoftware, you have to browse to the root dir of the system.Figure 1 selecting the hiberfil.sys fileWhile selecting the file, execute a right-mouseclick and choose the option ‘Export Files’,followed by the location you want to dump this file.Convert the hiberfile.sys to a memory-dump fileWe know have the file exported, but we need to convert it to a readable format for memoryanalysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
This project was started to better investigate the hiberfil.sys file and what data could beextracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into amemory-dump format. This script and more was later adopted into Moonsols memorydump/converting toolkit. Moonsol is offering a community and enterprise edition of thistoolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernationfiles of XP/2003/2008 & Vista. After downloading the tool we are going to convert ourextracted hiberfil.sys file towards a bin file that can be used for analysis with volatility.The usage of the tool is pretty straight forward:Hibr2bin.exe <input file> <output file>:After this has been completed we have a file that can be imported to Volatility.VolatilityWhen using Volatility, I prefer to use a ‘forensic order’ of using the plugins:Identify Image: plugin: imageinfoIdentify suspicious processes: plugin: pslist & psscanIdentify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscanThese plugins are followed by the plugin ‘malfind’ and others related to the case.