SlideShare ist ein Scribd-Unternehmen logo

From hybernation file to malware analysis with volatility

Christiaan Beek
Christiaan Beek

Howto on creating a memdump file from a hybernationfile, followed by

Technologie
1 von 2
Downloaden Sie, um offline zu lesen
From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.

Empfohlen

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry files
Maxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
somutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration tools
Duggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows Computer
Arthur King
 

Empfohlen

In-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry filesIn-depth forensic analysis of Windows registry files
In-depth forensic analysis of Windows registry files
Maxim Suhanov
 
Windows forensic
Windows forensicWindows forensic
Windows forensic
MD SAQUIB KHAN
 
Computer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows RegistryComputer Forensics &amp; Windows Registry
Computer Forensics &amp; Windows Registry
somutripathi
 
10 resource kit remote administration tools
10 resource kit remote administration tools10 resource kit remote administration tools
10 resource kit remote administration tools
Duggesh Talawar
 
MindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat SheetMindMap - Forensics Windows Registry Cheat Sheet
MindMap - Forensics Windows Registry Cheat Sheet
Juan F. Padilla
 
Registry Forensics
Registry ForensicsRegistry Forensics
Registry Forensics
Somesh Sawhney
 
Linux forensics
Linux forensicsLinux forensics
Linux forensics
Santosh Khadsare
 
Recover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows ComputerRecover shift+delete word file on Windows Computer
Recover shift+delete word file on Windows Computer
Arthur King
 
fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_mining
Jason Papapanagiotakis
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White Paper
AVG Technologies
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report
Aziz Sasmaz
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on Eduonix
Paddy Lock
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to
Akshay koshti
 
Windows advanced
Windows advancedWindows advanced
Windows advanced
yarden hanan
 
Wait events
Wait eventsWait events
Wait events
Anu Rana
 
File windows local
File windows localFile windows local
File windows local
yarden hanan
 
Unix Administration
Unix AdministrationUnix Administration
Unix Administration
Nishant Munjal
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
gueste041bc
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notes
Manish Mudhliyar
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Sandeep Kumar Seeram
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
Kapil Soni
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
AbundioTeca
 
Deft v7
Deft v7Deft v7
Deft v7
TGodfrey
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
Youness Zougar
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
CTIN
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
Cysinfo Cyber Security Community
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
Rian Yulian
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
YashPatel132112
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
DINESH KAMBLE
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
KunalKewat1
 

Weitere ähnliche Inhalte

Was ist angesagt?

Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
gueste041bc
 

Was ist angesagt? (11)

fast_bitcoin_data_mining
fast_bitcoin_data_miningfast_bitcoin_data_mining
fast_bitcoin_data_mining
 
Avg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White PaperAvg Technologies Vawtrak Banking Trojan White Paper
Avg Technologies Vawtrak Banking Trojan White Paper
 
Evernote Touch App Artifact Report
Evernote Touch App Artifact Report Evernote Touch App Artifact Report
Evernote Touch App Artifact Report
 
Linux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on EduonixLinux Administrator - The Linux Course on Eduonix
Linux Administrator - The Linux Course on Eduonix
 
Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to Sysinternals utilities : a brief introduction to
Sysinternals utilities : a brief introduction to
 
Windows advanced
Windows advancedWindows advanced
Windows advanced
 
Wait events
Wait eventsWait events
Wait events
 
File windows local
File windows localFile windows local
File windows local
 
Unix Administration
Unix AdministrationUnix Administration
Unix Administration
 
Hacking Windows IPC
Hacking Windows IPCHacking Windows IPC
Hacking Windows IPC
 
Oracle11g notes
Oracle11g notesOracle11g notes
Oracle11g notes
 

Ähnlich wie From hybernation file to malware analysis with volatility

Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
CTIN
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
evonnehoggarth79783
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guide
gilmsdn
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical Paper
Stephen Whisman
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
Abdulrahman Bassam
 

Ähnlich wie From hybernation file to malware analysis with volatility (20)

Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Windows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility FrameworkWindows Registry Forensics with Volatility Framework
Windows Registry Forensics with Volatility Framework
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
 
Deft v7
Deft v7Deft v7
Deft v7
 
Ransomware for fun and non-profit
Ransomware for fun and non-profitRansomware for fun and non-profit
Ransomware for fun and non-profit
 
Msra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troylaMsra 2011 windows7 forensics-troyla
Msra 2011 windows7 forensics-troyla
 
Advanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensicsAdvanced malware analysis training session 7 malware memory forensics
Advanced malware analysis training session 7 malware memory forensics
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
3170725_Unit-4.pptx
3170725_Unit-4.pptx3170725_Unit-4.pptx
3170725_Unit-4.pptx
 
Forensic imaging
Forensic imagingForensic imaging
Forensic imaging
 
Linux Operating System
Linux Operating SystemLinux Operating System
Linux Operating System
 
Encrypt and decrypt in solaris system
Encrypt and decrypt in solaris systemEncrypt and decrypt in solaris system
Encrypt and decrypt in solaris system
 
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
841- Advanced Computer ForensicsUnix Forensics LabDue Date.docx
 
Booklet
BookletBooklet
Booklet
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Kinect installation guide
Kinect installation guideKinect installation guide
Kinect installation guide
 
Digital forensics
Digital forensics Digital forensics
Digital forensics
 
Batch File Virus Project Technical Paper
Batch File Virus Project Technical PaperBatch File Virus Project Technical Paper
Batch File Virus Project Technical Paper
 
O p
O pO p
O p
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysisReversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 

Mehr von Christiaan Beek

Mehr von Christiaan Beek (7)

We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-too
 
3871778
38717783871778
3871778
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Taming worms, rats, dragons & more
Taming worms, rats, dragons & moreTaming worms, rats, dragons & more
Taming worms, rats, dragons & more
 

Kürzlich hochgeladen

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

Kürzlich hochgeladen (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 

From hybernation file to malware analysis with volatility

  • 1. From Hybernation file to Malware analysis with Volatility Intro In many malware related cases, the systems are still up and running and perfect for creating a memory dump before starting any investigation regarding the other volatile data and interesting files. In some cases the customer already took the machines from the network and shut them down. From an investigator’s perspective, valuable volatile data could be lost caused by this shutdown. A great way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and reconstruct it to a memory-dump file format. The hibernation file (hyberfil.sys) contains all the physical memory that was saved by the operating system for restoring usage during the next time the system is booted. Extract the hiberfil.sys file How do we start? First of all a forensic sound duplicate of the hard-drive is made by using a write-blocker. After the ‘mother’-copy has been duplicated; a ‘work-copy’ is mounted to the investigator’s analysis station. With Encase or FTK Imager, it is possible to extract the file from the disk-image. In this case we use the free-tool FTK Imager. After adding the disk to the software, you have to browse to the root dir of the system. Figure 1 selecting the hiberfil.sys file While selecting the file, execute a right-mouseclick and choose the option ‘Export Files’, followed by the location you want to dump this file. Convert the hiberfile.sys to a memory-dump file We know have the file exported, but we need to convert it to a readable format for memory analysis tools like Volatility. In 2007, Matthieu Suiche started a project on this called ‘Sandman’.
  • 2. This project was started to better investigate the hiberfil.sys file and what data could be extracted. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more was later adopted into Moonsols memory dump/converting toolkit. Moonsol is offering a community and enterprise edition of this toolkit. The community edition has the tool hibr2bin that is compatible with 32bit hibernation files of XP/2003/2008 & Vista. After downloading the tool we are going to convert our extracted hiberfil.sys file towards a bin file that can be used for analysis with volatility. The usage of the tool is pretty straight forward: Hibr2bin.exe <input file> <output file>: After this has been completed we have a file that can be imported to Volatility. Volatility When using Volatility, I prefer to use a ‘forensic order’ of using the plugins: Identify Image: plugin: imageinfo Identify suspicious processes: plugin: pslist & psscan Identify active/closed/hidden cons plugin: connections & connscan2, socks & sockscan2 Identify suspicious dll’s, open/hidden/closed files: plugin: dlllist , files & fileobjscan These plugins are followed by the plugin ‘malfind’ and others related to the case.