From hibernation file to malware analysis with Volatility
Intro
In many malware-related cases the systems are still up and running, which is the ideal situation for creating a memory dump before starting any investigation of the other volatile data and interesting files. In some cases, however, the customer has already taken the machines off the network and shut them down. From an investigator's perspective, valuable volatile data may have been lost because of this shutdown. A good way to reconstruct the memory for investigation is to extract the hibernation file from the Windows system and convert it to a memory-dump file format. The hibernation file (hiberfil.sys) contains the physical memory that the operating system saved so it could be restored the next time the system is booted.
Extract the hiberfil.sys file
How do we start? First of all, a forensically sound duplicate of the hard drive is made using a write-blocker. After the 'mother' copy has been duplicated, a 'work' copy is mounted on the investigator's analysis station. With EnCase or FTK Imager it is possible to extract the file from the disk image. In this case we use the free tool FTK Imager. After adding the disk image to the software, browse to the root directory of the system volume.
Figure 1: Selecting the hiberfil.sys file
Select the file, right-click it and choose the option 'Export Files', then pick the location where you want to save this file.
Convert the hiberfil.sys to a memory-dump file
We now have the file exported, but we need to convert it to a format that memory analysis tools like Volatility can read. In 2007, Matthieu Suiche started a project on this called 'Sandman'. The project was started to better investigate the hiberfil.sys file and what data could be extracted from it. One of the scripts Matthieu wrote was able to convert the hiberfil.sys file into a memory-dump format. This script and more were later adopted into the MoonSols memory dump/conversion toolkit. MoonSols offers a community and an enterprise edition of this toolkit. The community edition contains the tool hibr2bin, which is compatible with 32-bit hibernation files from XP/2003/2008 and Vista. After downloading the tool we convert our extracted hiberfil.sys file into a bin file that can be used for analysis with Volatility.
The usage of the tool is straightforward:
hibr2bin.exe <input file> <output file>
After this has completed we have a file that can be loaded into Volatility.
Volatility
When using Volatility, I prefer to use a 'forensic order' of running the plugins:
1. Identify the image: imageinfo
2. Identify suspicious processes: pslist and psscan
3. Identify active/closed/hidden connections: connections and connscan2, sockets and sockscan2
4. Identify suspicious DLLs and open/hidden/closed files: dlllist, files and fileobjscan
These plugins are followed by the plugin 'malfind' and others related to the case.
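The reason step 2 runs both pslist and psscan is that pslist walks the kernel's linked process list, while psscan carves EPROCESS structures out of the memory image by pool-tag scanning; a process that has been unlinked from the list (hidden) or that terminated before the dump shows up only in psscan. The script below is an added example, not part of the original article or of Volatility itself: it parses the text output of the two plugins in Volatility 2's column layout and reports the processes that psscan sees but pslist does not, separating terminated processes (which carry an exit timestamp) from candidates for hidden processes. The plugin output embedded in the script is constructed sample data, not output from a real case.

```python
"""Cross-reference Volatility pslist and psscan output (added example).

Assumes the text layout of Volatility 2's pslist/psscan plugins:
  <offset> <name> <PID> <PPID> ... [<create time> [<exit time>]]
Rows are keyed on (PID, image name); a process that appears only in the
psscan output is flagged as terminated (two timestamps present) or as a
hidden-process candidate (no exit timestamp).
"""
import re
from dataclasses import dataclass

# Constructed sample output in pslist layout (not real case data).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2010-10-29 17:08:53 UTC+0000
0x81e7bda0 explorer.exe           1724   1688     13      326      0      0 2010-10-29 17:09:01 UTC+0000
"""

# Constructed sample output in psscan layout (not real case data).
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x0000000001a3a9c8 System                4      0 0x00319000
0x00000000023f1020 smss.exe            368      4 0x08d00020 2010-10-29 17:08:53 UTC+0000
0x0000000001e7bda0 explorer.exe       1724   1688 0x0a2c0340 2010-10-29 17:09:01 UTC+0000
0x0000000001f33020 updater.exe        1340    656 0x0a940220 2010-10-29 17:10:11 UTC+0000
0x0000000002a41da0 cmd.exe            2012   1724 0x0b1a0060 2010-10-29 17:12:30 UTC+0000 2010-10-29 17:12:45 UTC+0000
"""

# Leading columns shared by both plugins: offset, image name, PID, PPID.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")
# Volatility 2 timestamp format; a second match on a row is the exit time.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


@dataclass(frozen=True)
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    exited: bool


def parse_process_table(text):
    """Parse plugin output rows into Proc records; header/separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        stamps = TIMESTAMP_RE.findall(line)
        procs.append(Proc(offset=m.group(1), name=m.group(2),
                          pid=int(m.group(3)), ppid=int(m.group(4)),
                          exited=len(stamps) >= 2))
    return procs


def cross_reference(pslist_text, psscan_text):
    """Return processes found by psscan but absent from pslist, split by exit state."""
    listed = {(p.pid, p.name.lower()) for p in parse_process_table(pslist_text)}
    findings = {"hidden": [], "terminated": []}
    for p in parse_process_table(psscan_text):
        if (p.pid, p.name.lower()) in listed:
            continue
        bucket = "terminated" if p.exited else "hidden"
        findings[bucket].append(p)
    return findings


def report(findings):
    """Render the findings as lines for an analyst's notes."""
    lines = []
    for p in findings["hidden"]:
        lines.append(f"HIDDEN?    {p.name} pid={p.pid} ppid={p.ppid} at {p.offset} (in psscan only, no exit time)")
    for p in findings["terminated"]:
        lines.append(f"TERMINATED {p.name} pid={p.pid} ppid={p.ppid} at {p.offset} (exited before the dump)")
    return lines


if __name__ == "__main__":
    for line in report(cross_reference(PSLIST_OUTPUT, PSSCAN_OUTPUT)):
        print(line)
```

In a real case you would redirect the two plugins' output to files and feed those to parse_process_table instead of the embedded strings. A process flagged as a hidden candidate is a lead, not a verdict: it is the input to the later steps (dlllist, files and malfind on that PID), and the same list-versus-scan comparison applies to connections/connscan2 and sockets/sockscan2 in step 3.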