jessekornblum (jessekornblum) wrote,

Hibernation File Signatures

There are four legal values for the magic value at the start of the Windows hibernation file. This post details the values, hibr, (null), wake, and link, and the circumstances under which they are created. They represent, in order, valid hibernation data, successfully restored hibernation data, unsuccessfully restored hibernation data, and a link to a hibernation file elsewhere. During this work I also found three noteworthy things about the hibernation process.

The file format of the Windows hibernation file begins with a PO_MEMORY_IMAGE structure. This structure begins with a four byte magic value. Matt Suiche and others have written that this magic field can take on several values, but only two have been explained. The first value, hibr or HIBR, indicates that the file contains valid hibernation data. (The uppercase version is found on Windows Vista and later.) The other known value, all zeros, indicates that the file has previously been restored successfully. In fact, when the file has been successfully restored, the first 0x1000 bytes of the file should all be zeros.

The other values thought to be legal in a hibernation file, wake and link, indicate either a failed restore operation or a link to another partition's hiberfil.sys file. This post explains how these methods work and provides methodologies for creating them.

These experiments were conducted using a VMware Fusion virtual machine running Windows XP Service Pack 3. The system was booted and hibernated normally. The virtual disk was mounted and the hibernation file was recorded. Here's the start of the hiberfil.sys:
0000000: 6869 6272 0000 0000 13f6 0000 a800 0000  hibr............
0000010: 5a5b 0000 0010 0000 0000 0000 0000 0000  Z[..............
0000020: 1aea 39fe 1320 ca01 d431 cc19 0000 0000  ..9.. ...1......
0000030: ff3f 03a0 0200 0000 1000 0000 0000 beff  .?..............
0000040: 00bf 0601 0000 0000 0003 0000 5045 0000  ............PE..
0000050: c6fb 0000 3d84 0000 0300 0000 5584 0000  ....=.......U...
0000060: 8145 839d 0000 0000 58f0 ef1e 0200 0000  .E......X.......
0000070: fe01 9004 0000 0000 797f 0e3f 1900 0000  ........y..?....
0000080: 3409 0000 9304 0000 2100 0000 c70f 0000  4.......!.......
0000090: 482d 0000 3d84 0000 20d4 3908 dd08 0000  H-..=... .9.....
00000a0: 0300 0000 0000 0000 0000 0000 0000 0000  ................
The virtual machine was restarted and allowed to begin restoring. When the progress bar was just shy of completion the VM was powered off. The virtual disk was mounted again and the hibernation file recorded. The second hibernation file was identical to first except for the first four bytes. Those four bytes had changed from hibr to wake:
0000000: 7761 6b65 0000 0000 13f6 0000 a800 0000  wake............
0000010: 5a5b 0000 0010 0000 0000 0000 0000 0000  Z[..............
0000020: 1aea 39fe 1320 ca01 d431 cc19 0000 0000  ..9.. ...1......
0000030: ff3f 03a0 0200 0000 1000 0000 0000 beff  .?..............
0000040: 00bf 0601 0000 0000 0003 0000 5045 0000  ............PE..
0000050: c6fb 0000 3d84 0000 0300 0000 5584 0000  ....=.......U...
0000060: 8145 839d 0000 0000 58f0 ef1e 0200 0000  .E......X.......
0000070: fe01 9004 0000 0000 797f 0e3f 1900 0000  ........y..?....
0000080: 3409 0000 9304 0000 2100 0000 c70f 0000  4.......!.......
0000090: 482d 0000 3d84 0000 20d4 3908 dd08 0000  H-..=... .9.....
00000a0: 0300 0000 0000 0000 0000 0000 0000 0000  ................
The VM was again restarted and it displayed a message, "The last attempt to restart the system from its previous location failed. Attempt to restart again?" The options given were "Delete restoration data and proceed to system boot menu" and "Continue with system restart" (Screenshot).

Researchers attempting to verify this result can also hibernate a system, manually edit the hibernation file while it's powered off, and then restart the system to achieve the same effect. Although this will allow you to see how Windows handles the file, it does not allow you to verify that Windows creates this file.

The link code allows the system to boot another hibernation file found elsewhere. According to the blog post How Windows Starts Up (Part the Second), the link signature should be followed by an ARC path similar to those found in the boot.ini file, like this:

linkmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Note there is no space between the link signature and the ARC path. The ARC path specifies another partition where the bootloader searches for a hiberfil.sys file to restore.
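As an added example (not code from the original post), the classifier below turns the four signatures described above into a triage check a forensic examiner could run over the start of a hiberfil.sys. The hibr header bytes are copied from the hex dump in the post; the wake sample follows the post's observation that only the first four bytes change; the link sample and the assumption that the ARC path ends at the first NUL byte are my own constructions.

```python
# Triage of a Windows hibernation file by its leading magic value.
# Values and their meanings follow the post: hibr/HIBR = valid data,
# all zeros = successfully restored, wake = failed restore, link = ARC
# path to another partition's hiberfil.sys.

HEADER_ZERO_SPAN = 0x1000  # post: first 0x1000 bytes are zero after a good restore


def classify_hiberfil(data: bytes) -> dict:
    """Return the hibernation state implied by the first four bytes."""
    magic = data[:4]
    if magic in (b"hibr", b"HIBR"):
        return {"magic": magic.decode(), "state": "valid hibernation data"}
    if magic == b"wake":  # lowercase as observed on XP SP3 in the post
        return {"magic": "wake", "state": "failed restore (boot prompts user)"}
    if magic == b"link":
        # Assumption: ARC path starts immediately after the signature (no
        # space) and ends at the first NUL byte or the end of the header.
        body = data[4:HEADER_ZERO_SPAN]
        end = body.find(b"\x00")
        path = body if end < 0 else body[:end]
        return {"magic": "link", "state": "link to another hiberfil.sys",
                "arc_path": path.decode("ascii", errors="replace")}
    if magic == b"\x00\x00\x00\x00":
        # A restored file should be zero for the whole 0x1000-byte span;
        # leftover non-zero bytes are worth a second look.
        clean = not any(data[:HEADER_ZERO_SPAN])
        return {"magic": "(null)",
                "state": "restored" if clean else "null magic, header not fully zeroed"}
    return {"magic": magic.hex(), "state": "unknown signature"}


def classify_hiberfil_path(path: str) -> dict:
    """Convenience wrapper: read only the header span from a file on disk."""
    with open(path, "rb") as fh:
        return classify_hiberfil(fh.read(HEADER_ZERO_SPAN))


# Sample headers (constructed). First 16 bytes of HIBR_HEADER are from the
# post's hex dump; the rest is zero padding so the samples run offline.
HIBR_HEADER = bytes.fromhex("6869627200000000" "13f60000a8000000").ljust(HEADER_ZERO_SPAN, b"\x00")
WAKE_HEADER = b"wake" + HIBR_HEADER[4:]
LINK_HEADER = (b"link" + b"multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS").ljust(HEADER_ZERO_SPAN, b"\x00")
RESTORED_HEADER = bytes(HEADER_ZERO_SPAN)

if __name__ == "__main__":
    for name, hdr in [("hibr", HIBR_HEADER), ("wake", WAKE_HEADER),
                      ("link", LINK_HEADER), ("null", RESTORED_HEADER)]:
        print(name, classify_hiberfil(hdr))
```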

There are three other noteworthy facts I discovered during this research. First, I found some information on Hibernate Once Restart Many (HORM) mode. This is a feature of Windows XP Embedded that allows the system to be booted multiple times using the same hibernation file. HORM mode depends on the Enhanced Write Filter (EWF), which is not included with other editions of Windows XP. There are methods to enable HORM on Windows XP, but they are cumbersome at best. The best indicator of HORM mode is the presence of a file resmany.dat in the root directory. See also Microsoft's description of HORM and the official documentation.

Second, I verified that a Windows system will attempt to parse or even restore the contents of hiberfil.sys, even if Hibernation mode is not enabled in the Control Panel.

Finally, hibernation is not supported on any Windows XP, Server 2003, Vista, or Server 2008 system with more than 4GB of RAM. See http://support.microsoft.com/kb/888575/ for details.
Tags: forensics, memory analysis