`\\.\PhysicalMemory`; a second device, `\\.\DebugMemory`
C:\hiberfil.sys
C:\pagefile.sys
C:\swapfile.sys
C:\Windows\memory.dmp
RAM
hiberfil.sys
RAM dump taken at the moment of hibernation. To turn hibernation on: `powercfg.exe /hibernate on`. Doesn't work on VMs. When the laptop turns back on, these files are filled with 0s (leaving only 4K at the beginning). The only way to get this file is to get the HDD.
💡 So, before performing the live acquisition, think twice: what would be more valuable for you…?
Structure:
| Field | Content |
|---|---|
| Header | PO_MEMORY_IMAGE structure |
| Page list | An array of physical pages |
| Processor State | CONTEXT + KSPECIAL_REGISTERS |
| Memory Range Array n | Header: NextTable page, Number of entries. Entries: Destination page + Checksum. |
| Xpress compressed block p | Magic \x81\x81xpress (>Win2K). Compressed data |
| Xpress compressed block p+1 | |
| Memory Range Array n+1 | |
Win8+ uses a new file format.
Not as common as raw dumps, but just as good. The imagecopy plugin converts different formats into the raw format to speed up analysis. The hibernation file is compressed. Determine the OS profile and run the plugin:
```shell
vol.py -f crash.dmp --profile=Win7SP2x64 imagecopy -O crash2mem.raw
vol.py -f hiberfil.sys --profile=Win7SP2x64 imagecopy -O hiber2mem.raw
```
C:\hiberfil.sys
C:\Memory.dmp
What is hiberfil.sys? Two types of compression.
imageinfo identifies the profile for a memory image. Running `vol.py imageinfo -f hiberfil.sys` is slow and inefficient: no profiles were suggested. But when we have a live capture of the same system, we can use that dump to determine the profile and then perform actions on hiberfil.sys with the right profile.
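The Xpress blocks in the structure table above are compressed with the plain LZ77 variant of Microsoft's Xpress format (pre-Windows 8 hibernation files; Win8+ switched formats and this decoder does not apply). The following is an added example, not code from the page or from Volatility: a decoder for that format, a minimal encoder used only for round-trip testing, and a scanner that locates the `\x81\x81xpress` magic. It assumes a 32-byte block header whose page-count and size fields are left undecoded (only the magic is used), and the sample image it scans is constructed here.

```python
"""Added example (not from the page or Volatility): plain-LZ77 Xpress codec and
block-magic scanner for pre-Win8 hiberfil.sys.  Assumption: 32-byte block header
(magic + undecoded size fields) followed immediately by the compressed payload."""
import struct

XPRESS_MAGIC = b"\x81\x81xpress"
XPRESS_HEADER_SIZE = 32        # assumed header length; only the magic is checked
MAX_OFFSET = 8192              # 13-bit offset field encodes distances 1..8192
MAX_MATCH = 0xFFFF + 3         # 16-bit length extension stores length - 3


def xpress_decode(data: bytes, max_out: int = 1 << 20) -> bytes:
    """Decode a plain-LZ77 Xpress stream: 32-bit flag word, bit 1 = back-reference."""
    out, pos, flags, flag_bits, nibble_pos = bytearray(), 0, 0, 0, 0
    while pos < len(data) and len(out) < max_out:
        if flag_bits == 0:                          # refill flags for the next 32 tokens
            if pos + 4 > len(data):
                break
            flags = struct.unpack_from("<I", data, pos)[0]
            pos, flag_bits = pos + 4, 32
            if pos >= len(data):
                break
        flag_bits -= 1
        if not flags & (1 << flag_bits):            # literal byte
            out.append(data[pos])
            pos += 1
            continue
        if pos + 2 > len(data):                     # match flag with no body: end of stream
            break
        token = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        offset, length = (token >> 3) + 1, token & 7
        if length == 7:                             # length >= 10: extension nibble
            if nibble_pos == 0:
                nibble_pos, length = pos, data[pos] & 0x0F
                pos += 1
            else:                                   # the second match reuses the high nibble
                length, nibble_pos = data[nibble_pos] >> 4, 0
            if length == 15:                        # length >= 25: extension byte
                length = data[pos]
                pos += 1
                if length == 255:                   # length >= 280: extension word
                    length = struct.unpack_from("<H", data, pos)[0] - (15 + 7)
                    pos += 2
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("back-reference before start of output at %d" % pos)
        for _ in range(length):                     # byte-wise copy so overlap (RLE) works
            out.append(out[len(out) - offset])
    return bytes(out)


def _tokenize(data: bytes):
    """Greedy LZ77 parse with a 3-byte hash chain: ints are literals, tuples matches."""
    tokens, table, i, n = [], {}, 0, len(data)
    while i < n:
        best_len = best_off = 0
        for j in reversed(table.get(data[i:i + 3], [])):
            if i - j > MAX_OFFSET:
                break
            l = 3
            while i + l < n and l < MAX_MATCH and data[j + l] == data[i + l]:
                l += 1
            if l > best_len:
                best_len, best_off = l, i - j
        step = best_len if best_len >= 3 else 1
        tokens.append((best_off, best_len) if best_len >= 3 else data[i])
        for k in range(i, i + step):
            if k + 3 <= n:
                table.setdefault(data[k:k + 3], []).append(k)
        i += step
    return tokens


def xpress_encode(data: bytes) -> bytes:
    """Serialise tokens in groups of 32, flag word first; mirrors the decoder's nibble sharing."""
    out, nibble_pos, tokens = bytearray(), 0, _tokenize(data)
    for g in range(0, len(tokens), 32):
        group = tokens[g:g + 32]
        out += struct.pack("<I", sum(1 << (31 - i) for i, t in enumerate(group) if isinstance(t, tuple)))
        for tok in group:
            if not isinstance(tok, tuple):
                out.append(tok)
                continue
            offset, length = tok
            rem = length - 3
            out += struct.pack("<H", ((offset - 1) << 3) | min(rem, 7))
            if rem < 7:
                continue
            rem -= 7
            if nibble_pos == 0:                     # open a new nibble byte (low nibble)
                nibble_pos = len(out)
                out.append(min(rem, 15))
            else:                                   # fill the pending high nibble
                out[nibble_pos] |= min(rem, 15) << 4
                nibble_pos = 0
            if rem < 15:
                continue
            rem -= 15
            if rem < 255:
                out.append(rem)
            else:
                out.append(255)
                out += struct.pack("<H", length - 3)
    return bytes(out)


def find_xpress_blocks(image: bytes) -> list:
    """Return the offset of every Xpress block magic found in an image."""
    offsets, start = [], 0
    while (k := image.find(XPRESS_MAGIC, start)) != -1:
        offsets.append(k)
        start = k + len(XPRESS_MAGIC)
    return offsets


# Constructed sample page and a constructed "image" holding two blocks of it.
SAMPLE_PAGE = (b"PhysicalMemory pagefile.sys hiberfil.sys " * 40
               + bytes(range(256)) + b"A" * 1000 + b"end of page")


def build_sample_image() -> bytes:
    block = XPRESS_MAGIC + b"\x00" * (XPRESS_HEADER_SIZE - len(XPRESS_MAGIC)) + xpress_encode(SAMPLE_PAGE)
    return b"\xff" * 100 + block + b"\x00" * 64 + block


def recover_pages(image: bytes) -> list:
    """Decode the payload after each located header (real size comes from the header)."""
    return [xpress_decode(image[off + XPRESS_HEADER_SIZE:], max_out=len(SAMPLE_PAGE))
            for off in find_xpress_blocks(image)]
```

On a real file the uncompressed page count and compressed size come from the header fields this example leaves alone; `max_out` stands in for that page count so the decoder does not run into the next block.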
pagefile.sys
When a Windows system runs out of RAM, it uses HDD space to temporarily store data from RAM. To acquire it from a live system, use https://ericzimmerman.github.io/#!index.md or FTK Imager. Carve separate files out of it with PhotoRec or with a hex editor (for example, 010 Editor). This file is deleted on reboot.
Properties:
| Attribute | Value | Property | Value |
|---|---|---|---|
| Hidden | True | Owner SID | S-1-5-32-544 |
| System | True | Owner Name | Administrators |
| Read Only | False | Group SID | S-1-5-18 |
| Archive | True | Group Name | SYSTEM |
To copy this file use `RawCopy64.exe /FileNamePath:c:\pagefile.sys`.
To parse this file:
```shell
strings pagefile.sys | egrep "^https?://"             # URLs found in memory
strings pagefile.sys | grep -i "^[a-z]:\\\\"          # file paths that were in use
strings pagefile.sys | grep -i "^[a-zA-Z0-9_]*=.*"    # environment variables
```
Apply YARA rules against the pagefile.
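The grep pipeline above only sees ASCII runs, while much of what Windows pages out is UTF-16LE. The following is an added example, not code from the page: it extracts both ASCII and wide strings from a pagefile-like blob and buckets them with the same three patterns (URLs, drive paths, environment variables). The input blob is constructed here and is not a real pagefile.

```python
"""Added example (not from the page): ASCII + UTF-16LE string triage for a
pagefile fragment, using the page's URL / path / env-var patterns."""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # wide strings look like b"C\x00:\x00\\\x00"
CLASSES = [
    ("url", re.compile(r"^https?://", re.I)),
    ("path", re.compile(r"^[a-z]:\\", re.I)),
    ("env", re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=.+")),
]


def extract_strings(blob: bytes) -> list:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run, by offset."""
    hits = []
    for m in ASCII_RUN.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii").strip()))
    for m in UTF16_RUN.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le").strip()))
    return sorted(hits)


def triage(blob: bytes) -> dict:
    """Bucket strings into url / path / env / other, de-duplicated, first-seen order."""
    buckets = {"url": [], "path": [], "env": [], "other": []}
    for _offset, _encoding, text in extract_strings(blob):
        for name, rx in CLASSES:
            if rx.search(text):
                break
        else:
            name = "other"
        if text not in buckets[name]:
            buckets[name].append(text)
    return buckets


# Constructed sample fragment: an ASCII URL, a wide (UTF-16LE) path, an
# environment variable, plain text, and binary filler that must yield nothing.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"https://example.test/login?user=alice "
    + b"\x00\x07\xff"
    + "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16le")
    + b"\x00\x00\xff"
    + b"TEMP=C:\\Users\\alice\\AppData\\Local\\Temp"
    + b"\x00" * 8
    + b"some leftover text"
    + b"\x90" * 20
)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_BLOB).items():
        print(bucket, items)
```

The wide-string pass corresponds to running `strings -el pagefile.sys` next to the plain `strings` commands; without it the path in the sample would never reach the grep filters.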
VMEM
```shell
python3 vol.py -f 1.vmem windows.vadinfo.VadInfo   # view Virtual Address Descriptors (VAD)
```
