"\\.\PhysicalMemory"; a second device, "\\.\DebugMemory"
C:\hiberfil.sys
C:\pagefile.sys
C:\swapfile.sys
C:\Windows\memory.dmp
RAM
hiberfil.sys
RAM dump taken at the moment of hibernation. To turn hibernation on: powercfg.exe /hibernate on. Doesn't work on VMs. When the laptop turns back on, the file is filled with 0s (only the first 4K at the beginning is left). The only way to get this file is to get the HDD.
So, before performing the live acquisition, think twice: what would be more valuable for you?
Structure:

| Field | Content |
|---|---|
| Header | PO_MEMORY_IMAGE structure |
| Page list | An array of physical pages |
| Processor state | CONTEXT + KSPECIAL_REGISTERS |
| Memory range array n | Header: NextTable page, number of entries. Entries: destination page + checksum. |
| Xpress compressed block p | Magic \x81\x81xpress (>Win2K). Compressed data |
| Xpress compressed block p+1 | |
| Memory range array n+1 | |
Win8+ - new file format.
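An added example (not from these notes and not Volatility's code) that locates the \x81\x81xpress signatures listed in the structure table and inflates one block's payload with the MS-XCA plain LZ77 routine that Xpress uses. The sample image and payload are constructed for the demo, and the 4-byte field after the signature is skipped as an assumption rather than parsed.

```python
import re
XPRESS_MAGIC = b"\x81\x81xpress"  # block signature from the structure table above

def find_xpress_blocks(buf: bytes) -> list:
    return [m.start() for m in re.finditer(re.escape(XPRESS_MAGIC), buf)]

def xpress_decompress(src: bytes) -> bytes:
    """Decode an MS-XCA plain LZ77 ("Xpress") stream: 32 flag bits, MSB first;
    0 = literal byte, 1 = 16-bit match (offset-1) << 3 | (length-3), 7 = more."""
    out = bytearray()
    i = flags = nflags = half = 0  # half: offset of a pending length half-byte
    while i < len(src):
        if nflags == 0:
            flags = int.from_bytes(src[i:i + 4], "little"); i += 4; nflags = 32
        nflags -= 1
        if not (flags >> nflags) & 1:
            out.append(src[i]); i += 1
            continue
        match = int.from_bytes(src[i:i + 2], "little"); i += 2
        offset, length = (match >> 3) + 1, match & 7
        if length == 7:  # extended length: half-byte, then byte, then 2/4 bytes
            if half == 0:
                length = src[i] & 0xF; half = i; i += 1
            else:
                length = src[half] >> 4; half = 0
            if length == 15:
                length = src[i]; i += 1
                if length == 255:
                    length = int.from_bytes(src[i:i + 2], "little"); i += 2
                    if length == 0:
                        length = int.from_bytes(src[i:i + 4], "little"); i += 4
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("corrupt block: reference before start of output")
        for _ in range(length):  # byte-wise so overlapping copies repeat a pattern
            out.append(out[-offset])
    return bytes(out)

# Constructed sample: a page of zeros, the signature, a 4-byte field skipped here
# (assumption), then "ABCABCABC" as literals A, B, C plus one (offset 3, len 6) match.
SAMPLE_PAYLOAD = bytes([0x00, 0x00, 0x00, 0x10]) + b"ABC" + bytes([0x13, 0x00])
SAMPLE_IMAGE = b"\x00" * 4096 + XPRESS_MAGIC + b"\x00\x00\x00\x00" + SAMPLE_PAYLOAD

def decode_first_block(buf: bytes) -> bytes:
    """Locate the first block and inflate its payload (runs to end of buffer)."""
    off = find_xpress_blocks(buf)[0]
    return xpress_decompress(buf[off + len(XPRESS_MAGIC) + 4:])
```

On a real hiberfil.sys you would feed each block's compressed length from its header instead of reading to the end of the buffer; the decoder itself is unchanged.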
Not as common as a raw dump, but just as good. The imagecopy plugin converts other formats (crash dumps, hibernation files) into raw format to speed up later analysis. The hiberfile is compressed. Determine the OS profile, then run the plugin:
vol.py -f crash.dmp --profile=Win7SP2x64 imagecopy -O crash2mem.raw
vol.py -f hiberfil.sys --profile=Win7SP2x64 imagecopy -O hiber2mem.raw
C:\hiberfil.sys
C:\Memory.dmp
What is hiberfil.sys. Two types of compression.
imageinfo
- to identify the profile for a memory image. Running vol.py imageinfo -f hiberfil.sys
is slow and inefficient: no profiles were suggested. But when we have a live capture of the same system, we can use that dump to determine the profile and then perform actions with the right profile on hiberfil.sys.
pagefile.sys
When a Windows system runs out of RAM, it uses HDD space to temporarily store data from RAM. To acquire it from a live system, use https://ericzimmerman.github.io/#!index.md or FTK Imager. Carve separate files out of it using PhotoRec or a hex editor (for example, 010 Editor). This file is deleted on reboot.
Properties:

| Hidden | True | Owner SID | S-1-5-32-544 |
|---|---|---|---|
| System | True | Owner Name | Administrators |
| Read Only | False | Group SID | S-1-5-18 |
| Archive | True | Group Name | SYSTEM |

To copy this file use RawCopy64.exe /FileNamePath:c:\pagefile.sys.
To parse this file:
strings pagefile.sys | egrep "^https?://"           # URLs found in memory
strings pagefile.sys | grep -i "^[a-z]:\\\\"         # file paths that were used
strings pagefile.sys | grep -i "^[a-zA-Z0-9_]*=.*"   # environment variables
Apply YARA rules against the pagefile.
VMEM
Run python3 vol.py -f 1.vmem windows.vadinfo.VadInfo to view the Virtual Address Descriptors (VADs).