You can use Windows Hibernate to conserve batteries, electricity, save the environment, the world and the polar bears!
However, did you know that by putting your computer into “hibernation” mode you are essentially creating a snapshot of the contents of your computer’s RAM, which is then saved to the root of the hard drive as “hiberfil.sys”?
This means that currently running applications and other data in RAM will be written to the hard disk. This is a pretty serious privacy risk, and by not using this feature you are in effect implementing an anti-forensics technique.
For example, if you happened to have been browsing the web and had not closed your web browser before choosing to hibernate, then textual strings such as the last Google search you performed or text from an open web page will be written to your hard drive as the computer “hibernates”. This makes the Windows hibernation file a great source of information for computer forensic examiners.
The Windows hiberfil.sys can also be an issue when using encryption software such as TrueCrypt. If a Windows system is placed into hibernation mode without unmounting encrypted containers or volumes, then the encryption keys used to access these containers will likely still be in RAM in plain text. RAM will then be saved to the hard drive in the hiberfil.sys. This means that you will be leaving the keys (passwords) to all of your private containers and volumes free for the finding.
Now, for some actual testing. I will leave a demonstration of TrueCrypt and the hiberfil.sys for a later article. What I’ve done for this article is set up a new Windows XP system with hibernation mode enabled, as can be seen in the screenshot below.
I then accessed Internet Explorer and performed a Google search for “how to destroy a hard drive”.
Leaving the search engine results page open in the browser, I placed the machine into hibernation mode from the menu seen below.
The drive was then accessed as a secondary storage medium (plugged into another computer through a USB connection with write protection enabled) and the hiberfil.sys itself was extracted using FTK Imager on another system.
Finally, I loaded the hiberfil.sys into a standard hex editor, “HxD”, and ran a string search for “how+to” to see if the URL for the Google search I performed was in fact stored in the hiberfil.sys.
As you can see from the screenshot above, the URL for the Google search that I performed was located in the hiberfil.sys.
If you use hibernation mode you are vulnerable to this sort of attack. You may inadvertently divulge trade secrets to a malicious hacker who copies your hiberfil.sys or just as easily incriminate yourself if your computer is seized and forensically examined.
You can stop examination of this file by simply not using hibernation mode. If you insist on using this feature, then you should also implement full disk encryption, such as that provided by TrueCrypt, which is mentioned in many of the other anti-forensics articles on this website.
You also need to be aware that data can still be dumped from RAM itself after your computer has been turned off. This is possible for up to 35 seconds at normal operating temperatures. If the RAM sticks are cooled to less than 50 degrees Celsius, then it is possible to perform a data dump from RAM up to hours later with some forms of RAM.
So, has anyone created any software to parse the data in the hiberfil.sys?
Yes, the Sandman Project is a library which assists in parsing data from the hiberfil.sys. I’m sure there are others and if you know of any, don’t hesitate to leave a comment. I have not personally used the library from the Sandman Project but from what I’ve read it works fairly well.
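The string search described above (the HxD search for “how+to”) is easy to automate so you can audit a copy of your own hiberfil.sys, or any other memory image, for leftover browser data. The Python script below is an added example and is not code from this article or from the Sandman Project; it extracts printable ASCII and UTF-16LE runs (Windows programs normally hold text such as URLs in memory as UTF-16LE, which a plain ASCII search would miss) and reports the ones matching a regex. Run without arguments it scans a constructed buffer that stands in for a hibernation file; the URL, the “hibr” marker and the filler bytes are all made up for the example. One caveat: a raw string scan only finds data the hibernation file stores uncompressed. The XP test above found the URL this way, but later Windows versions compress most saved pages, so for anything beyond a first pass use a tool that understands the file format, such as the Sandman library mentioned above.

```python
import mmap
import re
import sys
from typing import List, Tuple

MIN_LEN = 8  # shortest run of printable characters worth reporting

# Printable ASCII run, and the same characters stored as UTF-16LE
# (char, NUL, char, NUL, ...), which is how Windows programs usually
# keep text such as URLs and window titles in memory.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

Hit = Tuple[int, str, str]  # (file offset, encoding, decoded text)


def extract_strings(data) -> List[Hit]:
    """Pull every ASCII and UTF-16LE printable run out of a bytes or mmap object."""
    hits: List[Hit] = []
    for m in ASCII_RE.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    hits.sort()  # by offset, so the report follows file order
    return hits


def search_strings(data, pattern: str) -> List[Hit]:
    """Return the extracted strings that match a case-insensitive regex."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in extract_strings(data) if rx.search(h[2])]


# Constructed sample URL; mirrors the search performed in the article.
SAMPLE_URL = "http://www.google.com/search?q=how+to+destroy+a+hard+drive"


def build_sample() -> bytes:
    """Constructed stand-in for a hiberfil.sys: the same URL a browser left in
    RAM, once as ASCII and once as UTF-16LE, separated by non-text filler."""
    filler = b"\x00\xff" * 64
    return (b"hibr" + filler  # "hibr" is just a constructed marker here
            + SAMPLE_URL.encode("ascii") + filler
            + SAMPLE_URL.encode("utf-16le") + filler)


def main(argv: List[str]) -> int:
    if len(argv) == 1:
        data, pattern = build_sample(), r"how\+to"
    else:
        # Usage: hiberscan.py <copy of hiberfil.sys> [regex]
        # The file is memory-mapped so multi-gigabyte images are not read into RAM.
        f = open(argv[1], "rb")
        data = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        pattern = argv[2] if len(argv) > 2 else r"https?://"
    for off, enc, text in search_strings(data, pattern):
        print(f"0x{off:08x} {enc:9} {text}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the constructed buffer the scan reports the URL twice, once at the ASCII offset and once at the UTF-16LE offset; run it against a real image with the default `https?://` pattern to list every URL left in the file.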
Disable Hibernation mode on Windows XP:
- Right-click empty area on desktop
- Choose “Properties”
- Select the “Screen Saver” tab
- Click “Power…”
- Select the “Hibernate” tab
- Uncheck “Enable hibernation”
Disable Hibernation mode on Windows 7:
- Open “Control Panel”
- Click “Power Options”
- Click “Change plan settings” for your current power plan
- Click “Change advanced power settings”
- Expand “Sleep”
- Expand “Hibernate after”
- Enter “0” for “Setting:” to set hibernate to “Never”
I am waiting for the true crypt/hibernation article! I have disabled hibernation since reading this even though I don’t use it, at least I don’t think I do. Maybe when I just close the lid on my laptop it was doing this.
Hey ST, it is very possible that your laptop was set to hibernate when the lid was closed. Does a hiberfil.sys file exist on the root of your system partition? Usually “C:”
Maybe a batch file on the desktop can resolve this problem:
###############################################################
taskkill /IM iexplore.exe /F
taskkill /IM firefox.exe /F
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /dismount /quit
rundll32.exe PowrProf.dll,SetSuspendState Hibernate
###############################################################
And you can add the CCleaner utility:
"C:\Program Files\CCleaner\CCleaner.exe" /AUTO
Of course, before that, set at least DOD 5220-22-M in the configuration.
At last, this is my best secure final batch, keeping almost the same speed as the original hibernation.
powercfg creates the hiberfil.sys at the start and deletes it from disk at the end, when powering up from hibernation. =)
————————————————————————————–
@echo off
powercfg.exe /hibernate on
taskkill /IM iexplore.exe /F
taskkill /IM firefox.exe /F
"C:\Program Files\CCleaner\CCleaner.exe" /AUTO
"C:\Program Files\you_truecrypt_directory\TrueCrypt.exe" /dismount /quit
rundll32.exe PowrProf.dll,SetSuspendState Hibernate
powercfg.exe /hibernate off