Friday, September 09, 2011

Windows 8-- now with more hiberfil

So, Microsoft is touting that their new OS (Windows 8) will boot up "30-70%" faster than any of their previous OSes. While this is super exciting for normal users (sad for those of us who use the long boot-up times to go for a cup of coffee), it is very interesting for forensic investigators.


So, the way Microsoft does this is by creating a 'mini' hiberfil, capturing just the kernel session during a shutdown. What is the hiberfil? If you ever hibernate your computer, the OS creates a file called hiberfil.sys which is essentially a snapshot of the machine's state: a compressed copy of what is residing in memory at the time of hibernation. This way, when you bring your computer out of hibernation, it is very quick to restore and things are as you left them.

You can see an article about the "hiberfil.sys" from hibernation, and what can be extracted from it, here.


So now imagine being able to use a hiberfil for boot-up: most of the kernel-level stuff is already set up and ready to go, thereby cutting down immensely on driver setup and initialization. (See the link for a pretty diagram.)


What does this mean for forensics? Always having a hiberfil available means having a portion (not sure how much; the article was a bit fuzzy on this) of RAM to extract and run your favorite memory analysis tool on. At the very least it will have some tasty kernel-level information, very useful for rootkit/malware finders.


I guess we shall see come the release of Windows 8!
