
TALLINN UNIVERSITY OF TECHNOLOGY
School of Information Technologies

Shaymaa Mamdouh Mohammed Radwan Khalil 177237IVCM

ANALYSIS OF WINDOWS 10 HIBERNATION FILE

Master's thesis

Supervisor: Hayretdin Bahsi, Ph.D., Research Professor
Pavel Tšikul, Ph.D., Researcher

Tallinn 2020

(Estonian title page: TALLINNA TEHNIKAÜLIKOOL, Infotehnoloogia teaduskond; WINDOWS PUHKEOLEKUFAILIDE ANALÜÜS, i.e. Analysis of Windows hibernation files, Master's thesis; same author and supervisors; Tallinn 2020.)

Author's declaration of originality

I hereby certify that I am the sole author of this thesis. All the used materials, references to the literature and the work of others have been referred to. This thesis has not been presented for examination anywhere else.

Author: Shaymaa Mamdouh Mohammed Radwan Khalil, 19.05.2020

Abstract

Since Matthieu Suiche revealed the structure of the Windows hibernation file in late 2007, the file has been a valuable source of artifacts for digital forensics examiners. Starting with Windows 8, Microsoft changed the hibernation file structure, so many digital forensics tools no longer support direct analysis of modern hibernation files. The literature shows that a modern hibernation file loses almost all of its value once the system is resumed, because the whole file except the header is zeroed. This dependence of the file's content on power-state changes has led some digital forensics practitioners to stop including the file in their investigations. One aim of this study is to raise awareness of the forensic value of the Windows 10 hibernation file and to highlight the special considerations that apply when processing it. The study analyses the hibernation file structure of Windows 10 versions 1809, 1903 and 1909 and provides an updated layout of the file.

This research also documents the impact of different Windows 10 configurations on the hibernation file content. A predefined list of evidence was created to compare the output of hibernation file analysis with BEC, Magnet Axiom and BlackLight, and alternative tools that could be used to analyse the Windows 10 hibernation file are evaluated. The results show that the Windows 10 hibernation file is a valuable source of volatile evidence: it contains data on running processes, open connections, private browsing history and other types of evidence that might not be found in a disk image. The thesis therefore recommends treating the hibernation file as a substitute for a memory image when no memory image was acquired from the live system, when the memory image is corrupted, or when the device was found in a hibernated or shut-down state.

This thesis is written in English and is 121 pages long, including 7 chapters, 63 figures and 30 tables.

List of abbreviations and terms

ACPI: Advanced Configuration and Power Interface
BCD: Boot Configuration Database
BEC: Belkasoft Evidence Center
BIOS: Basic Input Output System
CR: Control Register
DFRWS: Digital Forensics Research Workshop
DHCP: Dynamic Host Configuration Protocol
EXIF: Exchangeable Image File Format
FAQ: Frequently Asked Questions
GDT: Global Descriptor Table
HORM: Hibernate Once/Resume Many
IDT: Interrupt Descriptor Table
MBR: Master Boot Record
N/A: Not Available
OS: Operating System
PC: Personal Computer
POST: Power-on self-test
RAM: Random Access Memory
SKM: Secure Kernel Mode
UEFI: Unified Extensible Firmware Interface
VAD: Virtual Address Descriptors

Table of contents

Author's declaration of originality 3
Abstract 4
List of abbreviations and terms 5
Table of contents 6
List of figures 10
List of tables 12
1 Introduction 14
1.1 Research Objectives 16
1.2 Scope 17
1.3 Novelty 18
2 Background 19
2.1 Memory forensics 19
2.2 Power Management basics 20
2.3 Hibernation file 22
2.3.1 Entering hibernation state 24
2.3.2 Resuming system from hibernation 24
2.3.3 File size and types 25
2.3.4 Usage 26
2.3.5 File structure 27
2.3.6 Hibernation file security 35
2.4 Related work 36
2.5 Introduction to analysis Tools 39
2.5.1 WinDbg 39
2.5.2 FTK Imager 40
2.5.3 Hibr2Bin 40
2.5.4 Hibernation Recon 42
2.5.5 Volatility 43
2.5.6 Rekall 44
2.5.7 Bulk_extractor 46
2.5.8 Passware Kit Forensic 47
2.5.9 Belkasoft Evidence center 48
2.5.10 BlackLight 50
2.5.11 Magnet Axiom 51
2.5.12 Hive Recon 53
3 Research Methods 55
3.1 Variables 55
3.1.1 Windows Version 55
3.1.2 Hibernation file type 57
3.1.3 System power state 57
3.2 Analysis Types 58
3.2.1 Manual analysis 58
3.2.2 Analysis of hibernation file using tools 60
3.3 Test Cases 61
3.3.1 Test Case A 61
3.3.2 Test case B 62
3.3.3 Test case C 62
3.3.4 Test case D 63
4 Manual analysis of Windows 10 hibernation file 66
4.1 Default Windows 10 settings
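The abstract's central caveat is that a Windows 8+ hibernation file is zeroed apart from its header once the system resumes, so an examiner's first question is whether the file body still holds memory pages at all. The following triage script is an added example, not code from the thesis or from any of the tools it evaluates. It assumes 4096-byte pages, that the header occupies the first page, and the commonly documented signature values ("HIBR" for a populated file, "WAKE" for a Windows 7 resumed file, "RSTR" for a Windows 8+ resumed file); none of these values are taken from the thesis, and the sample data built by make_sample() is constructed here for demonstration.

```python
"""Triage a copy of hiberfil.sys before committing analysis time.

Added example (not from the thesis). Checks the 4-byte signature at
offset 0 and counts all-zero pages in the body, so a resumed, zeroed
file is recognised before it is fed to a memory-analysis tool.

Assumptions not taken from the thesis: 4 KiB pages, the header in the
first page, and the signature meanings listed in SIGNATURES.
"""
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumption: 4 KiB pages

# Assumed signature meanings; anything else is reported as unknown, not as bad.
SIGNATURES = {
    b"HIBR": "populated hibernation file",
    b"WAKE": "resumed (Windows 7 style)",
    b"RSTR": "resumed (Windows 8+ style)",
}


@dataclass
class Triage:
    signature: bytes
    meaning: str
    total_pages: int
    zero_body_pages: int

    @property
    def zero_fraction(self) -> float:
        """Share of body pages (everything after the header page) that are all zero."""
        body = self.total_pages - 1
        return self.zero_body_pages / body if body > 0 else 1.0

    @property
    def worth_analysing(self) -> bool:
        """Heuristic: populated signature and a body that is mostly non-zero."""
        return self.signature == b"HIBR" and self.zero_fraction < 0.99


def triage_hiberfil(data: bytes) -> Triage:
    """Classify hibernation file bytes by signature and body zero-fill."""
    signature = bytes(data[:4])
    pages = [data[i:i + PAGE_SIZE] for i in range(0, len(data), PAGE_SIZE)]
    # Page 0 is the header; it survives resume, so it is excluded from the count.
    zero_pages = sum(1 for page in pages[1:] if not any(page))
    return Triage(signature, SIGNATURES.get(signature, "unknown signature"),
                  len(pages), zero_pages)


def triage_file(path: str) -> Triage:
    """Read an exported hiberfil.sys (e.g. copied out with FTK Imager) and triage it."""
    with open(path, "rb") as fh:
        return triage_hiberfil(fh.read())


def make_sample(signature: bytes, resumed: bool, body_pages: int = 8) -> bytes:
    """Constructed sample: a header page carrying the given signature, followed by
    a body that is zero-filled (resumed) or filled with a non-zero pattern."""
    header = signature + b"\x5a" * (PAGE_SIZE - len(signature))
    body_page = bytes(PAGE_SIZE) if resumed else bytes(range(256)) * (PAGE_SIZE // 256)
    return header + body_page * body_pages


if __name__ == "__main__":
    for sig, resumed in ((b"HIBR", False), (b"RSTR", True)):
        t = triage_hiberfil(make_sample(sig, resumed))
        print(f"{sig!r}: {t.meaning}, {t.zero_body_pages}/{t.total_pages - 1} "
              f"body pages zero, worth analysing: {t.worth_analysing}")
```

Run it against a real exported file with `triage_file(path)`; a "HIBR" signature with a near-100% zero body should still be treated as an empty shell, which is why the heuristic checks both the signature and the fill.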