Feature : Hibernation Layer and plugins.

[forensicxlab]

Hello,

• Adding a new translation layer and plugins to allow modern Windows (Win8-Win11) hibernation file conversion to a raw memory image
• Adding new codecs : LZ77, LZ77Huffman decompression algorithms.

Details about the feature : https://www.forensicxlab.com/posts/hibernation/

Best regards.

[ikelos]

Thanks very much for your contribution! This is quite a big change, so may take us some time to review (I also need to pull in some of the other guys who wrote our previous hibernation code to check it). So please don't despair, but this may take us some time...

[forensicxlab]

Hello @ikelos,

Finally found some time to make adjustments to the code.
Added a bunch of comments for better readability for the reviewer(s).

I still have doubts about some of my choices for the implementation 🧐
Any news on your side about this PR review ?

Kind regards,
Félix.

[ikelos]

Thanks Félix, unfortunately the chap that knows the hibernation stuff best ( @awalters ) is a little busy at the moment, so we haven't made much progress with it, but we haven't forgotten about it either. Could you describe your worries about the implementations choices you're not sure about please and hopefully one of us will be able to check out your concerns?

[forensicxlab]

I wonder what's the best way to integrate algorithms into the "codecs" from the framework standpoint.
What are your recommandations about that ? Should I implement algorithms In seperate files ? I feel like I should but I have put both algorithms here for now :)

[ikelos]

Yeah, I'd probably put them both in different files, but there needs to be a way to register them (either the main code seeks them out, or they add themselves to a shared singleton object when they're imported). I don't know if it'll be overkill, but it might be pretty cool to build them into the existing python codec framework?

https://docs.python.org/3/library/codecs.html

[forensicxlab]

Thanks, I'll get right on that.

[forensicxlab]

The fact that this translation layer is meant to be used with the hibernation.Dump plugin makes me feel bad about this part.
Indeed the FirstKernelRestorePage and KernelPagesProcessed offsets can only be determine via the user input for now.

Is making a translation layer partially dependant to a plugin is an acceptable concept in the volatility3 framework ?

This concept is working well with this implementation and seems to have no side effects from all the tests I've made but an external eye from your side will be delightful :D I propably missed something.

[ikelos]

If this is the only requirement for the layer, then make it a requirement (like the kernel_virtual_offset for Intel layers), then anything can instantiate it as long as they provide the right version number for the layer (it might be better if the layer could figure it out for itself, but if not then ask the instantiator to provide it).

[forensicxlab]

Did not find a way to figure the version out by itself in my research at time of writing, I'll look at what’s done in the Intel layer thanks for the tip!

[ikelos]

Probably add a PluginRequirement and that should do you. 5:)

[forensicxlab]

The Idea here is to check if the HibernationLayer is indeed stacked before trying to make the conversion to the raw file using the layerwriter plugin. Feel like it's ugly though, did not find another cleaner way right now. I'll be happy to have your insights :D

[ikelos]

I mean, that's ok and it does reuse the LayerWriter class rather than implementing itself. If this whole plugin doesn't do anything other than call layerwriter, why don't we just document that to write out a hibernation layer, you should use layerwriter? A specific plugin for a specific layer type doesn't make a lot of sense? We might be able to update layerwriter so you can easily ask it to write all layers of a particular type (so you could say write out all HibernationLayer layers or something)? Essentially, improve the UI of the existing plugin to avoid the need for the new plugin.

[forensicxlab]

That's a very interesting idea.

I’ll leave both plugins in this PR so that the tests by the reviewer(s) can all be done on this branch. If the conclusion goes indeed in this way, I will implement your idea as soon as I can in a dedicated PR (if not proposed by somebody else in time :-) )

[forensicxlab]

Thanks Félix, unfortunately the chap that knows the hibernation stuff best ( @awalters ) is a little busy at the moment, so we haven't made much progress with it, but we haven't forgotten about it either. Could you describe your worries about the implementations choices you're not sure about please and hopefully one of us will be able to check out your concerns?

Hi @ikelos,
I've added some comments about some of my worries and questions :D

Thank you for your quick responses every time.

Kind Regards.
Félix.

[KamilPacanek]

FYI, just used that one on my local vol3 installation during the weekend and must say worked flawlessly. I could convert with no issues the hiberfil.sys to the raw image file that can be analyzed later with vol3 plugins.
Thank you @forensicxlab, you're my savior 💚

EDIT:
As a bonus, it helped me tremendously at first stage of solving HTB CTF challenge: https://blog.cyberethical.me/htb-cyber-apocalypse-forensics-oblique-final, I really wish the PR got completed soon :) !

[ikelos]

Thanks for the feedback, much appreciated! This is still waiting on @awalters for review at the moment, but we'll get to it once things have calmed down for everyone... 5:)

[k1nd0ne]

Hello,
Implemented a version using python3 codecs. Still not happy with the performances though.

Since I have a bit of time, I am working on a native python extension module using pyo3 for the decompression algorithms.

The decompression speed is already a lot better with a pyo3 version of the xpress_lz77_plain_decompression algorithm tested.

Currently working on the xpress_lz77_huffman rust binding before updating this PR.

To be continued...

[ikelos]

Ok, good luck! We'd probably need the codecs to be a separate package that we depend on if they're available. Otherwise the native python ones are better from the perspective of being able to get them usable (perhaps even trying to load the rust ones and then falling back to native python)? I'm not keen on requiring rust to be able to use volatility...

Still looks really interesting and perhaps @awalters will want to check this out and see if it handles hibernation files, since I think he handled it in volatility 2...

[k1nd0ne]

Hello @ikelos,

Just finished the implementation of the algorithms + packaging:

• https://pypi.org/project/xpress-lz77/
• https://github.com/forensicxlab/xpress_lz77

Performances are now a lot better for the conversion of the hibernation file.

It will also be useful for the prefetch plugin. I will post a PR for it if you are happy with adding xpress_lz77 in the requirements.

Python 3.8 is required though, making some checks failed. Updated the pipeline, but I can still go back if we choose to check if the requirement is present for this translation layer (like in the cloudstorage/pcileech layers for example).

Freezing to this point for now :)

FYI: Rust will not be needed as a requirement to run volatility3

Thanks you!