http://dx.doi.org/10.13089/JKIISC.2017.27.5.1013

Study on Memory Data Encryption of Windows Hibernation File  

Lee, Kyoungho (Chonnam National University Interdisciplinary Program of Information Security)
Lee, Wooho (Chonnam National University Interdisciplinary Program of Information Security)
Noh, Bongnam (Chonnam National University Interdisciplinary Program of Information Security)
Abstract
Windows hibernation is a function that stores the contents of physical memory on non-volatile media and restores them to physical memory when the system is powered on. Because the hibernation file holds memory data in a static state, an attacker who collects it may obtain key information from the system's physical memory. Windows does not support protection dedicated to hibernation files, so the memory that is written to the hibernation file needs to be protected. In this paper, we propose a method that encrypts the physical memory data in the hibernation file to protect the memory data of the processes recorded in it. We analyze the hibernation procedure in order to encrypt memory data at hibernation time, and implement the encryption of hibernation memory so that it operates transparently for each process. Experimental results show that the hibernation process memory encryption tool incurs about 2.7 times overhead due to the cost of cryptographic operations. This overhead is necessary to prevent the plaintext memory data of the process from being exposed to an attacker.
Keywords
Physical Memory; Memory Encryption; Hibernation File;