Windows hiberfi.sys forensics (xpress compression)

(@mrthaggar)
Posts: 11
Active Member
Topic starter
 

Hello all

I'm currently working on my university final year project which is file carving artefacts from Windows hibernation files (hiberfil.sys).

I'll try to keep this post brief but I'm more than happy to discuss it at length.

In order to keep the file size of the hiberfil.sys files down to a minimum, they use a modified version of the LZ77 compression algorithm to compress blocks of data (approx 64KB in size).

I've written my file carver and decode/decompression program but I'm having problems with decompressing the data inside the compressed 'xpress' blocks.

I've based my algorithm on the 'Sandman' project that was released a few years ago but I'm trying to implement the decompression myself, rather than relying on existing tools.

If anyone has any information or experience in dealing with either hiberfil.sys internals or the Microsoft 'xpress' compression I'd appreciate any advice you can provide.

My main problem comes from reading in the first 32-bit bitmask (if you know what I'm talking about I'd love to hear your thoughts).

Thanks very much

Tony

 
Posted : 21/01/2011 5:33 pm
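An added example (not the poster's code and not the Sandman project's) of walking the 32-bit flag bitmask and match tokens of one Xpress plain-LZ77 block as Microsoft documents it in the MS-XCA specification; it assumes hibernation xpress blocks use that same non-Huffman variant, and the two test vectors are constructed by hand rather than taken from a hiberfil.sys.

```python
import struct
# Constructed test vectors, not taken from a real hiberfil.sys: "ABC" followed by a
# 9-byte match at distance 3, and "A" followed by a 20-byte match that needs the
# shared-nibble length extension. Unused flag bits are set to 1 (end-of-block).
SAMPLE_SHORT = bytes.fromhex("ffffff1f 414243 1600")
SAMPLE_NIBBLE = bytes.fromhex("ffffff7f 41 0700 0a")


def xpress_lz77_decompress(data: bytes, max_out: int = 64 * 1024) -> bytes:
    """Decode one Xpress plain-LZ77 block (MS-XCA section 2.3, no Huffman stage).
    Flag words are 32-bit little-endian, consumed MSB first: 0 = literal byte,
    1 = 16-bit token holding (length - 3) in its low 3 bits and (offset - 1)
    above. A length field of 7 is extended by a nibble shared between two
    matches, then a byte, then a 16-bit word. A match flag with no input left
    ends the block; truncated (carved) input surfaces as IndexError/struct.error.
    """
    out = bytearray()
    pos, flags, nflags = 0, 0, 0
    nibble_pos = 0  # offset of a half-consumed length byte; 0 = none pending
    while True:
        if nflags == 0:  # fetch the next 32-bit bitmask
            flags = struct.unpack_from("<I", data, pos)[0]
            pos, nflags = pos + 4, 32
        nflags -= 1
        if not (flags >> nflags) & 1:  # literal byte
            out.append(data[pos])
            pos += 1
            continue
        if pos == len(data):  # match flag with no input left: end of block
            return bytes(out)
        token, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
        length, offset = token & 7, (token >> 3) + 1
        if length == 7:  # extended length
            if nibble_pos == 0:
                nibble_pos, length, pos = pos, data[pos] & 0x0F, pos + 1
            else:
                length, nibble_pos = data[nibble_pos] >> 4, 0
            if length == 15:
                length, pos = data[pos], pos + 1
                if length == 255:
                    length, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
                    if length < 15 + 7:
                        raise ValueError("invalid long match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out) or len(out) + length > max_out:
            raise ValueError("bad match at input offset %d" % (pos - 2))
        for _ in range(length):  # byte-wise so overlapping copies work
            out.append(out[-offset])
```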
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Something that may give you useful hints (or completely fail to)
http://reboot.pro/5308/
this might be the most interesting reference
http://reboot.pro/5308/page__st__16
i.e. it translates "XPRESS" to "win2k3"
and gives a reference to the actual MS documentation.

Additionally, since 7-zip can manage "XPRESS" compressed data, its source should be a "right" place to look into.

jaclaz

 
Posted : 21/01/2011 6:47 pm
(@mrthaggar)
Posts: 11
Active Member
Topic starter
 

Thanks jaclaz

I've already been through those documents and it's some interesting reading.

I need to answer a very particular question about the xpress structure.

I'll take a look into 7-zip again.

Thanks

 
Posted : 21/01/2011 7:39 pm
 96hz
(@96hz)
Posts: 143
Estimable Member
 

http://sandman.msuiche.net/docs/SandMan_Project.pdf

 
Posted : 22/01/2011 12:36 am