Windows – Where does Windows store RAM data before hibernation?

Tags: hibernate, memory, windows, windows 7

As far as we know, RAM is volatile memory whose data is lost when the computer is turned off. So when we want to hibernate our system, Windows must store its data in a file on the HDD and then turn the computer off, and then the moment we press the power button it imports that data into RAM again (from the HDD).

Q1: Where does Windows store the RAM contents before hibernation? I mean, where is the special location? Is it a file or not? If it is a file, what is the path to its directory?

Q2: Can we modify that stored file to break some security rules of Windows? (For example, changing the memory location assigned to one program to the location assigned to another program, for example by using a Windows Live disk or another Windows that resides on that system?)

Best Answer

Source: Hibernation Exposes Vulnerabilities with Software Encryption

Where does Windows store the RAM contents before hibernation?

Hibernation allows you to power down a computer in a saved state. When hibernation is activated, your system takes a snapshot of your current session, saves it in a “hiberfil.sys” file on your hard drive and then powers down completely. When the computer is awakened, it reads the “hiberfil.sys” file and then starts up in the same state it was in prior to entering hibernation. The whole process takes a fraction of the time that it typically takes a computer to cold boot.

Can we modify that stored file to break some security rules of Windows?

Theoretically, yes.

If you have physical access to the machine, you could remove the drive, mount it in another computer, make changes, replace the drive, and restart the machine.

You cannot make changes without using a second computer or (as pointed out by Daniel B) using other boot managers/media on the original computer.

I don't know whether the hiberfil.sys file is checked for tampering before resuming from hibernation.

In addition, see below for a possible vulnerability regarding encryption keys.

Although convenient and reliable, a hibernating operating system can be exposed to some serious security flaws, especially if you are using software encryption applications like BitLocker or TrueCrypt to secure private data stored on your local hard drive.

As stated previously, prior to entering hibernation mode the computer’s saved state information is written to a “hiberfil.sys” file and stored on your hard drive’s root directory. This “hiberfil.sys” file is basically a snapshot of your system’s RAM. If your encryption software is running when your system is put into Hibernation your encrypted data could be at risk.

From the article “Windows Hibernation and hiberfil.sys” published on the Anti-Forensics website:

The Windows hiberfil.sys can also be an issue when using encryption software… …If a Windows system is placed into hibernation mode without unmounting encrypted containers or volumes then the encryption keys used to access these containers could be left in RAM in plain-text. RAM will then be saved to the hard drive in the hiberfil.sys. This means that you will be leaving the keys (passwords) to all of your private containers and volumes free for the finding.

So if your encrypted volume was left mounted when you put your computer into hibernation mode, the entire contents of your encrypted partition could be exposed if your hard drive is compromised and the attacker is able to extract the encryption keys from the “hiberfil.sys” file.
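The risk described in this answer comes down to three facts a defender can check on a machine: whether hibernation is enabled, whether a hiberfil.sys snapshot is sitting on disk, and whether the volume holding it is encrypted at rest. The following PowerShell audit is an added example, not code from the original post or from the quoted article. It assumes hiberfil.sys lives in the root of `$env:SystemDrive` (the "root directory" the answer refers to), that the `HibernateEnabled` value under the `Control\Power` registry key reflects the `powercfg` hibernation setting, and that the BitLocker module's `Get-BitLockerVolume` may or may not be installed; it must be run from an elevated prompt, and the `-DisableHibernation` switch is a hypothetical parameter name chosen for this script.

```powershell
<#
  Added example (not from the original post or the quoted article): a read-only
  audit of the hibernation-file risk discussed above, with an optional remediation
  switch. Assumptions: hiberfil.sys sits in the root of $env:SystemDrive, and
  the BitLocker PowerShell module may be absent. Run from an elevated prompt.
#>
[CmdletBinding()]
param(
    # When set, disable hibernation so no RAM snapshot is written and hiberfil.sys is removed.
    [switch]$DisableHibernation
)

$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$hiberPath = Join-Path $env:SystemDrive 'hiberfil.sys'

# 1. Is hibernation enabled? HibernateEnabled is the DWORD that powercfg toggles.
$hibernateEnabled = $false
$prop = Get-ItemProperty -Path $powerKey -Name HibernateEnabled -ErrorAction SilentlyContinue
if ($null -ne $prop) { $hibernateEnabled = [bool]$prop.HibernateEnabled }

# 2. Does a hibernation file exist on disk? It is hidden+system, so -Force is required to see it.
$hiberFile = Get-Item -LiteralPath $hiberPath -Force -ErrorAction SilentlyContinue

# 3. Is the volume that holds hiberfil.sys protected at rest? (BitLocker module may be missing.)
$osVolumeProtected = 'Unknown'
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol) { $osVolumeProtected = [string]$vol.ProtectionStatus }   # 'On' or 'Off'
}

$report = [pscustomobject]@{
    HibernateEnabled  = $hibernateEnabled
    HiberfilPath      = $hiberPath
    HiberfilPresent   = [bool]$hiberFile
    HiberfilSizeGB    = if ($hiberFile) { [math]::Round($hiberFile.Length / 1GB, 2) } else { 0 }
    OSVolumeBitLocker = $osVolumeProtected
}
$report | Format-List

# Same reasoning as the answer: a RAM snapshot on a volume that is not encrypted at rest
# can carry the keys of any container that was still mounted when the machine hibernated.
if ($report.HiberfilPresent -and $osVolumeProtected -ne 'On') {
    Write-Warning ("hiberfil.sys is present on a volume not protected by BitLocker: " +
                   "unmount encrypted containers before hibernating, or disable hibernation.")
}

if ($DisableHibernation) {
    # 'powercfg /hibernate off' clears HibernateEnabled and deletes hiberfil.sys.
    & powercfg.exe /hibernate off
    if ($LASTEXITCODE -eq 0) { Write-Host "Hibernation disabled; $hiberPath removed." }
    else { Write-Warning "powercfg returned exit code $LASTEXITCODE (is the prompt elevated?)" }
}
```

Run it without arguments to get the report only; add `-DisableHibernation` on machines where hibernation is not needed. Where hibernation must stay on, the mitigation the quoted article implies still applies: dismount encrypted containers and volumes before hibernating, so their keys are no longer in RAM when the snapshot is taken.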