Protect endpoint devices from swap and hibernation file data leaks

Many organizations are becoming very conscientious when it comes to protecting sensitive data.  The release of personally identifiable information (PII), electronic protected health information (ePHI), intellectual property, and authentication information (e.g., passwords) can be very damaging. However, there are two areas on Windows and Linux workstations that can inadvertently bypass many security controls — swap and hibernation files.

Swap areas on local disk are used by the operating system to expand the amount of memory available. This is done by swapping information from RAM to disk as processing requirements dictate. This means that anything held in memory may be written to the swap space. PII, ePHI, passwords, and encryption keys can sometimes find their way into an unencrypted swap file. This is good news for forensics investigators but bad news for companies under attack. 

Access to a swap file can provide information not readily available through normal system access.  Even information that isn't stored in local storage can find its way to the swap file prior to being written to a secure network location. A variety of common disk utilities can be used to access this information.

Hibernation files are used by operating systems such as Microsoft Windows to write the contents of memory to disk when a workstation, particularly a laptop, goes into sleep or hibernation mode.  Like swap files, hibernation files can contain a significant amount of sensitive information.

Controlling swap and hibernation file contents is critical to protecting sensitive information. Here are some things to consider to prevent swap and hibernation data leakage:

  • Don't use swap files: If you have a system that processes sensitive information, consider installing enough RAM to make swapping information to disk unnecessary. This can be turned off in Windows XP by following this process. Steps for disabling swap in Linux are found here.
  • Turn off hibernation: I haven't found hibernation to be very useful — at least not useful enough to make up for the risk of compromising sensitive data. Steps for disabling hibernation and deleting the hibernation file for Windows XP are found here.
  • Clear swap files after use: Swapped data in a Windows XP environment is stored in Pagefile.sys. This file can be cleared each time the system is powered down by setting the following registry value to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

You can find instructions on how to do this in Microsoft Knowledge Base article 314834. It's important to note that the shutdown period increases when this is set. The increase depends on the size of the paging file.

Swap areas in a Linux environment are actual partitions. The following commands will wipe a swap partition.

This writes random data to the swap partition. Be sure hda1 is the swap partition before you run this. Otherwise, you might be dusting off the last backup to restore production data.
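As an added example that is not part of the original article, the Linux wipe described above as a small shell script that refuses to run unless the device is listed as an active swap partition in /proc/swaps and carries a swap signature; the device name /dev/hda1 follows the article, and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: wipe a Linux swap partition
# with random data, refusing to run unless the device is really swap.
# The device /dev/hda1 follows the article; helper names are assumptions.

# Succeeds only if DEV appears as an active swap *partition* in the
# /proc/swaps text given as $2 (passed in so the check can be tested offline).
is_active_swap() {
    dev="$1"
    swaps_text="$2"
    printf '%s\n' "$swaps_text" | awk -v d="$dev" \
        'NR > 1 && $1 == d && $2 == "partition" { found = 1 }
         END { exit !found }'
}

# Succeeds only if blkid reports a swap signature on the device.
has_swap_signature() {
    [ "$(blkid -o value -s TYPE "$1" 2>/dev/null)" = "swap" ]
}

# Disable, overwrite and re-enable the swap partition. Both checks must pass;
# a typo in the device name would otherwise overwrite a data partition.
wipe_swap() {
    dev="$1"
    if ! is_active_swap "$dev" "$(cat /proc/swaps)"; then
        echo "$dev is not an active swap partition; refusing" >&2
        return 1
    fi
    if ! has_swap_signature "$dev"; then
        echo "$dev carries no swap signature; refusing" >&2
        return 1
    fi
    swapoff "$dev" || return 1
    # One pass of random data over the whole partition (GNU coreutils shred).
    shred -n 1 "$dev" || return 1
    # Rebuild the swap header and turn swap back on.
    mkswap "$dev" && swapon "$dev"
}

# Usage (as root): wipe_swap /dev/hda1
```

The script only handles swap partitions; a swap file (type "file" in /proc/swaps) is deliberately rejected, since it lives inside a filesystem and needs different handling.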

  • Proactively manage the swap file:  Utilities such as BCWipe provide functionality that protects data stored in swap files — including encryption.

Regardless of how you decide to handle these vulnerable storage areas, be sure to include them in your endpoint security risk assessments.

About Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
