Hibernation Files of Windows 8 and 10 Analysis

Sylve JT, Marziale V, Richard III GG published the article “Modern Windows Hibernation File Analysis”. It is good work and we recommend to read the article. They provide info about new format of HIBERFIL.SYS  that is used in Windows 8, 8.1, and 10.

Get more info.

Starting with Windows 2000, Microsoft introduced the hibernation feature that allows the operating system to store the current state of operation when you turn off the computer, or the system goes into sleep mode. When hibernation everything from memory is copied to the disk in a file called hiberfil.sys, when the computer is restored, the system moves to the saved state.

Hibernation files are a good source of information for digital forensic practitioners, as they store data in RAM file without having to run special tools.

Programs like Rekall Volatility and make it easy to analyze the hibernation file in the same way as a memory dump. The first file is a sleeping Windows XP Mode format was documented Nicolas Ruff and Matthieu Suiche the presentation in 2007. However, in 2012, with the release of Windows 8 hibernation file format has been changed, and all of the existing methods of analysis have lost relevance.

At the end of September 2016 Mathieu Suiche announces Hibr2Bin, which supports Windows 8, 8.1, and 10. Hibr2Bin – a tool to convert Windows hibernation file, in raw image memory, after which they can be analyzed using a memory analysis tool.

Joe T. Sylve, Vico Marziale, Golden G. Richard, III conducted an analysis and found that Hibr2Bin can not properly process the files from hibernation latest version of Windows. With the help of the popular tools of forensic medical examination, the development version of BlackLight 2016 R3, the researchers created a memory image and compared them with images obtained in Hibr2Bin. Most of the images created using Hibr2Bin were identical to those created by using them. However, images from the latest versions of Windows, Windows 10, v1607, made a completely different images.

Thus the results of the analysis carried out by the researchers are a number of important implications for the experts to analyze the machines running Windows 8, 8.1 and 10. In connection with the changes in the hibernation file, which stores information between sleep mode and the first turning on the power, while in previous versions of Windows data will be present until the next event hibernation. In this regard, the following consequences:

• Hibernation file is no longer a reliable source of information on the state of the machine. In older versions of Windows, hibernation files can contain data from several months or even years.
• Collect the hibernation file on the machine is running at the moment is largely useless as the power to the machine resets the main part of the hibernation file.
• Command disables / is normally used for Off remote systems on the networks system that run down so will contain no sleep mode data. Similarly, turning off The system by turning off the power or “pulling the plug” will not leave any data hibernation.
• It seems that the most common way to power down systems are using a graphical interface. System shutdown in a manner or by switching off / S / hybrid. The team will have only partial data hibernation. While the images may still contain valuable forensic data, lack of User Land memory limit analysis. Only a subset of core structures, which still do not live in the liberated pages.
• When turning off the system power, forcing hibernation via team off / preserves the greatest volume hibernation data.

See too Uncompress hiberfil.sys with Hibr2bin.