February 6, 2018
Why did we design the Windows hibernation infographic?
You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.
Were we surprised by anything we learned while working on the infographic?
Well, yes. We had thought there must be some situations in which active hibernation files could be found encrypted, particularly based on some of the sample hibernation files our customers sent us which appeared to be encrypted. After enormous amounts of testing, we realized that these “encrypted” hibernation files were quite misleading – what we were actually seeing was the result of BitLocker “decrypting” zeroes from in-file TRIMming on SSDs.
Why did we build Hibernation Recon?
The environment in which we built Hibernation Recon in 2016 included digital forensics tools that either had absolutely no support, extremely limited support, or seriously broken support for processing Windows hibernation files. While working on multiple cases related to both domestic and international terrorism, in which maximum exploitation of electronic evidence was crucial, we could not accept the status quo. You don’t have to take our word for it, we can show you… while working on the Turkish Odatv case, we noticed nine hits (which appeared compressed) on “securedownload” within a hibernation file:
When we processed this hibernation file in multiple digital forensics tools, we searched their output for “securedownload” and found no hits:
When we processed this hibernation file with Hibernation Recon, we found 19 hits on “securedownload” in the output:
This was only the beginning. Beyond tools which had no or extremely limited support, we found significant bugs in popular tools which advertised support, from decompression and active memory reconstruction to an “off the table” bug that we found particularly concerning and addressed with the vendor in question. While some tools have improved their support for modern Windows (8/8.1/10) hibernation files, Hibernation Recon continues to be on the only tool that offers, for example, proper exploitation of the various levels (and types) of hibernation slack.
If you like how we are pushing the limits of what is possible in digital forensics with Hibernation Recon and our other tools, please support us. Testimonials and case examples from our users, letting colleagues know about our unique features, and having your organizations purchase our tools are greatly appreciated. Arm Yourself!
Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!
You may find (like Allan did) that immediately after launching disk images from Windows servers and workstations on the same network into virtual machines, they start talking to each other normally… or, much less often in our experience, you may find that they do not.
At Arsenal we know that questions can not only be dumb (we are reformed offenders), but given our experience in litigation, misleading and even weaponized to harm… without answers ever being involved. Lawyers know this, and if you are a digital forensics practitioner, you should too.
We have been working aggressively for the last month on an extension to our Windows authentication bypass that some of our colleagues in digital forensics will find quite shocking. While we continue this work, we have decided to launch another version of AIM with some new features requested by our customers.
Join our mailing list to arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.
or (617) 277-3625
Terms & Conditions