February 6, 2018
Why did we design the Windows hibernation infographic?
You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.
Were we surprised by anything we learned while working on the infographic?
Well, yes. We had thought there must be some situations in which active hibernation files could be found encrypted, particularly based on some of the sample hibernation files our customers sent us which appeared to be encrypted. After enormous amounts of testing, we realized that these “encrypted” hibernation files were quite misleading – what we were actually seeing was the result of BitLocker “decrypting” zeroes from in-file TRIMming on SSDs.
Why did we build Hibernation Recon?
The environment in which we built Hibernation Recon in 2016 included digital forensics tools that either had absolutely no support, extremely limited support, or seriously broken support for processing Windows hibernation files. While working on multiple cases related to both domestic and international terrorism, in which maximum exploitation of electronic evidence was crucial, we could not accept the status quo. You don’t have to take our word for it; we can show you. While working on the Turkish Odatv case, we noticed nine hits (which appeared compressed) on “securedownload” within a hibernation file:
When we processed this hibernation file in multiple digital forensics tools, we searched their output for “securedownload” and found no hits:
When we processed this hibernation file with Hibernation Recon, we found 19 hits on “securedownload” in the output:
This was only the beginning. Beyond tools which had no or extremely limited support, we found significant bugs in popular tools which advertised support, from decompression and active memory reconstruction to an “off the table” bug that we found particularly concerning and addressed with the vendor in question. While some tools have improved their support for modern Windows (8/8.1/10) hibernation files, Hibernation Recon continues to be the only tool that offers, for example, proper exploitation of the various levels (and types) of hibernation slack.
If you like how we are pushing the limits of what is possible in digital forensics with Hibernation Recon and our other tools, please support us. Testimonials and case examples from our users, letting colleagues know about our unique features, and having your organizations purchase our tools are greatly appreciated. Arm Yourself!
Please support us, as we work to make maximum exploitation of electronic evidence more accessible, by learning more about the powerful and unique functionality our tools provide. You can learn more about our tools at https://ArsenalRecon.com/#products. Thank you!