February 6, 2018
Why did we design the Windows hibernation infographic?
You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve over time. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.
Were we surprised by anything we learned while working on the infographic?
Well, yes. We had thought there must be some situations in which active hibernation files could be found encrypted, particularly based on some of the sample hibernation files our customers sent us which appeared to be encrypted. After enormous amounts of testing, we realized that these “encrypted” hibernation files were quite misleading. What we were actually seeing was the result of BitLocker “decrypting” zeroes from in-file TRIMming on SSDs: once TRIM has discarded the underlying sectors, the SSD returns zeroes for them, and reading those zeroes through BitLocker’s decryption layer turns them into high-entropy, random-looking bytes that are easy to mistake for encrypted content.
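To make the TRIM effect concrete, here is an added example (our own illustration for this post, not Hibernation Recon code and not a real hibernation file). It assumes two views of the same 4 KiB blocks are available, the raw physical image and the unlocked volume, and it replaces BitLocker’s AES with a seeded per-block keystream; that stand-in keeps the one property that matters, namely that decrypting an all-zero block produces bytes indistinguishable from random. The triage function shows why entropy on the decrypted side alone is not enough: a TRIMmed block and a block of genuinely encrypted content both score near 8 bits per byte, and only the raw view (zeroes on disk) separates them.

```python
"""
Added example (not from the original post or Arsenal Recon's code):
why TRIMmed ranges of a BitLocker-protected SSD look "encrypted" once
they are read through the decryption layer, and a triage check that
tells that artifact apart from genuinely high-entropy content.

Assumptions, all mine rather than the post's:
  * Two views of the same block range are available: the raw physical
    image (ciphertext as stored on the SSD) and the decrypted volume
    (what a forensic tool sees after the volume has been unlocked).
  * BitLocker's AES is replaced by a per-block keystream from a seeded
    PRNG. The property that matters survives the simplification: a
    block cipher asked to decrypt an all-zero block returns bytes that
    are indistinguishable from random, so XORing zeroes with the
    keystream models that outcome.
"""
import math
import random
from collections import Counter

BLOCK = 4096                # work in 4 KiB units, the size of a memory page
ENTROPY_HIGH = 7.0          # bits/byte; random 4 KiB scores ~7.95, text ~4-5

# Labels returned by classify_block()
PLAINTEXT = "plaintext"
ZERO = "zero"
TRIM_ARTIFACT = "trim-artifact"      # zeroes on disk, noise after decryption
HIGH_ENTROPY = "high-entropy"        # real encrypted or compressed content


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _keystream(block_no: int, key: int = 0xB17C0CC3) -> bytes:
    """Hypothetical stand-in for the cipher: deterministic per (key, block)."""
    rng = random.Random((key << 32) | block_no)
    return bytes(rng.getrandbits(8) for _ in range(BLOCK))


def encrypt_block(plaintext: bytes, block_no: int) -> bytes:
    """Simulated write through the BitLocker layer."""
    assert len(plaintext) == BLOCK
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(block_no)))


def decrypt_block(ciphertext: bytes, block_no: int) -> bytes:
    """Simulated read through the BitLocker layer (same XOR, so an
    all-zero block on disk comes back as the raw keystream: noise)."""
    return encrypt_block(ciphertext, block_no)


def classify_block(raw: bytes, decrypted: bytes) -> str:
    """Triage one block using both views.

    The decrypted view alone cannot separate a TRIMmed block from a block
    of genuinely encrypted content: both score near 8 bits/byte. The raw
    (pre-decryption) view breaks the tie, because TRIM leaves zeroes on
    disk while real ciphertext never does.
    """
    if not any(raw):
        return TRIM_ARTIFACT if shannon_entropy(decrypted) > ENTROPY_HIGH else ZERO
    if shannon_entropy(decrypted) > ENTROPY_HIGH:
        return HIGH_ENTROPY
    return PLAINTEXT


def build_demo_volume():
    """Constructed sample data (not a real hibernation file):
    three blocks written through the simulated BitLocker layer, then
    block 1 discarded by TRIM so the SSD returns zeroes for it."""
    text = b"hiberfil page with readable strings: securedownload\r\n"
    text_block = (text * (BLOCK // len(text) + 1))[:BLOCK]
    # A blob that is already high-entropy before encryption, e.g. a
    # compressed or independently encrypted file cached in memory.
    blob_rng = random.Random(1234)
    blob_block = bytes(blob_rng.getrandbits(8) for _ in range(BLOCK))
    plaintext_blocks = [text_block, text_block, blob_block]

    raw = [encrypt_block(p, i) for i, p in enumerate(plaintext_blocks)]
    raw[1] = bytes(BLOCK)                       # TRIM zeroes the stored sectors
    decrypted = [decrypt_block(c, i) for i, c in enumerate(raw)]
    return raw, decrypted


def triage(raw_blocks, decrypted_blocks):
    """Label every block of the range using both views."""
    return [classify_block(r, d) for r, d in zip(raw_blocks, decrypted_blocks)]


if __name__ == "__main__":
    raw, dec = build_demo_volume()
    for i, (r, d, label) in enumerate(zip(raw, dec, triage(raw, dec))):
        print(f"block {i}: raw H={shannon_entropy(r):.2f}  "
              f"decrypted H={shannon_entropy(d):.2f}  -> {label}")
```

Run stand-alone, the script labels block 0 as plaintext, block 1 (zeroes on the SSD, noise after decryption) as the TRIM artifact, and block 2 as genuine high-entropy content. The practical lesson is the one in the paragraph above: before concluding that a region of an active hibernation file is encrypted, check the same offsets in the raw, still-encrypted image; if they are zero, you are looking at TRIM, not at encryption.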
Why did we build Hibernation Recon?
The environment in which we built Hibernation Recon in 2016 included digital forensics tools that either had absolutely no support, extremely limited support, or seriously broken support for processing Windows hibernation files. While working on multiple cases related to both domestic and international terrorism, in which maximum exploitation of electronic evidence was crucial, we could not accept the status quo. You don’t have to take our word for it; we can show you. While working on the Turkish Odatv case, we noticed nine hits (which appeared compressed) on “securedownload” within a hibernation file:
When we processed this hibernation file in multiple digital forensics tools, we searched their output for “securedownload” and found no hits:
When we processed this hibernation file with Hibernation Recon, we found 19 hits on “securedownload” in the output:
This was only the beginning. Beyond tools which had no or extremely limited support, we found significant bugs in popular tools which advertised support, from decompression and active memory reconstruction to an “off the table” bug that we found particularly concerning and addressed with the vendor in question. While some tools have improved their support for modern Windows (8/8.1/10) hibernation files, Hibernation Recon continues to be the only tool that offers, for example, proper exploitation of the various levels (and types) of hibernation slack.
If you like how we are pushing the limits of what is possible in digital forensics with Hibernation Recon and our other tools, please support us. Testimonials and case examples from our users, letting colleagues know about our unique features, and having your organizations purchase our tools are greatly appreciated. Arm Yourself!
You can also support our work to make maximum exploitation of electronic evidence more accessible by learning more about the powerful and unique functionality our tools provide at https://ArsenalRecon.com/#products. Thank you!