/ Insights

Windows Hibernation Infographic

February 6th, 2018
Mark Spencer

Why did we design the Windows hibernation infographic?

You can imagine how many emails we get about Windows hibernation files since we released Hibernation Recon. We noticed some misconceptions being repeated in these emails, so we decided to address them in an infographic that the digital forensics community could use as a resource and help us improve. We consider the infographic we are launching today to be the first version, as we already have more than enough interesting information to include on the reverse side of our second version.

Were we surprised by anything we learned while working on the infographic?

Well, yes. We had thought there must be some situations in which active hibernation files could be found encrypted, particularly based on some of the sample hibernation files our customers sent us which appeared to be encrypted. After enormous amounts of testing, we realized that these “encrypted” hibernation files were quite misleading – what we were actually seeing was the result of BitLocker “decrypting” zeroes from in-file TRIMming on SSDs.

Why did we build Hibernation Recon?

The environment in which we built Hibernation Recon in 2016 included digital forensics tools that either had absolutely no support, extremely limited support, or seriously broken support for processing Windows hibernation files. While working on multiple cases related to both domestic and international terrorism, in which maximum exploitation of electronic evidence was crucial, we could not accept the status quo. You don’t have to take our word for it, we can show you… while working on the Turkish Odatv case, we noticed nine hits (which appeared compressed) on “securedownload” within a hibernation file:

When we processed this hibernation file in multiple digital forensics tools, we searched their output for “securedownload” and found no hits:

When we processed this hibernation file with Hibernation Recon, we found 19 hits on “securedownload” in the output:

This was only the beginning. Beyond tools which had no or extremely limited support, we found significant bugs in popular tools which advertised support, from decompression and active memory reconstruction to an “off the table” bug that we found particularly concerning and addressed with the vendor in question. While some tools have improved their support for modern Windows (8/8.1/10) hibernation files, Hibernation Recon continues to be on the only tool that offers, for example, proper exploitation of the various levels (and types) of hibernation slack.

If you like how we are pushing the limits of what is possible in digital forensics with Hibernation Recon and our other tools, please support us. Testimonials and case examples from our users, letting colleagues know about our unique features, and having your organizations purchase our tools are greatly appreciated. Arm Yourself!

Published in: Hibernation Recon

Join the List

Arm yourself with updates about Arsenal tools, training, and research. Our mailing list is double opt-in so you will need to check your email and confirm your subscription before receiving our mailings.