Hibernation Recon

HIBERNATION Recon

Look Back in Time

Advanced Microsoft Windows® Hibernation Forensics

The exploitation of Windows hibernation files to “look back in time” and uncover compelling evidence is crucial to digital forensics practitioners. Hibernation Recon not only supports active memory reconstruction from Windows XP, Vista, 7, 8/8.1, 10, and 11 hibernation files, but also extracts massive volumes of information from the multiple types (and levels) of slack space that may exist within them. Additional features of Hibernation Recon include the automatic recovery of valuable NTFS metadata and parallel processing of multiple hibernation files. Digital forensics practitioners cannot afford to analyze electronic evidence without extracting maximum value from Windows hibernation files.

Hibernation Recon at a Glance

The tools and techniques used for years to analyze Windows hibernation files have left digital forensics experts in the dark… until now!

Hibernation files from three different Windows versions processed simultaneously

Valuable hibernation slack from three different Windows installations in a high-stakes case

Hibernation Recon Features

Hibernation Recon includes both free (Free Mode) and paid (Professional Mode) features.

Features

  • Windows XP, Vista, 7, 8/8.1, 10, and 11 hibernation file support (Free Mode)

  • Active memory reconstruction (Free Mode)

  • Extraction of multiple types (and levels) of slack space (Professional Mode)

  • Brute force decompression of partially overwritten slack (Professional Mode)

  • Proper handling of legacy within modern hibernation data (Professional Mode)

 

  • Segregation of extracted slack based on particular hibernations (Professional Mode)

  • Ability to distinguish legacy hibernation data from previous Windows installations (Professional Mode)

  • Automatic recovery of valuable NTFS metadata (Professional Mode)

  • Parallel processing of multiple hibernation files (Professional Mode)

Latest Features
Hibernation Recon FAQs

Our testimonials are compelling!

Able To Continue My Analysis

"Hibernation Recon helped me determine that a Windows hibernation file (hiberfil.sys), exported from a BitLocker-protected disk image by a very popular digital forensics tool, was corrupt. While troubleshooting the situation, I used Arsenal Image Mounter (rather than the tool I used previously) to mount the same disk image and then exported the hibernation file… which was now perfectly intact! I ran Hibernation Recon, this time against the intact hibernation file exported by AIM, and was able to continue my analysis."

Martin Siefert
Proactive Discovery

From Hibernation File to Memory Forensics

"Due to an insufficient RAM capture from a Windows 10 machine, we had to look at using a popular memory forensics suite to analyse the hibernation file (hiberfil.sys). Due to issues encountered when trying to do this analysis, I contacted one of the memory forensics suite’s developers… who confirmed the suite is only capable of dealing with hibernation files from XP through Windows 7. He subsequently went on to suggest using a tool called Hibernation Recon, which claims to support decompression for later Windows versions. We used Hibernation Recon’s “Free Mode” and were able to obtain a viable memory dump capable of analysing within other tools, including the suite in question."

D/Sgt Martin McDonagh
Metropolitan Police Cybercrime Unit

More Testimonials

Unleash Hibernation Recon

Buy an Arsenal license and choose a subscription length (see the increasing discounts!) that works best for you. Want to try Hibernation Recon first? Download it now and use its free functionality or email sales to evaluate Professional Mode.

1 Year Plan
$756
~ $63/mo | Save 3%

    • Email Support

    • Purchase Annually

    • Locked-in Discount

Buy Now

3 Year Plan

$2,129

~ $59/mo | Save 9%

5 Year Plan

$3,315

~ $55/mo | Save 15%

View Pricing & Plan Details
Prices shown in USD and without tax.