Hibernation Recon requires Microsoft Windows 8 or later.
Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec” from an administrative command prompt):
Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS (LZ77-based) compression to hibernation data. Modern hibernation format, used by Windows 8/8.1, 10, and 11, applies XPRESS compression with Huffman encoding (XPRESS Huffman) to hibernation data.
Active memory decompressed & reconstructed
All levels of slack (Legacy format) decompressed & placed in one output file
All levels of slack (Modern format) decompressed & placed in one output file
Slack (Legacy format) decompressed & placed in multiple output files by slack level. The “Y” in the output file name distinguishes previous Windows installations when possible.
Slack (Modern format) decompressed & placed in multiple output files by slack level
Raw slack (Legacy format) from all slack levels placed in one output file
Raw slack (Modern format) from all slack levels placed in one output file
Raw slack placed in multiple output files by chunk
Non-zero data after all valid levels of slack
All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file
Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records
Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records
Hibernation Recon log file
You can load decompressed and reconstructed memory (ActiveMemory.bin) into memory forensics toolkits, and run other tools (bulk_extractor, PhotoRec, etc.) against both the active and slack output from Hibernation Recon to extract many kinds of artifacts.
You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
If you want your air-gapped workstation properly licensed for Hibernation Recon, please:
Open Hibernation Recon and enter the license code you were given
Upon realizing that no Internet connection is available, Hibernation Recon will save a “.LIC” file to your ProgramData\ArsenalRecon folder
On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.
Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder
Your air-gapped workstation is now ready to run Hibernation Recon!
Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management) is enabled, and after Windows 8/8.1, 10, or 11 resumes from hibernation on an SSD. Disabling hibernation with “powercfg /h off” removes the file altogether, so a missing hiberfil.sys is itself a finding.
Windows 8/8.1, Windows 10, and Windows 11 normally have “Fast Boot” (Windows 8) or “Fast Startup” functionality (hereafter “Fast Startup”) enabled by default; whether it was enabled on the evidence system is recorded in the HiberbootEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power in the SYSTEM hive. A shutdown on a Fast Startup enabled system writes kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in the background, and other user mode processes that do not belong to any specific user session to the hibernation file. All user sessions are logged off before this write occurs, but considerably more than kernel memory is captured. A “normal” or “complete” hibernation while a user is logged into Windows results in much more data being written to the hibernation file.
Your hibernation file may have been zeroed out, may contain an unknown memory structure, or may never have been used for an actual hibernation. Compressing the hibernation file gives a quick sense of whether it has been zeroed out (a zeroed file compresses to almost nothing, while real hibernation data is already compressed and will not shrink); reviewing its raw content, starting with the header at offset 0, also helps. If you are still unsure why the hibernation file has not been processed in Hibernation Recon, you can provide us with the first 1 MB and we will help you determine its state.
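The triage described above, as an added example (not Hibernation Recon's code): it reads the first 1 MB of a hiberfil.sys, checks the 4-byte header signature, measures the zero-byte fraction, and uses zlib compressibility as the "compress it" heuristic. The signature meanings (lowercase “hibr” for the legacy format, uppercase “HIBR” for the modern format, “wake” once a legacy file has been resumed from) are my annotation rather than the page's, the 0.99/0.2 thresholds are assumptions, and the samples at the bottom are constructed, not real hibernation files.

```python
import hashlib
import zlib

SAMPLE_SIZE = 1024 * 1024  # first 1 MB, the slice Arsenal asks for when a file will not process

# 4-byte header signatures at offset 0 (annotation from general hiberfil knowledge, not from the page).
SIGNATURES = {
    b"hibr": "legacy format, hibernation image present",
    b"HIBR": "modern format, hibernation image present",
    b"wake": "legacy format, already resumed from",
}


def triage(head: bytes) -> dict:
    """Classify the start of a hiberfil.sys from its header, zero density and compressibility."""
    head = head[:SAMPLE_SIZE]
    if not head:
        return {"verdict": "empty file", "signature": b"", "zero_fraction": 1.0, "compress_ratio": 0.0}
    zero_fraction = head.count(0) / len(head)
    # Hibernation data is already XPRESS-compressed, so zlib barely shrinks it (~1.0);
    # a zeroed or padded file collapses to nearly nothing.
    compress_ratio = len(zlib.compress(head, 6)) / len(head)
    sig = head[:4]
    if zero_fraction > 0.99:                       # assumed threshold
        verdict = "zeroed (ClearPageFileAtShutdown, SSD resume, or never used)"
    elif sig in SIGNATURES:
        verdict = "hibernation header: " + SIGNATURES[sig]
    elif compress_ratio < 0.2:                     # assumed threshold
        verdict = "unknown header, low-entropy content (probably not a hibernation image)"
    else:
        verdict = "unknown header, high-entropy content (possibly an unsupported memory layout)"
    return {"verdict": verdict, "signature": sig,
            "zero_fraction": round(zero_fraction, 4), "compress_ratio": round(compress_ratio, 4)}


def triage_path(path: str) -> dict:
    """Triage an on-disk hiberfil.sys without reading more than the first 1 MB."""
    with open(path, "rb") as f:
        return triage(f.read(SAMPLE_SIZE))


def pseudo_random(n: int, seed: bytes = b"hibrec") -> bytes:
    """Deterministic high-entropy filler standing in for compressed memory (constructed test data)."""
    chunks = (hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range((n + 31) // 32))
    return b"".join(chunks)[:n]


# Constructed samples, not real hibernation files.
SAMPLE_ZEROED = bytes(SAMPLE_SIZE)
SAMPLE_MODERN = b"HIBR" + pseudo_random(SAMPLE_SIZE - 4)
SAMPLE_LEGACY_RESUMED = b"wake" + pseudo_random(SAMPLE_SIZE - 4)
SAMPLE_UNKNOWN_RANDOM = b"XXXX" + pseudo_random(SAMPLE_SIZE - 4)
SAMPLE_UNKNOWN_PATTERN = b"ABCD" * (SAMPLE_SIZE // 4)

if __name__ == "__main__":
    for label, sample in [("zeroed", SAMPLE_ZEROED), ("modern", SAMPLE_MODERN),
                          ("legacy resumed", SAMPLE_LEGACY_RESUMED),
                          ("unknown random", SAMPLE_UNKNOWN_RANDOM),
                          ("unknown pattern", SAMPLE_UNKNOWN_PATTERN)]:
        print(label, triage(sample))
```

Run it against a real file with triage_path(r"E:\evidence\hiberfil.sys") (path assumed). A “zeroed” verdict with a valid “HIBR” header is still worth noting: the header page can survive while the data pages were wiped.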
As of Windows 10 build 17134 (possibly as early as build 17063), Microsoft added a dedicated “Registry” process that is responsible for all hives other than SYSTEM and HARDWARE. The Registry process is not captured in a Fast Startup hibernation, so you will no longer find those other hives there.
Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data, normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contain Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well. Regarding timestamps in the Hibernation Recon output, CTime=File Create Time, ATime=File Modified Time, MTime=MFT Entry Modified Time, and RTime=File Last Access Time. This follows the order of the four timestamps in the NTFS $FILE_NAME and $STANDARD_INFORMATION attributes (C = created, A = altered, M = MFT changed, R = read), so ATime here is the content modification time, not the last access time.
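The decoding described above (and the active/slack INDX output listed earlier), as an added example that is not Hibernation Recon's code: it applies the NTFS update sequence (fixups) to one 4096-byte INDX record, walks the live $I30 entries, then carves $FILE_NAME-bearing entries out of the node's slack by stepping through it 8 bytes at a time and keeping only entries whose lengths, namespace and four C/A/M/R timestamps are plausible. The record it parses is constructed in build_sample_record (two live files plus one orphaned entry left in slack), and the 1980 to 2100 timestamp window is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR = 512


def to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


# Assumed plausibility window for carving; entries with timestamps outside it are rejected.
FT_MIN = to_filetime(datetime(1980, 1, 1, tzinfo=timezone.utc))
FT_MAX = to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))


def apply_fixups(rec):
    """Undo the update sequence: the last 2 bytes of each sector hold the USN, originals sit in the USA."""
    buf = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if bytes(buf[pos:pos + 2]) != usn:
            raise ValueError("fixup mismatch in sector %d (torn or not an INDX record)" % (i - 1))
        buf[pos:pos + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_file_name(buf, off):
    """Decode a $FILE_NAME body at buf[off:]; None when its fields are not plausible."""
    if off + 0x42 > len(buf):
        return None
    parent, ctime, atime, mtime, rtime = struct.unpack_from("<QQQQQ", buf, off)  # C, A, M, R order
    name_len, namespace = buf[off + 0x40], buf[off + 0x41]
    if namespace > 3 or name_len == 0 or off + 0x42 + 2 * name_len > len(buf):
        return None
    if not all(FT_MIN <= t <= FT_MAX for t in (ctime, atime, mtime, rtime)):
        return None
    name = buf[off + 0x42:off + 0x42 + 2 * name_len].decode("utf-16-le", "replace")
    return {"name": name, "parent": parent & 0xFFFFFFFFFFFF, "CTime": from_filetime(ctime),
            "ATime": from_filetime(atime), "MTime": from_filetime(mtime), "RTime": from_filetime(rtime)}


def parse_entry(buf, pos, limit):
    """Index entry: MFT ref, entry length, $FILE_NAME length, flags, then the $FILE_NAME body."""
    if pos + 0x10 > limit:
        return None
    mft_ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", buf, pos)
    if flags & ~3 or fn_len < 0x42 or entry_len < 0x10 + fn_len or pos + entry_len > limit:
        return None
    fn = parse_file_name(buf, pos + 0x10)
    if fn is None or fn_len != 0x42 + 2 * buf[pos + 0x50]:  # declared length must match the name
        return None
    fn.update(mft=mft_ref & 0xFFFFFFFFFFFF, entry_len=entry_len)
    return fn


def parse_indx_record(rec):
    """Return (active, slack): entries in the live node, and entries carved from its slack."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    rec = apply_fixups(rec)
    entries_off, entries_size, alloc_size = struct.unpack_from("<III", rec, 0x18)
    pos, end = 0x18 + entries_off, min(0x18 + entries_size, len(rec))
    limit = min(0x18 + alloc_size, len(rec))
    active = []
    while pos + 0x10 <= end:
        if struct.unpack_from("<I", rec, pos + 0x0C)[0] & 2:  # last-entry marker has no $FILE_NAME
            break
        entry = parse_entry(rec, pos, end)
        if entry is None:
            break
        active.append(entry)
        pos += entry["entry_len"]
    slack, pos = [], end
    while pos + 0x52 <= limit:  # entries are 8-byte aligned, so slide the window by 8
        entry = parse_entry(rec, pos, limit)
        if entry is None:
            pos += 8
        else:
            slack.append(entry)
            pos += (entry["entry_len"] + 7) & ~7
    return active, slack


def build_entry(mft, name, when):
    """Constructed $I30 entry (test data): header + $FILE_NAME, padded to 8 bytes."""
    ft = to_filetime(when)
    fn = struct.pack("<QQQQQQQII", 5, ft, ft, ft, ft, 4096, 1000, 0x20, 0)
    fn += bytes([len(name), 3]) + name.encode("utf-16-le")
    entry_len = (0x10 + len(fn) + 7) & ~7
    return struct.pack("<QHHI", mft, entry_len, len(fn), 0) + fn.ljust(entry_len - 0x10, b"\0")


def build_sample_record():
    """Constructed 4096-byte INDX record: two live entries, last-entry marker, one orphan in slack."""
    t = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
    live = build_entry(64, "notes.txt", t) + build_entry(65, "report.docx", t)
    live += struct.pack("<QHHI", 0, 0x10, 0, 2)
    orphan = build_entry(66, "old-invoice.pdf", datetime(2020, 3, 4, tzinfo=timezone.utc))
    usa_off, usa_cnt, entries_off = 0x28, 9, 0x40 - 0x18  # USA then entries, 8-byte aligned
    hdr = b"INDX" + struct.pack("<HHQQ", usa_off, usa_cnt, 0, 0)
    hdr += struct.pack("<IIII", entries_off, entries_off + len(live), 4096 - 0x18, 0)
    buf = bytearray(4096)
    buf[:len(hdr)] = hdr
    buf[0x40:0x40 + len(live)] = live
    slack_at = 0x40 + len(live) + 24
    buf[slack_at:slack_at + len(orphan)] = orphan
    buf[usa_off:usa_off + 2] = b"\x01\x00"  # install fixups the way the driver does
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[pos:pos + 2]
        buf[pos:pos + 2] = b"\x01\x00"
    return bytes(buf)
```

On a real page of memory or disk you would first scan for the b"INDX" signature and hand each 4096-byte hit to parse_indx_record; a fixup mismatch there is the usual sign that the page is torn or only partially resident.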
NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file’s $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage’s The Meaning of LIFE document.