Hibernation Recon

HIBERNATION Recon

Hibernation Recon FAQs

System Requirements

Hibernation Recon requires Microsoft Windows 8 or later.

How can I run the command line interface version of Hibernation Recon?

Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec” from an administrative command prompt):

HibRec /HiberFill=(FullPath)
What are the "Legacy" and "Modern" hibernation formats?

Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.

What are the output files created by Hibernation Recon?

Output Filename

Description

ActiveMemory.bin

Active memory decompressed & reconstructed

DecompressedSlackLegacy.bin

All levels of slack (Legacy format) decompressed & placed in one output file

DecompressedSlackModern.bin

All levels of slack (Modern format) decompressed & placed in in one output file

DecompressedSlackLevels/
DecompressedSlackLevelXXXYLegacy.bin

Slack (Legacy format) decompressed & placed in multiple output files by slack level. The “Y” distinguishes previous Windows installations when possible.

DecompressedSlackLevels/
DecompressedSlackLevelXXXModern.bin

Slack (Modern format) decompressed & placed in multiple output files by slack level

RawSlackLegacy.bin

Raw slack (Legacy format) from all slack levels placed in one output file

RawSlackModern.bin

Raw slack (Modern format) from all slack levels placed in one output file

RawSlackChunks/RawSlackChunk(Decimal Offset)(Hex_Offset).bin

Raw slack placed in multiple output files by chunk

NonZeroAfterValidSlack.bin

Non-zero data after all valid levels of slack

AllSlack.bin

All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file

IndxI30Entries.csv

Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records

IndxObjIdOEntries.csv

Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records

HibRec.log

Hibernation Recon log file

What can I do with the output from Hibernation Recon?

You can load decompressed and reconstructed memory (ActiveMemory.bin) into memory forensics toolkits, and run other tools (bulk_extractor, PhotoRec, etc.) against both the active and slack output from Hibernation Recon to extract many kinds of artifacts.

Do I need an Internet connection for Hibernation Recon licensing?

You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.

How can I license Hibernation Recon on an offline workstation?

If you want your air-gapped workstation properly licensed for Hibernation Recon, please:

  • Open Hibernation Recon and enter the license code you were given

  • Upon realizing that no Internet connection is available, Hibernation Recon will save a “.LIC” file to your ProgramData\ArsenalRecon folder

  • On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.

  • Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Hibernation Recon!

How can hibernation files be zeroed out?

Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled or after Windows 8/8.1, 10, and 11 resumes on SSDs.

What impact does Fast Boot/Fast Startup have on Windows hibernation?

Windows 8/8.1, Windows 10, and Windows 11 normally have “Fast Boot” (Windows 8) or “Fast Startup” functionality (hereafter “Fast Startup”) enabled by default. Windows shutdowns on a Fast Startup enabled system will write kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in background, and other user mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this writing to the hibernation file occurs, much more than kernel memory is taken into account. Of course, a “normal” or “complete” hibernation when a user is logged into Windows will result in much more data being written to the hibernation file.

How can I troubleshoot why a hibernation file has not been processed by Hibernation Recon?

Your hibernation file may have been zeroed out, contain an unknown memory structure, or never used for an actual hibernation. You may want to compress the hibernation file to get a quick sense of whether it has been zeroed out, and/or review its raw content. If you are still unsure why the hibernation file has not been processed in Hibernation Recon, you can provide us with the first 1mb and we will help you determine its state.

Why are certain Registry hives missing from a successfuly processed hibernation file?

As of Windows 10 Build 17134 (or maybe 17063), Microsoft added a new Registry process which is responsible for all hives other than SYSTEM and HARDWARE. The Registry process does not end up in Fast Startup hibernation, so you will no longer find the other hives there.

What kinds of advanced NTFS metadata recovery does Hibernation Recon provide?

Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contains Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well. Regarding timestamps in the Hibernation Recon output, CTime=File Create Time, ATime=File Modified Time, MTime=MFT Entry modified Time, and RTime=File Last Access Time.

How would you describe Object IDs?

NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file’s $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage’s The Meaning of LIFE document.