HIBERNATION Recon
Hibernation Recon Testimonials
Able To Continue My Analysis
"Hibernation Recon helped me determine that a Windows hibernation file (hiberfil.sys), exported from a BitLocker-protected disk image by a very popular digital forensics tool, was corrupt. While troubleshooting the situation, I used Arsenal Image Mounter (rather than the tool I used previously) to mount the same disk image and then exported the hibernation file… which was now perfectly intact! I ran Hibernation Recon, this time against the intact hibernation file exported by AIM, and was able to continue my analysis."
Martin Siefert
Proactive Discovery
From Hibernation File to Memory Forensics
"Due to an insufficient RAM capture from a Windows 10 machine, we had to look at using a popular memory forensics suite to analyse the hibernation file (hiberfil.sys). Due to issues encountered when trying to do this analysis, I contacted one of the memory forensics suite’s developers… who confirmed the suite is only capable of dealing with hibernation files from XP through Windows 7. He subsequently went on to suggest using a tool called Hibernation Recon, which claims to support decompression for later Windows versions. We used Hibernation Recon’s “Free Mode” and were able to obtain a viable memory dump capable of analysing within other tools, including the suite in question."
D/Sgt Martin McDonagh
Metropolitan Police Cybercrime Unit
Hibernation Slack and Critical Forensic Artifacts
“Hibernation Recon has become DoD’s must-have tool for extracting digital artifacts from Windows hibernation files. Not only does Hibernation Recon properly reconstruct active memory for all versions of Windows when other tools fail, it is the only tool that extracts various types of “slack space”, which has yielded critical forensic artifacts for DoD’s foreign intelligence mission that could not have been obtained any other way.”
United States Department of Defense
Found Skype Chat Remnants In Hibernation Slack
“Hibernation Recon allowed us to determine that remnants of a Skype chat involving child pornography existed in hiberfil.sys slack space (related to a previous hibernation) and to correct the date and time related to those remnants provided by another tool. Within the recovered chat the sender discussed not only possessing illegal material, but having over 70GB more to send, which was important to obtaining a search warrant.”
Torben Strand
Special Consultant, MSc, Danish National Police Cyber Crime Center (NC3)
Other Tools Missed Hibernation Data
“Hibernation Recon gives us the ability to quickly and accurately recover data from hibernation files missed by other tools. Output is very descriptive and helps us better understand the recovered data. Hibernation Recon will be finding a permanent place in our workflow.”
Peter Kohler, Esq.
Digital Forensics and eDiscovery at Evidox Corporation