The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now!
Hibernation Recon has been developed to not only support memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, but to properly identify and extract massive volumes of information from the multiple types (and levels) of slack space that often exist within them. Proper exploitation of hibernation files allows digital forensics experts to “look back in time” and uncover compelling evidence from Windows computers. Digital forensics experts can no longer afford to analyze electronic evidence without extracting maximum value from Windows hibernation files.
Hibernation Recon, along with all our other tools, is available as part of an affordable monthly subscription - currently, $49 per month. If Hibernation Recon is run without a license, a “Free Mode” is provided which supports the extraction of active contents from both legacy and modern Windows hibernation files. Please contact sales regarding discounts for volume licensing.
How can I run the command line interface version of Hibernation Recon?
Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec”):
What are the “Legacy” and “Modern” hibernation formats?
Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.
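As an added example (not code from Hibernation Recon or Arsenal Recon), the Python decoder below implements the plain LZ77 XPRESS block format documented in Microsoft's MS-XCA specification, which I assume is the XPRESS compression the Legacy format applies to each block; the Huffman-coded variant used by the Modern format is not covered. The two sample blocks are constructed by hand, not taken from a real hibernation file.

```python
import struct


def xpress_lz77_decompress(data: bytes, expected_size=None) -> bytes:
    """Plain-LZ77 XPRESS block decoder (MS-XCA 2.3/2.4.4); ValueError on bad back-references."""
    out, n, in_pos = bytearray(), len(data), 0
    flags, flag_count = 0, 0   # current 32-bit flag word and its unread bit count
    last_half_pos = 0          # index of a nibble byte whose high half is still unused
    while in_pos < n and (expected_size is None or len(out) < expected_size):
        if flag_count == 0:                   # fetch the next flag word; MSB is consumed first
            if in_pos + 4 > n:
                break                         # dangling partial flag word: stop cleanly
            flags = struct.unpack_from("<I", data, in_pos)[0]
            in_pos, flag_count = in_pos + 4, 32
            continue
        flag_count -= 1
        if not (flags >> flag_count) & 1:     # clear bit: one literal byte
            out.append(data[in_pos])
            in_pos += 1
            continue
        token = struct.unpack_from("<H", data, in_pos)[0]   # set bit: 16-bit LE match token
        in_pos += 2
        length, offset = token & 7, (token >> 3) + 1        # low 3 bits len-3, rest offset-1
        if length == 7:                       # length escapes into a shared nibble byte
            if last_half_pos == 0:
                length, last_half_pos, in_pos = data[in_pos] & 0x0F, in_pos, in_pos + 1
            else:
                length, last_half_pos = data[last_half_pos] >> 4, 0
            if length == 15:                  # then a full byte, then a 16-bit value
                length, in_pos = data[in_pos], in_pos + 1
                if length == 255:
                    length, in_pos = struct.unpack_from("<H", data, in_pos)[0] - 22, in_pos + 2
                    if length < 0:
                        raise ValueError("invalid extended match length")
                length += 15
            length += 7
        length += 3
        if offset > len(out):                 # reference before output start: truncated/corrupt block
            raise ValueError(f"bad back-reference near input byte {in_pos}")
        for _ in range(length):               # byte-wise copy so overlapping references work
            out.append(out[-offset])
    return bytes(out if expected_size is None else out[:expected_size])


# Constructed sample blocks (not from a real hibernation file):
# literals a, b, c then a 9-byte match at offset 3 -> b"abcabcabcabc"
SAMPLE_SHORT = bytes.fromhex("00000010" "616263" "1600")
# "a", match(offset 1, length 20) using the low nibble of 0x2A, "b", then
# match(offset 1, length 12) using its high nibble -> 21 x "a" then 13 x "b"
SAMPLE_NIBBLE = bytes.fromhex("00000050" "61" "07002A" "62" "0700")
```

Slack blocks are frequently cut off or partly overwritten, so a ValueError here is expected on real input and should be treated as "partial block" rather than a decoder failure.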
What are the output files created by Hibernation Recon?
- Active memory decompressed & reconstructed
- All levels of slack (Legacy format) decompressed & placed in one output file
- All levels of slack (Modern format) decompressed & placed in one output file
- Slack (Legacy format) decompressed & placed in multiple output files by slack level
- Slack (Modern format) decompressed & placed in multiple output files by slack level
- Raw slack (Legacy format) from all slack levels placed in one output file
- Raw slack (Modern format) from all slack levels placed in one output file
- Raw slack placed in multiple output files by chunk
- Non-zero data after all valid levels of slack
- All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file
- Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records
- Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records
- Hibernation Recon log file
What can I do with the output from Hibernation Recon?
You can load decompressed and reconstructed memory (ActiveMemory.bin) into your memory forensics toolkits and run your other tools against all the output from Hibernation Recon to extract many kinds of artifacts. We will begin adding artifact recovery to the next major version of Hibernation Recon.
Do I need an Internet connection for Hibernation Recon licensing?
You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.
How can I license Hibernation Recon on an air-gapped (a/k/a offline) workstation?
If you want your air-gapped workstation properly licensed for Hibernation Recon, please:
- Open Hibernation Recon and enter the license code you were given.
- When it detects that no Internet connection is available, Hibernation Recon will save a ".LIC" file to your ProgramData\ArsenalRecon folder.
- On a workstation with Internet access, go to our Offline Activation page and upload the ".LIC" file.
- Finally, copy the CDM file you receive to the ProgramData\ArsenalRecon folder on the air-gapped workstation.
Your air-gapped workstation is now ready to run Hibernation Recon!
What are some examples of problematic hibernation files?
Hibernation Recon does not currently support the processing of BitLocker, TPM-impacted, or empty (yes, we had to say that!) hibernation files. If you find that Hibernation Recon has not processed your hibernation file, please determine whether BitLocker and/or TPM is in play and whether the file contains any significant volume of non-zero data. If you are still unsure why Hibernation Recon has not processed a particular hibernation file, please contact support and we will assist you.
How can a hibernation file be zeroed out?
Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled or after Windows 8/8.1 and 10 resume on SSDs.
What impact does Fast Boot/Fast Startup have on Windows hibernation?
Windows 8/8.1 and Windows 10 normally have “Fast Boot” or “Fast Startup” functionality (hereafter “Fast Boot”) enabled by default. A shutdown on a Fast Boot-enabled system writes kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in the background, and other user-mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this write to the hibernation file occurs, much more than kernel memory is captured. Of course, a “normal” or “complete” hibernation while a user is logged into Windows will result in much more data being written to the hibernation file.
What kinds of advanced NTFS metadata recovery does Hibernation Recon provide?
Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data, normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contain Object IDs, or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well.
How would you describe Object IDs?
NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file's $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage's The Meaning of LIFE document.
All subscription users are eligible for software updates for the duration of their subscription. Legacy license holders are eligible for updates for the duration of their SMS. We continue to work on more aggressive NTFS metadata recovery, hibernation carving and other features!