
Hiberfil.sys

From ForensicsWiki
Revision as of 20:22, 27 June 2008 by Moyix (Talk | contribs) (Added information on Matt Suiche and Nicolas Ruff's work on Sandman)


hiberfil.sys is the file Microsoft Windows uses by default to save the machine's state, including the in-use contents of physical memory, when it hibernates, so that the session can be restored on the next boot; that saved copy of memory is what makes the file a memory-forensics artefact of interest. The kernel keeps the file open with exclusive access for as long as Windows is running, so it cannot be opened through the normal file API by any user, the Administrator included. On a live system it therefore has to be acquired by reading the raw volume underneath the file system (as forensic imagers do); otherwise it is recovered from an offline disk image.

Although most of the data structures needed to parse the file format are available in the Microsoft Windows debug symbols, the compression the file uses (Xpress) was undocumented until it was reverse engineered by Matthieu Suiche and Nicolas Ruff. As of this revision, Sandman (http://sandman.msuiche.net/) is the only tool that can read the Windows hibernation file.

Later in 2007, as part of the Windows Server Protocol Program, Microsoft released documentation for the Xpress compression algorithm within the Directory Replication Service (DRS) Remote Protocol specification (MS-DRSR), so the format no longer depends on reverse-engineered descriptions alone.
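As an added example, not code from the ForensicsWiki page, from Sandman or from Microsoft, the following Python implements the Xpress scheme the two paragraphs above refer to: the plain LZ77 + DIRECT2 format that MS-DRSR described and that Microsoft now also publishes as the "plain LZ77" variant of [MS-XCA]. It gives a decoder that follows the specification's decompression steps (32 flag bits consumed most significant bit first, a 16-bit match token holding a 13-bit offset and 3-bit length, and the length extension that continues in a shared half-byte, then a byte, then a 16-bit word), plus a simple greedy encoder so the decoder can be exercised on constructed input. It works on the raw compressed payload only; the hibernation file wraps each compressed block in a small header carrying the signature `\x81\x81xpress`, and locating and stripping that header is left to the caller. All sample inputs in the tests are constructed for the demonstration.

```python
# Xpress "plain LZ77" (LZ77 + DIRECT2) codec written from the MS-XCA decompression pseudocode.
# Added example for this page; not code from the ForensicsWiki article or from Sandman.
import struct

MAX_OFFSET = 1 << 13   # match token: 13 bits of (offset - 1), 3 bits of (length - 3)
MAX_MATCH = 65535 + 3  # largest length the final 16-bit length extension can express


def xpress_decompress(src: bytes) -> bytes:
    """Decode one raw Xpress block (hiberfil's per-block header assumed already stripped).
    Flags come 32 at a time, MSB first: 0 = literal byte, 1 = match token."""
    out = bytearray()
    i = flags = nflags = 0
    nibble_pos = None  # byte whose high nibble is still free for the next length extension

    def take(n):
        nonlocal i
        if i + n > len(src):
            raise ValueError("truncated Xpress stream at byte %d" % i)
        i += n
        return int.from_bytes(src[i - n:i], "little")

    while i < len(src):
        if nflags == 0:
            flags, nflags = take(4), 32
        nflags -= 1
        if not (flags >> nflags) & 1:
            out.append(take(1))
            continue
        if i == len(src):  # match flag but no data left: the encoder's end-of-stream padding
            break
        token = take(2)
        offset, length = (token >> 3) + 1, token & 7
        if length == 7:  # length field saturated: read the extension (half-byte, byte, word)
            if nibble_pos is None:
                nibble_pos, length = i, take(1) & 0x0F
            else:
                length, nibble_pos = src[nibble_pos] >> 4, None
            if length == 15:
                length = take(1)
                if length == 255:
                    length = take(2)
                    if length < 15 + 7:
                        raise ValueError("invalid long match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("match offset %d points before start of output" % offset)
        for _ in range(length):  # byte by byte so overlapping (run-length) copies work
            out.append(out[-offset])
    return bytes(out)


def _longest_match(data: bytes, pos: int):
    # Naive search of the 8 KiB window for the longest earlier copy of data[pos:].
    best_len = best_off = 0
    limit = min(len(data) - pos, MAX_MATCH)
    for cand in range(pos - 1, max(-1, pos - MAX_OFFSET - 1), -1):
        n = 0
        while n < limit and data[cand + n] == data[pos + n]:
            n += 1
        if n > best_len:
            best_len, best_off = n, pos - cand
    return best_len, best_off


def xpress_compress(data: bytes) -> bytes:
    """Greedy encoder with the same token layout; here mainly to exercise the decoder."""
    out, pos, flags, nflags = bytearray(), 0, 0, 0
    flag_pos = nibble_pos = None
    while pos < len(data):
        if nflags == 0:
            flag_pos, flags, nflags = len(out), 0, 32
            out += b"\0\0\0\0"  # placeholder, patched once the group of 32 flags is known
        nflags -= 1
        length, offset = _longest_match(data, pos)
        if length < 3:
            out.append(data[pos])
            pos += 1
        else:
            flags |= 1 << nflags
            rem = length - 3
            out += struct.pack("<H", ((offset - 1) << 3) | min(rem, 7))
            if rem >= 7:
                rem -= 7
                if nibble_pos is None:
                    nibble_pos = len(out)
                    out.append(min(rem, 15))
                else:
                    out[nibble_pos] |= min(rem, 15) << 4
                    nibble_pos = None
                if rem >= 15:
                    rem -= 15
                    out.append(min(rem, 255))
                    if rem >= 255:
                        out += struct.pack("<H", length - 3)
            pos += length
        if nflags == 0:
            struct.pack_into("<I", out, flag_pos, flags)
    if nflags:
        flags |= (1 << nflags) - 1  # MS-XCA: unused flag bits are set to 1 as the end marker
        struct.pack_into("<I", out, flag_pos, flags)
    return bytes(out)
```

The decoder refuses a match whose offset reaches before the start of the output buffer and a stream that ends in the middle of a token; both are the conditions a parser fed a damaged or deliberately malformed block will hit, and copying a match byte by byte is what makes offset-1 run-length copies (for example a zero-filled page) decode correctly. A constructed stream such as `bytes.fromhex("00000010") + b"ABC" + bytes.fromhex("1600")` (three literal flags, one match flag, then a token with offset 3 and length 9) decodes to `b"ABCABCABCABC"`.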