From ForensicsWiki
Jump to: navigation, search

hiberfil.sys is the file used by default by Microsoft Windows to save the machine's state as part of the hibernation process. The operating system also keeps an open file handle to this file, so no user, including the Administrator, can read the file while the system is running.

Although often presumed, the size of the hiberfil.sys is not one-to-one in size to the available, or total RAM of the machine.

The data structures required to parse the file format are available in the Microsoft Windows debug symbols, including some of the various compression methods used.

The Xpress compression was reverse engineered by Matthieu Suiche. He created with Nicolas Ruff a project called Sandman is the only open-source tool that can read and write the Windows Vista and 7 hibernation files.

In early 2008, as part of the Windows Server Protocol Program, Microsoft released documentation on the Xpress compression algorithm in the Directory Replication Service (DRS) Remote Protocol specification (section, "DecompressWin2k3"). However, the pseudocode given contains numerous errors, as documented by Matthieu Suiche in a blog entry.

Windows Version Compression
ME and earlier none
2000 LZNT1 (LZ77 variant)
Vista, 7 Xpress (LZ77 and direct2)

Hibernation Recon is a commercial digital forensics tool launched in late 2016. In addition to memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, Hibernation Recon also identifies and extracts data from the multiple levels of slack space within them.

External Links