Hibernation Recon

The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now!

Hibernation Recon has been developed to not only support memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, but to properly identify and extract massive volumes of information from the multiple levels of slack space within them. As the adoption of Cloud technologies and solid-state storage increases, the exploitation of hibernation files to “look back in time” and uncover compelling evidence from Windows computers becomes even more important. Digital forensics experts can no longer afford to analyze electronic evidence without extracting maximum value from Windows hibernation files.

Features

  • Windows XP, Vista, 7, 8/8.1, and 10 hibernation file support
  • Active memory reconstruction
  • Identification and extraction of multiple levels of slack space
  • Brute force decompression of partially overwritten slack
  • Segregation of extracted slack based on particular hibernations
  • Proper handling of legacy hibernation data found in modern hibernation files

Requirements

REGISTRYRECON requires Microsoft Windows 8 or later.

FAQs

How can I run the command line interface version of Hibernation Recon?

Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec”):HibRec /HiberFill=(FullPath)

What are the “Legacy” and “Modern” hibernation formats?

Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.

What are the output files created by Hibernation Recon?

hibernation-recon-table

What can I do with the output from Hibernation Recon?

You can load decompressed and reconstructed memory (ActiveMemory.bin) into your memory forensics toolkits and run your other tools against all the output from Hibernation Recon to extract many kinds of artifacts. We will begin adding artifact recovery to the next major version of Hibernation Recon.

Do I need an Internet connection for Hibernation Recon licensing?

You only need an Internet connection for Hibernation Recon once – when you initially evaluate or enter your activation code. If you cannot connect to the Internet, see the air gapped workstation instructions below.

How can I evaluate and license Hibernation Recon on an air gapped workstation?

If you would like to evaluate Hibernation Recon on an air gapped workstation, please contact sales for an evaluation code.

If you have received an evaluation code or purchased Hibernation Recon and want to get your air gapped workstation properly licensed, please:

  • Open Hibernation Recon and enter the evaluation or activation code you were given
  • Upon realizing that no Internet connection is available, Hibernation Recon will save a “.LIC” file to your Hibernation Recon folder
  • On a workstation with Internet access, go to our Offline Activation page and upload the “.LIC” file.
  • Finally, copy the CDM file you receive to your Hibernation Recon folder

Your air gapped workstation is now ready to run Hibernation Recon!

What are some examples of problematic hibernation files?

Hibernation Recon does not currently support the processing of TPM-impacted or empty (yes, we had to say that!) hibernation files. If you find that Hibernation Recon has not processed your hibernation file, please determine whether TPM is in play and whether the file contains any significant volume of non-zero data. If you are still unsure why Hibernation Recon has not processed a particular hibernation file, please contact support and we will assist you.

2017-09-01T14:51:02+00:00