hiberfil.sys in windows 10


Re: hiberfil.sys in windows 10

Post Posted: Mon Mar 20, 2017 7:11 am

- passcodeunlock
@tito: what if the bios/uefi or the OS date/time was set back manually?

Such actions are most likely logged in the event log. During the analysis, there was no data about the change in the date and time.  

tito
Member

Re: hiberfil.sys in windows 10

Post Posted: Mon Mar 20, 2017 7:15 am

- MDCR
- tito
Windows was installed in 2016


Fresh install over an older one?

Maybe. But that's interesting: is the file hiberfil.sys not replaced? Is only the file metadata in the file system updated? I will conduct a test and be sure to write about the results.

tito
Member

Re: hiberfil.sys in windows 10

Post Posted: Mon Mar 20, 2017 9:13 am

Have you looked into this possibility? az4n6.blogspot.nl/2017...-lies.html

How did you determine the install date?  

OM602
Member

Re: hiberfil.sys in windows 10

Post Posted: Mon Mar 20, 2017 9:14 am

What you might be seeing is a hibernation file with 1 current memory snapshot + traces of earlier hibernations. In addition to that you might also be seeing traces of data from unallocated on the volume from the time at which the current hiberfil.sys (this current OS) was created. Those hits you mention are likely data from the previous OS (but not necessarily). Based on your description it sounds as if the data with the 2015 reference is from the previous OS. The possible fact that it was uncompressed also supports the previous-OS theory. However the current memory snapshot might also contain uncompressed pages, so it is not possible to say for sure with this little information. AFAIK the only tool that can analyze the hibernation file into such detail is arsenalrecon.com/apps/...ion-recon/

Could be worth a shot if you need to know what is what within that file.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: hiberfil.sys in windows 10

Post Posted: Mon Mar 20, 2017 1:09 pm

- tito
- MDCR
- tito
Windows was installed in 2016


Fresh install over an older one?

Maybe. But that's interesting: is the file hiberfil.sys not replaced? Is only the file metadata in the file system updated? I will conduct a test and be sure to write about the results.


If you look, there are probably many things left untouched by such a reinstall. While you're at it, look at pagefile.sys as well. It is probably not (re)created during a reinstall either.

When designing operating systems, no consideration is given to forensic consistency.

- tito
- passcodeunlock
@tito: what if the bios/uefi or the OS date/time was set back manually?

Such actions are most likely logged in the event log. During the analysis, there was no data about the change in the date and time.


Yes, there are clearly defined event log IDs for this - if it is changed inside the OS. If it is changed in a boot menu, it is not.

MDCR
Senior Member
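MDCR's point above is that a clock change made inside the OS leaves event log records (Microsoft-Windows-Kernel-General event ID 1 and Security event ID 4616, which both carry the old and new time), while a change made in a boot menu does not. The Python below is an added example, not code from the thread or from any tool named in it: it runs over a constructed text export of event records, flags logged time changes larger than a tolerance, and separately flags a record whose TimeCreated runs backwards relative to the record before it, since that is the only residue an unlogged firmware change leaves in the log. The export layout (RecordId|TimeCreated|Provider|EventID|Message), the sample records and the function names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample export (RecordId|TimeCreated|Provider|EventID|Message). The records are
# invented for this example; the 4616 message, which is multi-line in a real export, is flattened.
SAMPLE_EXPORT = """\
101|2017-03-20T07:10:58Z|Microsoft-Windows-Kernel-General|1|The system time has changed to \u200e2017\u200e-\u200e03\u200e-\u200e20T07:10:59.000000000Z from \u200e2017\u200e-\u200e03\u200e-\u200e20T07:10:58.900000000Z.
102|2017-03-20T07:11:00Z|Microsoft-Windows-Security-Auditing|4616|The system time was changed. Previous Time: 2017-03-20T07:11:00.000000000Z New Time: 2015-06-01T09:00:00.000000000Z
103|2015-06-01T09:00:05Z|Microsoft-Windows-Kernel-General|12|The operating system started at system time 2015-06-01T09:00:05.000000000Z.
"""

TS = r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)"
KERNEL_RE = re.compile(r"changed to " + TS + r" from " + TS)                    # ID 1: new, then old
SECURITY_RE = re.compile(r"Previous Time:\s*" + TS + r"\s*New Time:\s*" + TS)  # ID 4616: old, then new


def parse_ts(text):
    """Parse an event-log UTC timestamp; tolerates the left-to-right marks (U+200E) Windows
    inserts into message text and the 100 ns fractions that strptime cannot read."""
    main, _, frac = text.replace("\u200e", "").rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return stamp + timedelta(microseconds=int((frac + "000000")[:6]))


def find_clock_changes(export_text, tolerance=timedelta(minutes=5)):
    """Return (record_id, kind, delta) findings: 'logged' for time changes the OS recorded
    (Kernel-General 1 / Security 4616) beyond the tolerance, and 'sequence_backwards' when
    a later record carries an earlier TimeCreated than the record before it."""
    findings, prev_created = [], None
    for line in export_text.splitlines():
        rec_id, created, _provider, event_id, msg = line.split("|", 4)
        created_dt = parse_ts(created)
        match, pair = None, None
        if event_id == "1":
            match = KERNEL_RE.search(msg.replace("\u200e", ""))
            pair = (match.group(2), match.group(1)) if match else None   # (old, new)
        elif event_id == "4616":
            match = SECURITY_RE.search(msg)
            pair = (match.group(1), match.group(2)) if match else None   # (old, new)
        if match:
            delta = parse_ts(pair[1]) - parse_ts(pair[0])
            if abs(delta) > tolerance:   # small NTP corrections stay below the tolerance
                findings.append((int(rec_id), "logged", delta))
        # Record IDs grow monotonically, so a timestamp that steps backwards is flagged on its
        # own; with no logged change next to it, it points at a change made outside the OS.
        if prev_created is not None and created_dt < prev_created - tolerance:
            findings.append((int(rec_id), "sequence_backwards", created_dt - prev_created))
        prev_created = created_dt
    return findings


if __name__ == "__main__":
    for rec_id, kind, delta in find_clock_changes(SAMPLE_EXPORT):
        print(rec_id, kind, delta)
```

On a real case the same logic applies to an export of the System and Security logs; the absence of any 'logged' finding next to a 'sequence_backwards' one is what separates a boot-menu change from one made inside Windows.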
Page 2 of 2