Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Sat Nov 05, 2016 4:39 pm

Hi Forensic Focus Community,

I am currently researching how I can decompress hiberfil.sys for my investigation.

I am using a tool, hibr2bin.exe, to decompress the hiberfil.sys; however, I keep on getting this message:


I am pretty sure that I am in the right location. I have dumped the hibr2bin.exe tool in the C:\ drive together with the hiberfil.sys


I am also familiar with Volatility's imagecopy command to decompress the file because I've attended a forensic course. However, when I tried to copy the hiberfil.sys file (copy and paste) to a different directory I get this error:


I was wondering if I would need to slave the hard drive so I can copy the hiberfil.sys and use Volatility's imagecopy or hibr2bin.exe to decompress hiberfil.sys?

Any assistance would be appreciated.

Thank you,

btforensics
Member

Re: Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Sat Nov 05, 2016 5:39 pm

- btforensics
I have dumped the hibr2bin.exe tool in the C:\ drive together with the hiberfil.sys


C:\ is the location of the hiberfil.sys file currently in use by your OS!
Create a new folder, put hibr2bin.exe and your testing hiberfil.sys into this folder and try again. If this error message occurs again, stop using the hibernation feature of your OS so there is no file handle on this file any longer.

%comspec% powercfg.exe /Hibernate off
and a following reboot will stop using hibernation in general. After this, there are no handles left from SYSTEM on C:\hiberfil.sys

best regards,
Robin

Bunnysniper
Senior Member

Re: Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Sat Nov 05, 2016 6:59 pm

Also (JFYI):
reboot.pro/topic/7400-...-possible/
www.forensicfocus.com/...c/t=13653/

Joakim's Rawcopy:
github.com/jschicht/RawCopy
has been fixed and is reported as working also for pagefile.sys and hiberfil.sys.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
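Before feeding a copy of hiberfil.sys obtained as described above (RawCopy, or a copy taken after hibernation was switched off) into hibr2bin.exe or Volatility's imagecopy, it is worth checking the copy's first page: a hibernation file whose header was overwritten on resume, or that is all zeros, will not decompress into a usable memory image no matter which tool is used. The script below is an added example, not code from this thread or from Hibr2Bin, RawCopy or Volatility. It assumes 4 KiB pages and the signature conventions commonly documented for Windows hibernation files (lowercase `hibr`/`wake` for XP through 7, uppercase `HIBR`/`WAKE`/`RSTR` for Windows 8 and later); the sample headers it builds are constructed for illustration.

```python
"""Sanity-check a copied hiberfil.sys before handing it to a decompressor.

Added example; not code from the thread or from Hibr2Bin/RawCopy/Volatility.
The signature-to-state mapping is an assumption based on commonly documented
hibernation-file header conventions; confirm it against your tool's docs.
"""
import sys

PAGE = 4096  # bytes of the header page inspected (assumption: 4 KiB pages)

# signature -> (era, state); assumption, see module docstring
SIGNATURES = {
    b"hibr": ("legacy (XP-7)", "active"),
    b"wake": ("legacy (XP-7)", "resumed"),
    b"HIBR": ("modern (8+)", "active"),
    b"WAKE": ("modern (8+)", "resumed"),
    b"RSTR": ("modern (8+)", "resumed"),
}


def classify_hiberfil_header(first_page: bytes) -> dict:
    """Classify a hibernation file from the bytes of its first page.

    Returns a dict with 'signature', 'era', 'state' and 'decompressible'.
    Only an 'active' signature is marked decompressible: a resumed or zeroed
    header means whole-memory decompressors will not yield a usable image
    (slack-carving tools may still recover fragments).
    """
    if len(first_page) < 4:
        return {"signature": None, "era": None,
                "state": "truncated", "decompressible": False}
    sig = first_page[:4]
    if sig in SIGNATURES:
        era, state = SIGNATURES[sig]
    elif not any(first_page[:PAGE]):
        # every byte of the header page is zero
        era, state = None, "zeroed (hibernation off or header wiped)"
    else:
        era, state = None, "unknown"
    return {"signature": sig, "era": era, "state": state,
            "decompressible": state == "active"}


def check_file(path: str) -> dict:
    """Read only the first page of a copied hiberfil.sys and classify it."""
    with open(path, "rb") as fh:
        return classify_hiberfil_header(fh.read(PAGE))


def _sample(sig: bytes) -> bytes:
    """Constructed sample header page: signature, then arbitrary filler."""
    return (sig + b"\x00" * 12 + b"\xaa" * 16).ljust(PAGE, b"\x00")


if __name__ == "__main__":
    # Usage: python check_hiberfil.py <copied hiberfil.sys> [...]
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it against the copied file, not against C:\hiberfil.sys on the live system (which is exactly the handle problem Bunnysniper describes). A result other than `active` tells you up front why hibr2bin.exe or imagecopy would fail or produce garbage on that copy.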

Re: Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Sun Nov 06, 2016 8:48 am

Hi Bunnysniper, jaclaz,

I really appreciate your help.

I used the RawCopy tool that Jaclaz provided and it works perfectly.

Joakim's Rawcopy:
github.com/jschicht/RawCopy

I was able to copy the hiberfil.sys file and used hibr2bin.exe to decompress it.

Thank you for your help!

More power, Forensic Focus!

btforensics
Member

Re: Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Mon Nov 07, 2016 4:56 am

If all else fails, Arsenal Recon just released their new tool... a bit more expensive than the other free tools though.

randomaccess
Senior Member

Re: Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

Post Posted: Tue Mar 07, 2017 6:05 pm

- randomaccess
If all else fails, Arsenal Recon just released their new tool... a bit more expensive than the other free tools though.


We’re launching a new beta of Hibernation Recon today that incorporates a “Free Mode” designed to provide you with (when compared to other solutions) more reliable and efficient extraction of active contents from both legacy and modern Windows hibernation files. Free Mode will also provide statistics related to the kinds of hibernation slack encountered, NTFS INDX record recovery, etc. In other words, you may want to download and start using it now if you are not already.

Notable features when licensed include:

Windows XP, Vista, 7, 8/8.1, and 10 hibernation file support
Active memory reconstruction
Identification and extraction of multiple levels of slack space
Brute force decompression of partially overwritten slack
Segregation of extracted slack based on particular hibernations
Proper handling of legacy hibernation data found in modern hibernation files
NTFS metadata recovery with human-friendly decoding
Parallel processing of multiple hibernation files

You can download the new beta with “Free Mode” functionality here:

arsenalrecon.com/apps/...ion-recon/

If anyone would like to see some of the cool stuff that can now be done with Windows hibernation files in person (that may cause you to open your evidence safes and start processing old evidence), I would be glad to demonstrate next week in Hong Kong (Wan Chai area), through the end of March in Boston, and the first week of April while I’m at Kaspersky’s Security Analyst Summit.

Check out this screenshot to get a feel for our madness:

twitter.com/ArsenalArm...7047940098

Of course, similar to how we operate with Arsenal Image Mounter - if you find any bugs, please let us know and we will prioritize killing them with utmost malice.

Mark Spencer, President
@ArsenalArmed

ArsenalConsulting
Member