Hibr2Bin or Imagecopy tool to decompress hiberfil.sys

(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Forensic Focus Community,

I am currently researching on how I can decompress hiberfil.sys for my investigation.

I am using the tool hibr2bin.exe to decompress the hiberfil.sys; however, I keep getting this message

I am pretty sure that I am in the right location. I have dumped the hibr2bin.exe tool on the C:\ drive together with the hiberfil.sys.

I am also familiar with Volatility's imagecopy command to decompress the file, because I've attended a forensics course. However, when I tried to copy the hiberfil.sys file (copy and paste) to a different directory, I got this error

I was wondering if I would need to slave the hard drive so I can copy the hiberfil.sys and use Volatility's imagecopy or hibr2bin.exe to decompress hiberfil.sys?

Any assistance would be appreciated.

Thank you,

 
Posted : 05/11/2016 9:39 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I have dumped the hibr2bin.exe tool on the C:\ drive together with the hiberfil.sys

C:\ is the location of the hiberfil.sys file currently in use by your OS!
Create a new folder, put hibr2bin.exe and your testing hiberfil.sys into this folder and try again. If this error message occurs again, stop using the hibernation feature of your OS so there is no file handle on this file any longer.

%comspec% powercfg.exe /Hibernate off
and a following reboot will stop using hibernation in general. After this, there are no handles left from SYSTEM on C:\hiberfil.sys.

best regards,
Robin

 
Posted : 05/11/2016 10:39 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also (JFYI)
http://reboot.pro/topic/7400-copy-locked-system-files-tis-now-possible/
http://www.forensicfocus.com/Forums/viewtopic/t=13653/

Joakim's Rawcopy
https://github.com/jschicht/RawCopy
has been fixed and is reported as working also for pagefile.sys and hiberfil.sys.

jaclaz

 
Posted : 05/11/2016 11:59 pm
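The two posts above boil down to one rule: the live C:\hiberfil.sys is held open by the kernel, so it has to be raw-copied out (RawCopy, or an offline image) before Hibr2Bin or Volatility's imagecopy can touch it. A copy that "succeeded" but came back as zeros, or a file whose header says the machine already resumed, will make the decompressor fail or return stale data. The following is an added example written for this thread, not code from Hibr2Bin, RawCopy or Volatility: a pre-flight check on a copied hiberfil.sys that reads the 4-byte signature at offset 0 and reports what state the file is in. The signature values (hibr / HIBR when hibernated, wake / WAKE after a resume, zeros when the header was cleared or the file never held an image) are what the public hibernation-file tooling keys on; the mapping of lower-case signatures to XP–7 and upper-case to 8/8.1/10, and the sample files, are this example's own assumptions.

```python
"""Pre-flight check of a raw-copied hiberfil.sys before decompression.

Added example for this thread; not code from Hibr2Bin, RawCopy or Volatility.
The samples written by demo() are constructed stand-ins, not real hiberfil.sys
content: a real file's first page is followed by compressed memory pages.
"""
import os
import tempfile

PAGE_SIZE = 4096  # x86/x64 page size; hiberfil.sys is laid out in pages

# 4-byte signature at offset 0 of hiberfil.sys (PO_MEMORY_IMAGE.Signature).
POPULATED = {b"hibr", b"HIBR"}  # written when the system hibernated
RESUMED = {b"wake", b"WAKE"}    # rewritten after a successful resume
ZERO = b"\x00\x00\x00\x00"      # header cleared, or file never populated
LEGACY = {b"hibr", b"wake"}     # assumption: lower-case = XP/Vista/7 format


def classify_header(first_page: bytes) -> dict:
    """Classify a hibernation file by its 4-byte signature."""
    sig = first_page[:4]
    if len(sig) < 4:
        state = "truncated"      # not even a header: copy is broken
    elif sig in POPULATED:
        state = "populated"      # worth decompressing
    elif sig in RESUMED:
        state = "resumed"        # memory pages may linger but are stale
    elif sig == ZERO:
        state = "unpopulated"    # header cleared; remaining pages may still hold data
    else:
        state = "unknown"        # not a hibernation header at all
    return {"signature": sig, "state": state, "legacy_format": sig in LEGACY}


def check_copy(path: str) -> dict:
    """Inspect a copied hiberfil.sys: signature, size, alignment, empty header."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        first_page = fh.read(PAGE_SIZE)
    result = classify_header(first_page)
    result["size"] = size
    result["page_aligned"] = size % PAGE_SIZE == 0
    # A locked-file "copy" that silently read back zeros is the classic failure:
    # flag a first page that carries no data at all.
    result["first_page_all_zero"] = first_page == b"\x00" * len(first_page)
    return result


def write_sample(path: str, signature: bytes, fill: bytes = b"\xab",
                 pages: int = 2) -> None:
    """Write a constructed sample file: signature followed by filler bytes."""
    payload = signature + fill * (PAGE_SIZE * pages - len(signature))
    with open(path, "wb") as fh:
        fh.write(payload)


def demo() -> dict:
    """Run check_copy() over constructed samples; returns one result per sample."""
    samples = {
        "win7": (b"hibr", b"\xab"),      # legacy populated image
        "win10": (b"HIBR", b"\xab"),     # modern populated image
        "resumed": (b"wake", b"\xab"),   # machine resumed after hibernating
        "zerocopy": (ZERO, b"\x00"),     # copy of a locked file that read as zeros
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (sig, fill) in samples.items():
            path = os.path.join(tmp, name + ".sys")
            write_sample(path, sig, fill)
            results[name] = check_copy(path)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:9s} sig={r['signature']!r:10s} state={r['state']:12s} "
              f"size={r['size']} aligned={r['page_aligned']} "
              f"empty_header={r['first_page_all_zero']}")
```

Run it against the real copy with check_copy(r"D:\case\hiberfil.sys") before invoking Hibr2Bin: a "populated" result with a page-aligned size is the case the decompressors expect; "zerocopy"-style output means the copy tool never got past the OS lock and the file must be acquired again with a raw-copy tool or from an offline image.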
(@btforensics)
Posts: 14
Active Member
Topic starter
 

Hi Bunnysniper, jaclaz,

I really appreciate your help.

I used the RawCopy tool that jaclaz provided and it works perfectly.

Joakim's Rawcopy
github.com/jschicht/RawCopy

I was able to copy the hiberfil.sys file and used hibr2bin.exe to decompress it.

Thank you for your help!

More power forensic focus!

 
Posted : 06/11/2016 1:48 pm
(@randomaccess)
Posts: 385
Reputable Member
 

If all else fails, Arsenal Recon just released their new tool… a bit more expensive than the other free tools though.

 
Posted : 07/11/2016 9:56 am
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

If all else fails, Arsenal Recon just released their new tool… a bit more expensive than the other free tools though.

We’re launching a new beta of Hibernation Recon today that incorporates a “Free Mode” designed to provide you with (when compared to other solutions) more reliable and efficient extraction of active contents from both legacy and modern Windows hibernation files. Free Mode will also provide statistics related to the kinds of hibernation slack encountered, NTFS INDX record recovery, etc. In other words, you may want to download and start using it now if you are not already.

Notable features when licensed include:

Windows XP, Vista, 7, 8/8.1, and 10 hibernation file support
Active memory reconstruction
Identification and extraction of multiple levels of slack space
Brute force decompression of partially overwritten slack
Segregation of extracted slack based on particular hibernations
Proper handling of legacy hibernation data found in modern hibernation files
NTFS metadata recovery with human-friendly decoding
Parallel processing of multiple hibernation files

You can download the new beta with “Free Mode” functionality here:

https://arsenalrecon.com/apps/hibernation-recon/

If anyone would like to see some of the cool stuff that can now be done with Windows hibernation files in person (that may cause you to open your evidence safes and start processing old evidence), I would be glad to demonstrate next week in Hong Kong (Wan Chai area), through the end of March in Boston, and the first week of April while I’m at Kaspersky’s Security Analyst Summit.

Check out this screenshot to get a feel for our madness:

https://twitter.com/ArsenalArmed/status/839157107047940098

Of course, similar to how we operate with Arsenal Image Mounter - if you find any bugs, please let us know and we will prioritize killing them with utmost malice.

Mark Spencer, President
@ArsenalArmed

 
Posted : 07/03/2017 11:05 pm