Hello everybody. I'm investigating the fact of illegal penetration into the computer. The important data I found in the file is the hiberfil.sys. But, this file stores data for the year 2015., although Windows was installed in 2016. Has anyone dealt with a similar situation? How can you explain the record of data for 2015 in a file created in 2016?
I will be grateful for any help.
hibernate could have been disabled by "powercfg /h off" for example.
best regards,
Robin
First a few questions comes to my mind;
How did you find the target file (how was hiberfil.sys analyzed)?
Is this an upgraded OS (was there a previous OS)?
What do you mean by "record of data"?
What have you analyzed to get this 2015 timestamp?
hibernate could have been disabled by "powercfg /h off" for example.
best regards,
Robin
Tito, forget it. I did not read it carefully enough, i wrote rubbish. Currently no idea why the hiberfil.sys has a timestamp older than the OS itself.
@tito what if the bios/uefi or the OS date/time was set back manually ? )
Windows was installed in 2016
Fresh install over an older one?
Hey. First of all, I want to thank you for your answers, thank you!
1. The data was found by keywords.
2. The operating system was not updated, the new one installed, over the old one.
3. analyzed the data that is contained in the file hiberfil.sys. There were detected different records. Among them, for example, the update of the Chrome browser and there are timed marks for 2015.
In addition, there are ways to save files. There is specified a user name, which in the current system is not present.
@tito what if the bios/uefi or the OS date/time was set back manually ? )
Such actions are most likely logged in the event log. During the analysis, there was no data about the change in the date and time.
Windows was installed in 2016
Fresh install over an older one?
may be. But that's interesting, the file hiberfil.sys is not replaced? Only the file metadata in the file system is updated? I will conduct a test and be sure to write about the results.
Have you looked into this possibility? http//
How did you determine the install date?