Decompressing Hibernation File

tabz
(@tabz)
Active Member
Joined: 19 years ago
Posts: 19
Topic starter  

Hi all,

I'm working on a case at the moment where some particularly pertinent gmail fragments were found in hiberfil.sys (found via keyword searching in FTK).

In order to analyse the information more closely, and to hopefully get more context, I purchased X-Ways forensics because it can decompress the hibernation file.

After learning my way around X-Ways I was able to decompress the file. However, I can't really find any kind of structure nor can I find the gmail fragments I was particularly interested in.

My question is then, has anyone successfully decompressed a hiberfil.sys file and if so, what did it look like? Also, does anyone have any ideas as to why FTK would find these fragments and not X-Ways?

Thank you in advance for your help.


   
Quote
(@broberson)
Active Member
Joined: 17 years ago
Posts: 10
 

I haven't used it personally, but Sandman could be an option for you…

http://sandman.msuiche.net/


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I would suggest that you pursue Volatility.


   
ReplyQuote
tabz
(@tabz)
Active Member
Joined: 19 years ago
Posts: 19
Topic starter  

Thanks for your replies so far. I should mention that the hiberfil.sys file was taken from a forensic image of the hard drive and all my processing has been performed on this image.

I understand that the contents of the hibernation file are difficult to define. I believe a previous poster refers to searching the hibernation file as "dumpster diving", which I think is quite apt.

I guess what I want to verify is that I have decompressed the file properly and the reason I can't find any further information is because of the nature of the file and not my process. Does anyone know if there is a string, header, formatting, structure etc that each hibernation file has that can only be seen once it is decompressed?

Thanks again.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I understand that the contents of the hibernation file are difficult to define. I believe a previous poster refers to searching the hibernation file as "dumpster diving", which I think is quite apt.

I don't think that I can agree with that. That file is a RAM dump at the time that the file was created and can include some very valuable information from that point in time.

I guess what I want to verify is that I have decompressed the file properly and the reason I can't find any further information is because of the nature of the file and not my process. Does anyone know if there is a string, header, formatting, structure etc that each hibernation file has that can only be seen once it is decompressed?

Why not use Volatility and this:
http://volatility.tumblr.com/post/55548056/pdgmail-new-tool-for-gmail-memory-forensics


   
ReplyQuote
(@jimmyw)
Trusted Member
Joined: 20 years ago
Posts: 64
 

It seems that not every hibernation file is compressed. I encountered one from a Vista Home (32-bit) system, and was able to carve more than 1,000 HTML files from that raw hiberfil.sys. I learned from a colleague at X-Ways that we can grep for the string \x81\x81xpress in the hiberfil.sys - each 64MB memory buffer is preceded by such a signature - if we don't find it, the file is not compressed.


   
ReplyQuote
Share:
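An added example, not code posted in this thread: a small Python scanner that applies the check jimmyw describes, locating every \x81\x81xpress signature in a hiberfil.sys (read in chunks so a multi-gigabyte file is fine, with signatures that straddle a chunk boundary still caught) and reporting whether the file is compressed at all. The function names, the chunk size and the constructed sample bytes are my own.

```python
"""Locate Xpress block signatures in a hiberfil.sys to tell whether it is
compressed (signatures present) or raw memory that can be carved directly."""
import sys
from typing import Iterable, List

# Eight-byte signature the thread reports in front of each compressed buffer.
XPRESS_SIG = b"\x81\x81xpress"


def find_xpress_blocks(data: bytes) -> List[int]:
    """Return every offset in `data` at which the signature begins."""
    offsets = []
    pos = data.find(XPRESS_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_SIG, pos + 1)
    return offsets


def scan_chunks(chunks: Iterable[bytes]) -> List[int]:
    """Scan a sequence of chunks, returning absolute file offsets of hits.
    The last len(sig)-1 bytes of each chunk are re-scanned together with the
    next chunk so a signature split across a boundary is not missed."""
    offsets: List[int] = []
    overlap = len(XPRESS_SIG) - 1
    carry = b""     # tail of the previous chunk
    file_pos = 0    # absolute offset of the current chunk's first byte
    for chunk in chunks:
        data = carry + chunk
        for off in find_xpress_blocks(data):
            offsets.append(file_pos - len(carry) + off)
        carry = data[-overlap:]   # shorter than the signature, so no double hits
        file_pos += len(chunk)
    return offsets


def scan_file(path: str, chunk_size: int = 16 * 1024 * 1024) -> List[int]:
    with open(path, "rb") as fh:
        return scan_chunks(iter(lambda: fh.read(chunk_size), b""))


def is_compressed(data: bytes) -> bool:
    """True when at least one Xpress signature is present."""
    return bool(find_xpress_blocks(data))


# Constructed sample (not a real hiberfil): two signatures at offsets 16 and 56.
SAMPLE = b"\x00" * 16 + XPRESS_SIG + b"\x01" * 32 + XPRESS_SIG + b"\x02" * 8

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_xpress_blocks(SAMPLE)
    print(f"{len(hits)} Xpress signature(s) found; compressed={bool(hits)}")
```

If the scan reports no signatures, treat the file as uncompressed and carve it raw, as jimmyw did; if it does, the buffers need decompressing (X-Ways, Sandman or Volatility as suggested earlier in the thread) before a string search will find much.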