
Disk: How do I know when the system last hibernated?

(@elixirelixir)
Topic starter  

I acquired a disk image and obtained the hiberfil.sys file. How do I know when the system last hibernated?

I converted the hiberfil.sys into raw image format and tried using Volatility to read out the imageinfo, and I assume this is when the hiberfil.sys is created. Does this indicate when the system hibernates? Are there any other ways to identify the last hibernation time?

$ vol.py -f hiberfil.raw --profile=Win7SP0x86 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86 (Instantiated with Win7SP0x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/tmp/hiberfil.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82d69c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82d6ac00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2012-04-04 03:35:05 UTC+0000
     Image local date and time : 2012-04-03 23:35:05 -0400


   
keydet89
(@keydet89)
 

Last modification time of the file?


   
(@elixirelixir)
Topic starter  

Actually, it should be the one that I did before. I found out the ground truth.
Thanks anyway.


   
keydet89
(@keydet89)
 

Can you share what you found?


   
nightworker
(@nightworker)
 

You can find the system hibernation time from the event logs. Parse the event log from the image.

https://www.tenforums.com/general-support/73957-windows-10-hibernation-event-log.html
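
The event-log approach suggested above, as an added example that is not part of the original posts: it picks the hibernate transitions out of System-log records exported as event XML and checks whether a candidate time (the imageinfo value or the file's last-modified time) agrees with the latest one. Assumptions not stated in the thread: the records of interest are Microsoft-Windows-Kernel-Power event ID 42 with TargetState 5 (hibernate, S4), the log has already been exported to XML, and the sample records and the 120-second tolerance are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
HIBERNATE = 5  # SYSTEM_POWER_STATE PowerSystemHibernate (S4); 4 would be S3 sleep

def _event(provider, event_id, when, data=""):
    """Build one constructed System-log record in Windows event XML form."""
    return (f'<Event xmlns="{NS[1:-1]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample records; they are not taken from the image in this thread.
SAMPLE = "<Events>" + "".join([
    _event("Microsoft-Windows-Kernel-Power", 42, "2012-04-02T21:10:44.5000000Z",
           '<Data Name="TargetState">4</Data>'),  # S3 sleep, must be ignored
    _event("Microsoft-Windows-Kernel-Power", 42, "2012-04-03T01:02:03.0000000Z",
           '<Data Name="TargetState">5</Data>'),
    _event("Microsoft-Windows-Kernel-General", 12, "2012-04-03T08:00:00.0000000Z"),
    _event("Microsoft-Windows-Kernel-Power", 42, "2012-04-04T03:35:01.2500000Z",
           '<Data Name="TargetState">5</Data>'),
]) + "</Events>"

def hibernation_times(xml_text):
    """Return sorted UTC datetimes of Kernel-Power 42 records that target hibernate."""
    times = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        system = ev.find(NS + "System")
        provider = system.find(NS + "Provider").get("Name")
        event_id = int(system.find(NS + "EventID").text)
        if provider != "Microsoft-Windows-Kernel-Power" or event_id != 42:
            continue
        data = {d.get("Name"): d.text for d in ev.iter(NS + "Data")}
        if int(data.get("TargetState", -1)) != HIBERNATE:
            continue
        stamp = system.find(NS + "TimeCreated").get("SystemTime")[:19]  # drop fraction and Z
        times.append(datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc))
    return sorted(times)

def last_hibernation(xml_text):
    """Most recent hibernate transition in the exported log, or None if there is none."""
    times = hibernation_times(xml_text)
    return times[-1] if times else None

def agrees_with(candidate, xml_text, tolerance_s=120):
    """True if a candidate time (imageinfo or file mtime) is within tolerance of the log."""
    last = last_hibernation(xml_text)
    return last is not None and abs((candidate - last).total_seconds()) <= tolerance_s
```

Pass the candidate as a timezone-aware UTC datetime, for example `datetime(2012, 4, 4, 3, 35, 5, tzinfo=timezone.utc)` for the "Image date and time" line in the imageinfo output above.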


   