hiberfil.sys in windows 10  

tito
(@tito)
New Member

Hello everybody. I'm investigating a case of illegal penetration into a computer. The important data I found is in the file hiberfil.sys. But this file stores data for the year 2015, although Windows was installed in 2016. Has anyone dealt with a similar situation? How can you explain the presence of 2015 data in a file created in 2016?
I will be grateful for any help.

Quote
Posted : 17/03/2017 9:37 pm
Bunnysniper
(@bunnysniper)
Active Member

hibernate could have been disabled by "powercfg /h off" for example.

best regards,
Robin

ReplyQuote
Posted : 18/03/2017 12:57 am
joakims
(@joakims)
Active Member

First, a few questions come to my mind:
How did you find the target file (how was hiberfil.sys analyzed)?
Is this an upgraded OS (was there a previous OS)?
What do you mean by "record of data"?
What have you analyzed to get this 2015 timestamp?

ReplyQuote
Posted : 18/03/2017 2:11 am
Bunnysniper
(@bunnysniper)
Active Member

hibernate could have been disabled by "powercfg /h off" for example.

best regards,
Robin

Tito, forget it. I did not read it carefully enough; I wrote rubbish. Currently no idea why the hiberfil.sys has a timestamp older than the OS itself.

ReplyQuote
Posted : 19/03/2017 12:25 am
passcodeunlock
(@passcodeunlock)
Senior Member

@tito what if the BIOS/UEFI or the OS date/time was set back manually? )

ReplyQuote
Posted : 19/03/2017 1:41 am
MDCR
(@mdcr)
Active Member

Windows was installed in 2016

Fresh install over an older one?

ReplyQuote
Posted : 19/03/2017 11:43 am
tito
(@tito)
New Member

Hey. First of all, I want to thank you for your answers, thank you!
1. The data was found by keywords.
2. The operating system was not upgraded; a new one was installed over the old one.
3. I analyzed the data contained in the file hiberfil.sys. Various records were detected, among them, for example, a Chrome browser update, and there are time marks for 2015.
In addition, there are ways to save files. A user name is specified which is not present in the current system.

ReplyQuote
Posted : 20/03/2017 5:07 pm
tito
(@tito)
New Member

@tito what if the BIOS/UEFI or the OS date/time was set back manually? )

Such actions are most likely logged in the event log. During the analysis, there was no data about the change in the date and time.

ReplyQuote
Posted : 20/03/2017 5:11 pm
tito
(@tito)
New Member

Windows was installed in 2016

Fresh install over an older one?

Maybe. But that's interesting: is the file hiberfil.sys not replaced? Is only the file metadata in the file system updated? I will conduct a test and be sure to write about the results.

ReplyQuote
Posted : 20/03/2017 5:15 pm
OM602
(@om602)
New Member

Have you looked into this possibility? http://az4n6.blogspot.nl/2017/02/when-windows-lies.html

How did you determine the install date?

ReplyQuote
Posted : 20/03/2017 7:13 pm
joakims
(@joakims)
Active Member

What you might be seeing is a hibernation file with 1 current memory snapshot + traces of earlier hibernations. In addition to that, you might also be seeing traces of data from unallocated space on the volume from the time at which the current hiberfil.sys (this current OS) was created. Those hits you mention are likely data from the previous OS (but not necessarily). Based on your description it sounds as if the data with the 2015 reference is from the previous OS. The possible fact that it was uncompressed also supports the previous-OS theory. However, the current memory snapshot might also contain uncompressed pages, so it is not possible to say for sure with this little information. AFAIK the only tool that can analyze the hibernation file in such detail is: https://arsenalrecon.com/apps/hibernation-recon/

Could be worth a shot if you need to know what is what within that file.

ReplyQuote
Posted : 20/03/2017 7:14 pm
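A small triage script, added here as an example and not something posted in the thread or taken from the tool linked above: it reports the state of the hiberfil.sys header (assuming the commonly documented signatures, hibr/HIBR for a snapshot not yet resumed, wake/WAKE or a zeroed first page after resume) and lists every ISO-style date string found in ASCII and UTF-16LE with its offset, so that 2015 hits can be checked against where they sit in the file. The sample bytes are constructed.

```python
import re
from collections import Counter

# Header signatures at offset 0 of hiberfil.sys (assumption: the widely
# documented values; hibr/HIBR = snapshot written and not yet resumed,
# wake/WAKE = resumed, all-zero first page = header cleared on resume).
SIGNATURES = {b"hibr": "active snapshot", b"HIBR": "active snapshot",
              b"wake": "resumed (stale)", b"WAKE": "resumed (stale)"}

# ISO date (YYYY-MM-DD) in plain ASCII, not embedded in a longer digit run.
ASCII_DATE = re.compile(rb"(?<![0-9])(?:19|20)[0-9]{2}-[01][0-9]-[0-3][0-9](?![0-9])")
# The same date written as UTF-16LE (every character followed by a NUL byte).
UTF16_DATE = re.compile(rb"(?:1\x009\x00|2\x000\x00)(?:[0-9]\x00){2}"
                        rb"-\x00(?:[0-9]\x00){2}-\x00(?:[0-9]\x00){2}")


def header_state(data: bytes) -> str:
    """Classify the file from its first bytes (signature or zeroed page)."""
    sig = data[:4]
    if sig in SIGNATURES:
        return SIGNATURES[sig]
    if data[:4096].count(0) == min(len(data), 4096):
        return "zeroed header (cleared on resume)"
    return "unknown signature %r" % sig


def find_dates(data: bytes):
    """Yield (offset, encoding, 'YYYY-MM-DD') for each date string found."""
    for m in ASCII_DATE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_DATE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def triage(data: bytes) -> dict:
    """Header state, all date hits sorted by offset, and a per-year count."""
    hits = sorted(find_dates(data))
    years = Counter(date[:4] for _, _, date in hits)
    return {"header": header_state(data), "hits": hits, "years": dict(years)}


# Constructed sample: a resumed header, filler, an old ASCII record with a
# user profile path, then a newer UTF-16LE record.
SAMPLE = (b"wake" + b"\x00" * 60
          + b"chrome_update 2015-11-03 C:\\Users\\olduser\\Downloads" + b"\x00" * 20
          + "setup 2016-08-14".encode("utf-16le") + b"\x00" * 20)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["header"])
    for off, enc, date in report["hits"]:
        print(f"offset 0x{off:08x} {enc:8s} {date}")
    print("years:", report["years"])
```

Only uncompressed pages yield string hits, so a missing date is not evidence of anything; for the compressed part of the file run the same scan over the decompressed output of a dedicated hibernation tool.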
MDCR
(@mdcr)
Active Member

Windows was installed in 2016

Fresh install over an older one?

Maybe. But that's interesting: is the file hiberfil.sys not replaced? Is only the file metadata in the file system updated? I will conduct a test and be sure to write about the results.

If you look, there are probably many things left untouched by such a reinstall. While you're at it, look at pagefile.sys as well. Probably not (re)created during reinstall either.

When designing operating systems, no consideration is given to forensic consistency.

@tito what if the BIOS/UEFI or the OS date/time was set back manually? )

Such actions are most likely logged in the event log. During the analysis, there was no data about the change in the date and time.

Yes, there are clearly defined event log IDs for this - if it is changed inside the OS. If it is changed in a boot menu, it is not.

ReplyQuote
Posted : 20/03/2017 11:09 pm