Hibernation File
Overview
Section titled “Overview”Evidence: Hibernation File
Description: Dump hibernation file
Category: Memory
Platform: windows
Short Name: hbr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Section titled “Background”When Windows hibernates, it saves the complete contents of RAM to the hibernation file (hiberfil.sys). This creates a snapshot of all running processes, kernel state, and memory contents at the time of hibernation.
The hibernation file is essentially a compressed memory dump and can be analyzed with memory forensics tools. It persists even after the system resumes from hibernation.
Data Collected
Section titled “Data Collected”This collector gathers structured data about hibernation file.
Hibernation File Data
Section titled “Hibernation File Data”| Field | Description | Example |
|---|---|---|
Type | File type | HibernationFile |
Name | File name | hiberfil.sys |
SourcePath | Original file path | C:\hiberfil.sys |
FilePath | Relative path in evidence | Files/hiberfil.sys |
FileSize | File size in bytes | 17179869184 |
Collection Method
Section titled “Collection Method”This collector collects the hibernation file from:
C:\hiberfil.sys(default location)
The file is collected using driver or NTFS raw access if locked.
Forensic Value
Section titled “Forensic Value”Hibernation files provide a complete memory snapshot from a specific point in time. Investigators use this data for full memory forensic analysis, recovering historical system state, extracting credentials and keys from point of hibernation, analyzing malware present at hibernation time, and reconstructing system state from past hibernation.