Viewing memory on hibernating computers


Windows 7/2008 writes the contents of memory to disk when the computer hibernates. To test this, execute “powercfg /hibernate on” followed by “shutdown /h”. The first command enables hibernation in the power configuration and the second forces the computer to hibernate. Windows then writes memory to hiberfil.sys on the local (C:) partition.

You probably knew that already. But did you know that the contents of hiberfil.sys can be viewed?

Check out the Volatility Framework forensics tool. Volatility has a command that converts the Windows hibernation file (hiberfil.sys) into a raw memory image (dd format) whose bytes can then be scanned and manipulated. The command is:

python \Volatility3\volatility hibinfo -f C:\hiberfil.sys -d C:\YourMemoryHere.dd

Protect your hibernating computers, folks. Your memory is open for forensics.
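A quick way to check whether a machine's hiberfil.sys still carries a memory image, as an added example that is not part of the original post or of Volatility: it reads the four-byte header signature (assumed values "hibr"/"HIBR" for an active image and "wake"/"RSTR" after a resume, when the data is typically left in place) and streams through the file counting the "\x81\x81xpress" magic that precedes each block of compressed pages. The sample bytes are constructed for illustration.

```python
import io

# Assumed header signatures at offset 0 of hiberfil.sys (Windows 7 and
# later); these values are not from the original post.
ACTIVE_SIGS = {b"hibr", b"HIBR"}   # hibernated: image is current
RESUMED_SIGS = {b"wake", b"RSTR"}  # resumed: header stale, data may remain
XPRESS_MAGIC = b"\x81\x81xpress"   # marks each compressed block of pages


def count_xpress_blocks(fp, chunk_size=4 * 1024 * 1024):
    """Count compressed-page block headers while streaming the file,
    keeping a 7-byte tail so a magic split across chunks is not missed."""
    overlap = len(XPRESS_MAGIC) - 1
    count, tail = 0, b""
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            return count
        buf = tail + chunk
        count += buf.count(XPRESS_MAGIC)  # magic cannot overlap itself
        tail = buf[-overlap:]


def header_state(sig):
    """Map the first four bytes of the file to a hibernation state."""
    if sig in ACTIVE_SIGS:
        return "active"
    if sig in RESUMED_SIGS:
        return "resumed"
    if sig == b"\x00\x00\x00\x00":
        return "zeroed-header"
    return "unknown"


def classify(sig, blocks):
    state = header_state(sig)
    return {"state": state, "xpress_blocks": blocks,
            "memory_likely_present": state == "active" or blocks > 0}


def classify_bytes(data, chunk_size=4 * 1024 * 1024):
    """Classify an in-memory copy of a hibernation file."""
    return classify(data[:4], count_xpress_blocks(io.BytesIO(data), chunk_size))


def inspect_file(path, chunk_size=4 * 1024 * 1024):
    """Classify an on-disk hiberfil.sys without loading it whole."""
    with open(path, "rb") as fp:
        sig = fp.read(4)
        fp.seek(0)
        return classify(sig, count_xpress_blocks(fp, chunk_size))


# Constructed sample: a resumed header followed by two compressed blocks.
SAMPLE = b"wake" + b"\x00" * 60 + XPRESS_MAGIC + b"\x00" * 24 + XPRESS_MAGIC + b"\xff" * 8

if __name__ == "__main__":
    print(classify_bytes(SAMPLE))
```

A "resumed" file that still contains blocks is the case to watch for; disabling hibernation with "powercfg /hibernate off" removes the file, and full-disk encryption keeps it unreadable to an offline reader.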
