Hibernation File
Overview
Evidence: Hibernation File
Description: Dump hibernation file
Category: Memory
Platform: windows
Short Name: hbr
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
When Windows hibernates, it saves the complete contents of RAM to the hibernation file (hiberfil.sys). This creates a snapshot of all running processes, kernel state, and memory contents at the time of hibernation.
The hibernation file is essentially a compressed memory dump and can be analyzed with memory forensics tools. It persists even after the system resumes from hibernation.
Data Collected
This collector gathers structured data about the hibernation file.
Hibernation File Data

Field        Description                  Example value
Type         File type                    HibernationFile
Name         File name                    hiberfil.sys
SourcePath   Original file path           C:\hiberfil.sys
FilePath     Relative path in evidence    Files/hiberfil.sys
FileSize     File size in bytes           17179869184
Collection Method
This collector collects the hibernation file from:
C:\hiberfil.sys (default location)
If the file is locked, it is collected using the driver or NTFS raw access.
Forensic Value
Hibernation files provide a complete memory snapshot from a specific point in time. Investigators use this data for full memory forensic analysis, recovering historical system state, extracting credentials and keys from the point of hibernation, analyzing malware present at hibernation time, and reconstructing system state from a past hibernation.
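Before handing a collected Files/hiberfil.sys to a memory forensics tool, it is worth checking that the file actually holds a usable image. The following script is an added example and is not part of this collector or its product code: it inspects the header signature (the commonly documented "hibr" at hibernation and "wake" after resume on older Windows versions), streams the file to record its size and SHA-256, and emits a record shaped like the Hibernation File Data table above. The zeroed-first-page case is an assumption about how some newer builds behave on resume, and the sample bytes are constructed.

```python
import hashlib
import io

# Header signatures commonly documented for hiberfil.sys (first 4 bytes).
HIBER_SIGNATURES = {
    b"hibr": "intact",    # written at hibernation: memory image should be usable
    b"wake": "resumed",   # rewritten on resume by older Windows versions
}
PAGE = 4096

def classify_hiberfil(first_page: bytes) -> str:
    """Return 'intact', 'resumed', 'zeroed', 'too_short' or 'unknown'."""
    if len(first_page) < 4:
        return "too_short"
    state = HIBER_SIGNATURES.get(first_page[:4].lower())
    if state:
        return state
    # Assumption: some newer builds wipe the first page on resume. The rest of
    # the file can still hold recoverable memory, so flag it instead of discarding.
    if not any(first_page[:PAGE]):
        return "zeroed"
    return "unknown"

def build_record(source_path: str, fh) -> dict:
    """Stream the file (16 GiB is realistic) for size and SHA-256; build the record."""
    first_page = fh.read(PAGE)
    digest = hashlib.sha256(first_page)
    size = len(first_page)
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        digest.update(chunk)
        size += len(chunk)
    name = source_path.rsplit("\\", 1)[-1]
    return {
        "Type": "HibernationFile",
        "Name": name,
        "SourcePath": source_path,
        "FilePath": f"Files/{name}",
        "FileSize": size,
        "HeaderState": classify_hiberfil(first_page),
        "SHA256": digest.hexdigest(),
    }

def record_from_bytes(source_path: str, data: bytes) -> dict:
    """Wrapper for in-memory samples; use open(path, 'rb') for a real collected file."""
    return build_record(source_path, io.BytesIO(data))

# Constructed samples: a header page followed by one page of filler "memory".
SAMPLE_INTACT = b"hibr" + b"\x00" * (PAGE - 4) + bytes(range(256)) * 16
SAMPLE_RESUMED = b"wake" + b"\x00" * (PAGE - 4) + bytes(range(256)) * 16
```

A "resumed" or "zeroed" result does not mean the evidence is worthless, only that the header is not trustworthy and the analyst should expect carving rather than a clean conversion.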