Skip to main content
SpringerLink
Log in

Windows 10 Hibernation File Forensics

  • Conference paper
  • First Online:
Intelligent Computing (SAI 2020)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1230))

Included in the following conference series:

Abstract

Memory forensics is an essential part of any computer forensics investigation. Main memory provides valuable evidences, which may otherwise not be retrievable from hard drive. In cases when capturing main memory image is not possible, hibernation files are good source of information. The aim of this research is to show the importance of hibernation file forensics in a computer forensics investigation. Specifically, we focus on retrieving evidential information related to the use of Facebook and Instagram. Firstly, we develop a process that can simplify the task of hibernation file forensics. The proposed process explores concepts, tools, techniques and methodologies most suitable for Windows 10 hibernation file acquisition and analysis. Subsequently, we use the proposed process to experimentally demonstrate the extraction of critical personal and confidential information related to Facebook and Instagram activities, from hibernation file. The extracted data can be used to establish a link between the suspect and the evidences.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Cai, L., Sha, J., Qian, W.: Study on forensic analysis of physical memory. In: 2nd International Symposium on Computer, Communication, Control and Automation (3CA 2013), pp 221–224 (2013)

    Google Scholar 

  2. Ayers, A.L.: Windows Hibernation and Memory Forensics, A Capstone Project Submitted to the Faculty of Utica College, April 2015, UMI Number: 1586690

    Google Scholar 

  3. Singh, A., Sharma, P., Nath, R.: Role of hibernation file in memory forensics of windows 10. Int. J. Sci. Eng. Res. 7(12), 42–47 (2017), ISSN 2229-5518

    Google Scholar 

  4. Sylve, J.T., Marziale, V., Richard, G.G.: Modern windows hibernation file analysis. Dig. Invest. 20, 16–22 (2016). https://doi.org/10.1016/j.diin.2016.12.003

    Article  Google Scholar 

  5. Carvey, H.: Windows Forensic Analysis DVD Toolkit. Syngress Publishing Inc., Burlington (2007)

    Google Scholar 

  6. Carrier, B.D., Grand, J.: A hardware-based memory acquisition procedure for digital investigations. Dig. Invest. 1, 50–60 (2004)

    Article  Google Scholar 

  7. Ruff, N., Suiche, M.: Enter Sandman (why you should never go to sleep). In: PacSec Applied Security Conference (2007)

    Google Scholar 

  8. Mrdovic, S., Huseinovic, A., Zajko, E.: Combining static and live digital forensic analysis in virtual environment. In: 2009 XXII International Symposium on Information, Communication and Automation Technologies (2009). https://doi.org/10.1109/icat.2009.5348415

  9. Suiche, M.: Your favorite Memory Toolkit is back… FOR FREE! – Comae Technologies. https://blog.comae.io/your-favorite-memory-toolkit-is-back-f97072d33d5c

  10. Shariq, M., et al.: A tool for extracting static and volatile forensics artifacts of Windows 8.x Apps. IFIP Adv. Inf. Commun. Technol. Adv. Dig. Forensics XI, 462, 305–320 (2015). https://doi.org/10.1007/978-3-319-24123-4_18

  11. Singh, A., Sharma, P., Nat, R.: Role of hibernation file in memory forensics of windows 10. Int. J. Sci. Eng. Res. 7(12), 42–47 (2016)

    Google Scholar 

  12. Malin, C.H., Casey, E., Aquilina, J.M.: Memory Forensics. Malware Forensics Field Guide for Windows Systems, 93–154 (2012). https://doi.org/10.1016/b978-1-59749-472-4.00002-0. http://index-of.es/Varios-2/Malware%20Forensics%20Field%20Guide%20for%20Windows%20Systems.pdf

  13. Hörz, M. (n.d.): HxD - Freeware Hex Editor and Disk Editor. https://mh-nexus.de/en/hxd/

  14. SourgeForge. (n.d.). Foremost. http://foremost.sourceforge.net/

  15. Bulk Extractro. https://www.forensicswiki.org/wiki/Bulk_extractor

Download references

Author information

Authors and Affiliations

  1. University of North Georgia, Dahlonega, GA, 30597, USA

    Ahmad Ghafarian & Deniz Keskin

Authors
  1. Ahmad Ghafarian
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Deniz Keskin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ahmad Ghafarian .

Editor information

Editors and Affiliations

  1. Faculty of Science and Engineering, Saga University, Saga, Japan

    Kohei Arai

  2. The Science and Information (SAI) Organization, Bradford, West Yorkshire, UK

    Supriya Kapoor

  3. The Science and Information (SAI) Organization, Bradford, West Yorkshire, UK

    Rahul Bhatia

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ghafarian, A., Keskin, D. (2020). Windows 10 Hibernation File Forensics. In: Arai, K., Kapoor, S., Bhatia, R. (eds) Intelligent Computing. SAI 2020. Advances in Intelligent Systems and Computing, vol 1230. Springer, Cham. https://doi.org/10.1007/978-3-030-52243-8_31

Download citation

Publish with us

Policies and ethics

Search

Navigation