Hibernation File

With Windows 2000, XP, Vista, and Windows 7 allowing the computer to “hibernate” is an option. For a machine to power off and go to sleep and yet come back to life at the precise point where it went to sleep, the contents of RAM must be written to a file. Hence, you have the hibernation file, named hiberfil.sys, which is located in the root of the system drive.

Because the total contents of RAM are written to this file, this file will be the size of your system’s RAM memory. If the computer has never been in a hibernation mode, the file will still be the same size as your system RAM but will be filled with 00h characters. Once it has been in the hibernation mode, the contents will reflect the last time the machine was in hibernation ...

Get EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

EnCE EnCase Computer Forensics: The Official EnCase Certified Examiner Study Guide, 3rd Edition by

Hibernation File

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly