Restoring from previous hibernation file?

[kharl]

Hello guys!
I know this is an old discussion, but all the talk i have sen about it are more than 8 years old.
Id like to know if anyone has heard of anything new about this i resume my computer from hibernation then i accidentally put it to sleep then i did removed the battery (because i thought it was hibernating) and when i turn it on, surprise, a new session and i said, ops!
i quickly went to my hibernation and page file and they still have the modified date of the last successful hibernation and then did a copy of them to a safe location.


btw, i am only interested in the unsaved notepad files
What can i do?
(help

)

 

[SIW2]

Powerful New Version of Digital Forensics Tool Hibernation Recon Launched -- Arsenal Recon | PRLog

https://www.cct.lsu.edu/~golden/Papers/sylvehiber.pdf

 

[kharl]

https://www.cct.lsu.edu/~golden/Papers/sylvehiber.pdf

any comment?

 

[SIW2]

forensics

Powerful New Version of Digital Forensics Tool Hibernation Recon Launched -- Arsenal Recon | PRLog

The [ open source ] Volatility Framework, found online at http://code.google.com/p/volatility/, can provide you access to the contents of a Windows hibernation file and allow you to analyze it just as if it were a memory dump. In order to install the Volatility Framework on your system, consult the Volatility Framework wiki for the appropriate instructions (as of the time of this writing, Jamie Levy, a volunteer with the Volatility project, has graciously compiled detailed installation instructions for version 1.4 of the framework).

Release Downloads | volatilityfoundation

Hibernation File - an overview | ScienceDirect Topics

 

[kharl]

it looks promising

- - - Updated - - -

and i am kind of lost, still reading, i need phyton to make validity to work right?

- - - Updated - - -

have no idea how to use volatility, i installed phyton and run the exe file of volatility but i see nothing installed

 

[SIW2]

Re the hiberfile - as far as I know, none of the regulars here are forensic analysts.

I dont know if it might have been possible to recover your notepad file from the disk using well known data recovery tools. Probably less likely now you have been using that drive.

You would need to ask on a forensics forum.

 

[kharl]

Re the hiberfile - as far as I know, none of the regulars here are forensic analysts.

I dont know if it might have been possible to recover your notepad file from the disk using well known data recovery tools. Probably less likely now you have been using that drive.

You would need to ask on a forensics forum.

i was about to ask you if you know how to use it lol

i have nice recovery tools installed BUT the note pad were unsaved

 

[LMiller7]

It should be possible to access the contents of the hibernation file but there are complications. While Windows is running the pagefile and hibernation file are locked for exclusive system access. No application access is allowed. You would have to access the hibernation file from another OS, such as a live Linux drive, or use special software. I have nor done this.

You will not be able to restore a previous session from the hibernation file. This is by design. When the system is put into hibernation a special signature is written to the hibernation file to mark it as valid. When the computer is later started the hibernation file is checked for a valid signature. If present a resume from hibernation is done, otherwise a normal startup. As part of the restore process the signature is removed. This ensures that the hibernation file cannot be reused. I won't go into the details but restoring from a previously used hibernation file is highly likely to result in data corruption, and/or a system crash. That is why it is prevented.

 

[kharl]

I am having hard time contacting the people of Arsenal for some questions about Hibernation Recoon but no luck