The sources of memory dump
We can consider a memory dump during the incident response process as the main source for memory forensics. However, what if we have a powered off machine or, for any reason, we couldn't acquire the memory of the machine? The question here is do we have any other way to conduct memory forensics? Fortunately, we have a positive answer for this question in many situations. Let's see what they are.
Hibernation file
Hibernation is a power option in most operating systems, including Windows OS. In this mode, the system copies the memory, which is volatile, to a single file named hiberfil.sys
, which is located under the system root in the hard disk, which is non-volatile, and completely shuts down the machine. When the user ...
Get Practical Windows Forensics now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.