hiberfil.sys
What is hiberfil.sys?
The compressed Windows hibernation file that stores a near-complete snapshot of physical memory at hibernation time, providing forensic access to RAM contents from a powered-off system.
When Windows hibernates or performs a Fast Startup shutdown, the kernel writes a compressed image of physical memory to C:\hiberfil.sys before powering off. The file uses Xpress-Huffman compression and contains process lists, network connections, loaded modules, kernel structures, and userland data exactly as they existed at hibernation. Forensic analysts decompress hiberfil.sys with tools such as Volatility's hibinfo, hibr2bin, or Hibernation Recon, then treat the resulting raw image like a memory dump. This is especially useful when the host is found powered off: it yields evidence about processes, injected code, and credentials that would otherwise be unrecoverable. Modern Windows often uses Hiberboot (Fast Startup), so even a normal shutdown can leave a usable hiberfil.sys on disk.
● Examples
- Reconstructing a live malware process tree from hiberfil.sys after a laptop was seized in its sleeve.
- Extracting plaintext SSH session keys from kernel memory captured during the last hibernation.
● Frequently asked questions
What is hiberfil.sys?
See the definition at the top of this page. hiberfil.sys belongs to the Forensics & IR category of cybersecurity.
How do you defend against hiberfil.sys?
hiberfil.sys is a forensic artifact rather than an attack technique, so "defending against" it means controlling what the file exposes: as the definition above notes, it preserves RAM contents, including credentials, that remain readable from the disk after the machine is powered off. Defences therefore combine technical controls over the file and the disk it lives on with operational practices for how hibernated or Fast Startup machines are handled.
What are other names for hiberfil.sys?
Common alternative names include: Hibernation file, Windows hibernation image.
● Related terms
- pagefile.sys (forensics-ir № 787): The Windows virtual-memory swap file on the system volume that can contain fragments of process memory, including credentials, keys, command lines, and decrypted payloads.
- Order of Volatility (forensics-ir № 766): The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
- Amcache.hve (forensics-ir № 043): A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- MFT (Master File Table) (forensics-ir № 677): The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
- Prefetch Files (forensics-ir № 850): Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.