Latest Versions:   Arsenal Image Mounter 2.4.26  |   Hibernation Recon  |   Registry Recon  |   Purchase
Arm Yourself & Stay Informed!
Thank you! Your information has been saved and we will keep you informed of news and updates regarding Arsenal Recon and our products.

*required field

The information you submit here will be used to send you Arsenal Recon updates (for example - notification of new software, Insight posts, etc).


The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now!

Hibernation Recon has been developed to not only support memory reconstruction from Windows XP, Vista, 7, 8/8.1, and 10 hibernation files, but to properly identify and extract massive volumes of information from the multiple types (and levels) of slack space that often exist within them. Proper exploitation of hibernation files allows digital forensics experts to “look back in time” and uncover compelling evidence from Windows computers. Digital forensics experts can no longer afford to analyze electronic evidence without extracting maximum value from Windows hibernation files.

Hibernation Recon, along with all our other tools, is available as part of an affordable monthly subscription - currently, $49 per month. If Hibernation Recon is run without a license, a “Free Mode” is provided which supports the extraction of active contents from both legacy and modern Windows hibernation files. Please contact sales regarding discounts for volume licensing.


  • Windows XP, Vista, 7, 8/8.1, and 10 hibernation file support
  • Active memory reconstruction
  • Identification and extraction of multiple levels of slack space
  • Brute force decompression of partially overwritten slack
  • Segregation of extracted slack based on particular hibernations
  • Proper handling of legacy hibernation data found in modern hibernation files
  • NTFS metadata recovery with human-friendly decoding
  • Parallel processing of multiple hibernation files


Hibernationrecon requires Microsoft Windows 8 or later. 


How can I run the command line interface version of Hibernation Recon?

Running Hibernation Recon from the Windows console is quite simple (you can see all switches by simply running “HibRec”):

HibRec /HiberFill=(FullPath)

What are the “Legacy” and “Modern” hibernation formats?

Legacy hibernation format, used by Windows XP, Vista, and 7, applies XPRESS compression to hibernation data. Modern hibernation format, used by Windows 8/8.1 and 10, applies XPRESS compression with Huffman encoding to hibernation data.

What are the output files created by Hibernation Recon?

Output Filename Description
ActiveMemory.bin Active memory decompressed & reconstructed
DecompressedSlackLegacy.bin All levels of slack (Legacy format) decompressed & placed in one output file
DecompressedSlackModern.bin All levels of slack (Modern format) decompressed & placed in in one output file
Slack (Legacy format) decompressed & placed in multiple output files by slack level
Slack (Modern format) decompressed & placed in multiple output files by slack level
RawSlackLegacy.bin Raw slack (Legacy format) from all slack levels placed in one output file
RawSlackModern.bin Raw slack (Modern format) from all slack levels placed in one output file
RawSlackChunks/RawSlackChunk_(Decimal Offset)_(Hex_Offset).bin Raw slack placed in multiple output files by chunk
NonZeroAfterValidSlack.bin Non-zero data after all valid levels of slack
AllSlack.bin All levels of slack (Modern & Legacy formats) decompressed, raw, and non-zero in one output file
Indx_I30_Entries.csv Indexed folder content (a/k/a $I30 data) from active and slack space of NTFS INDX records
Indx_ObjIdO_Entries.csv Indexes of linked files (a/k/a $O data) from active and slack space of NTFS INDX records
HibRec.log Hibernation Recon log file

What can I do with the output from Hibernation Recon?

You can load decompressed and reconstructed memory (ActiveMemory.bin) into your memory forensics toolkits and run your other tools against all the output from Hibernation Recon to extract many kinds of artifacts. We will begin adding artifact recovery to the next major version of Hibernation Recon.

Do I need an Internet connection for Hibernation Recon licensing?

You only need an Internet connection for Hibernation Recon when you initially enter your license code and when you renew your license. If you cannot connect to the Internet, see the air-gapped workstation instructions below.

How can I license Hibernation Recon on an air-gapped (a/k/a offline) workstation?

If you want your air-gapped workstation properly licensed for Hibernation Recon, please:

  • Open Hibernation Recon and enter the license code you were given
  • Upon realizing that no Internet connection is available, Hibernation Recon will save a ".LIC" file to your ProgramData\ArsenalRecon folder
  • On a workstation with Internet access, go to our Offline Activation page and upload the ".LIC" file.
  • Finally, copy the CDM file you receive to your ProgramData\ArsenalRecon folder

Your air-gapped workstation is now ready to run Hibernation Recon!

What are some examples of problematic hibernation files?

Hibernation Recon does not currently support the processing of BitLocker, TPM-impacted, or empty (yes, we had to say that!) hibernation files. If you find that Hibernation Recon has not processed your hibernation file, please determine whether BitLocker and/or TPM is in play and whether the file contains any significant volume of non-zero data. If you are still unsure why Hibernation Recon has not processed a particular hibernation file, please contact support and we will assist you.

How can a hibernation file be zeroed out?

Windows hibernation files are essentially zeroed out when the ClearPageFileAtShutdown Registry setting is enabled or after Windows 8/8.1 and 10 resume on SSDs.

What impact does Fast Boot/Fast Startup have on Windows hibernation?

Windows 8/8.1 and Windows 10 normally have “Fast Boot” or “Fast Startup” functionality (hereafter “Fast Boot”) enabled by default. Windows shutdowns on a Fast Boot enabled system will write kernel memory (filesystem drivers, other drivers, Registry data, etc.), all system services that normally run in background, and other user mode processes that do not belong to any specific user session to the hibernation file. Although all user sessions are logged out before this writing to the hibernation file occurs, much more than kernel memory is taken into account. Of course, a “normal” or “complete” hibernation when a user is logged into Windows will result in much more data being written to the hibernation file.

What kinds of advanced NTFS metadata recovery does Hibernation Recon provide?

Hibernation Recon currently supports the extraction and human-friendly decoding of NTFS INDX data. More specifically, we are targeting INDX records containing indexed folder content (a/k/a $I30 data normally found in $I30 metafiles) and indexes of linked files (a/k/a $O data, normally found in $O metafiles, which contains Object IDs or Object Identifiers). Of course, in true Arsenal fashion, we do not only exploit the active space within recovered INDX records but their slack space as well.

How would you describe Object IDs?

NTFS supports the use of “object identifiers” (also known as OBJECT_ID attributes or Object IDs), which improves the ability of the Microsoft Windows operating system to track files in situations that can include renaming and moving (but not copying) those files. Object identifiers can be appended to a file’s $MFT record when a file is moved, created, or first opened. Object identifiers do not “travel” with files to removable storage devices, but object identifiers can be created on removable storage devices when files are first moved to, created on, or first opened there. It should be noted that whether Object IDs are first appended to a file's $MFT record when the file is created or first opened can be dependent upon the application that created or first opened it. You can learn more about how to apply Object IDs in your analysis by reading Harry Parsonage's The Meaning of LIFE document.

Coming Soon

All subscription users are eligible for software updates for the duration of their subscription. Legacy license holders are eligible for updates for the duration of their SMS. We continue to work on more aggressive NTFS metadata recovery, hibernation carving and other features!