Memory Capture via Hibernation File

If you are having a hard time getting a memory capture using commercial tools, have no fear, Microsoft to the rescue! Starting with Win2K, each version of Windows has supported OS hibernation. When you put a system into hibernation, it creates a hiberfil.sys file on the root of the filesystem (in most cases, C:\). That in itself is a capture of memory. The only problem is that you can’t just right-click and copy the file as it is locked. You could possibly copy by booting into safe mode (I haven’t tried it), slave the hard drive to another system and copy that way, or use some third-party program. The one that I recommend is X-ways WinHex. There is a free version of the software but due to the size of the hibernation file, you will need the licensed version, which costs $222.

Assuming you have the licensed version, below are the steps to copy the hibernation file.

1) Verify there is a hiberfil.sys file on the root of your filesystem (most likely c:\). If the file is not there, ensure hibernation is enabled and then put your system into hibernation. Once powered off, turn it back on and check again.

2) Open WinHex

3) From the toolbar, select Tools and then Open Disk

4) Select the drive in which the hibernation file resides and then click ‘OK’

5) Click ‘Take New One’

6) Locate the Hiberfil.sys file, right-click it and select ‘Recover/Copy’

7) Select a location to copy the file and click ‘Ok’

8) Once complete, you will be prompted with a successful copy message