...

We have made some changes to the standard data recovery profiles, adding new configuration parameters that allow more accurate recovery of data in certain scenarios; these are highlighted below.  We have also added an option for setting a code page, which enhances our multi-language support: recovered strings can now be converted into readable form using the same code page that the source system used when the data was originally written to disk.

...

This professional module processes a Windows hibernation file (hiberfil.sys) and converts it into a raw memory dump output file that can then be searched by Blade.  A hibernation file stores memory in blocks of data compressed with the Xpress compression algorithm, as documented on MSDN.  The converter module decompresses these Xpress blocks and writes out the pages of memory they contain, each assembled back into its correct page slot in the output file.  The resulting output file is therefore an ordered dump of the pages of memory that were in use when the source computer entered hibernation.

The module supports hibernation files from Windows XP, Vista and 7, both 32-bit and 64-bit.  It works out the source operating system from the structure of the hibernation file.  If it is an 'active' hibernation file (i.e. hiberfil.sys was captured while the source computer was in hibernation) it will still have its file header, and information such as the system time at which hiberfil.sys was written is extracted from it.  If the hibernation file is 'inactive' (i.e. the source computer had been successfully resumed from hibernation before the file was captured) the file header has been zeroed out, but the Xpress block data still exists in the file and can be read and converted by the module.

To provide traceability back to the original data, the module has the option to log exactly how each Xpress block in the original hiberfil.sys file has been mapped to the pages in the output file.

Depending on how many pages of memory were actually in use when the hibernation file was written, there may still be a large number of Xpress blocks in the hiberfil.sys file slack.  These blocks are left over from previous hibernations; they are not mapped as being currently in use and therefore cannot be placed in the memory dump output file.  The module provides the option to search for and decompress these 'slack' Xpress blocks.  They are written to a separate slack output file and, for traceability, their mapping is also logged.
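The two pieces of Xpress block handling described above, as an added example that is not Blade's code: a decompressor for the plain LZ77 variant of Xpress (the algorithm in section 2.4.4 of Microsoft's MS-XCA specification, which is what hiberfil.sys blocks use), with checks for truncated streams and for back-references that reach before the start of the output, and a signature scanner of the kind needed to find slack blocks that the in-use page map no longer references.  The 8-byte block signature `\x81\x81xpress` is taken from public documentation of the format; the 32-byte header length is an assumption, and the header's size fields are not decoded here, so the caller supplies the expected output size.  The alphabet test vector is the worked example from the MS-XCA specification; the other vectors are constructed for this example.

```python
"""Xpress block decoding and signature scanning for hibernation-file analysis.

Added example, not Blade's code.  xpress_decompress() implements the plain LZ77
algorithm from section 2.4.4 of Microsoft's MS-XCA specification, which is the
Xpress variant used for hiberfil.sys blocks.  Only the block signature is relied
on; the header length is an assumption and its size fields are not decoded here.
"""
import struct

XPRESS_SIGNATURE = b"\x81\x81xpress"  # 8-byte marker at the start of every Xpress block
XPRESS_HEADER_SIZE = 32               # assumed header length (signature + size fields)


class XpressError(ValueError):
    """Malformed or truncated compressed stream."""


def _need(src: bytes, pos: int, count: int) -> None:
    """Raise if `count` bytes are not available at `pos`."""
    if pos + count > len(src):
        raise XpressError("truncated input at offset %d" % pos)


def xpress_decompress(src: bytes, max_out: int) -> bytes:
    """Decode one plain-LZ77 Xpress stream into at most `max_out` bytes.

    Decoding stops when `max_out` bytes have been produced or when a set flag
    bit is met with no input left (the encoder pads the last flag word with ones).
    """
    out = bytearray()
    pos = 0
    flags = flag_count = 0
    half_byte_pos = -1  # position of a length byte whose high nibble is still unused

    while len(out) < max_out:
        if flag_count == 0:
            if pos + 4 > len(src):
                break  # no further flag word: stream ends here
            flags = struct.unpack_from("<I", src, pos)[0]
            pos += 4
            flag_count = 32
        flag_count -= 1
        if not (flags >> flag_count) & 1:  # clear bit: one literal byte
            _need(src, pos, 1)
            out.append(src[pos])
            pos += 1
            continue
        if pos >= len(src):
            break  # set bit with nothing behind it: end-of-stream padding
        _need(src, pos, 2)
        match = struct.unpack_from("<H", src, pos)[0]
        pos += 2
        length = match & 7          # low 3 bits: length - 3, or 7 = "extended"
        offset = (match >> 3) + 1   # high 13 bits: distance - 1
        if length == 7:
            if half_byte_pos < 0:   # first use of a nibble byte: take its low nibble
                _need(src, pos, 1)
                length = src[pos] & 0x0F
                half_byte_pos = pos
                pos += 1
            else:                   # second use: take the high nibble saved earlier
                length = src[half_byte_pos] >> 4
                half_byte_pos = -1
            if length == 15:        # still not enough: one more byte
                _need(src, pos, 1)
                length = src[pos]
                pos += 1
                if length == 255:   # and finally a full 16-bit length
                    _need(src, pos, 2)
                    length = struct.unpack_from("<H", src, pos)[0]
                    pos += 2
                    if length < 15 + 7:
                        raise XpressError("invalid long match length at offset %d" % pos)
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise XpressError("match offset %d points before start of output" % offset)
        length = min(length, max_out - len(out))
        for _ in range(length):     # byte-wise copy: the match may overlap itself
            out.append(out[-offset])
    return bytes(out)


def find_xpress_blocks(image: bytes, start: int = 0):
    """Yield the offset of every Xpress block signature at or after `start`.

    Walking the whole file this way, instead of following the in-use page map,
    is what surfaces 'slack' blocks left behind by earlier hibernations.
    """
    pos = image.find(XPRESS_SIGNATURE, start)
    while pos != -1:
        yield pos
        pos = image.find(XPRESS_SIGNATURE, pos + len(XPRESS_SIGNATURE))


# Test vectors.  SPEC_ALPHABET is the worked example from MS-XCA; the others are
# constructed for this example.
SPEC_ALPHABET = bytes.fromhex("3f000000") + b"abcdefghijklmnopqrstuvwxyz"
# "abc" followed by a match of offset 3, length 12 (nibble-extended length field).
MATCH_SAMPLE = bytes.fromhex("ffffff1f") + b"abc" + bytes.fromhex("170002")
# Two block signatures in a zero-filled buffer, at offsets 100 and 300.
SAMPLE_IMAGE = b"\x00" * 100 + XPRESS_SIGNATURE + b"\x00" * 192 + XPRESS_SIGNATURE + b"\x00" * 50

if __name__ == "__main__":
    print(xpress_decompress(SPEC_ALPHABET, 4096))
    print(xpress_decompress(MATCH_SAMPLE, 15))
    print(list(find_xpress_blocks(SAMPLE_IMAGE)))
```

Passing a `max_out` larger than the real block size, as the alphabet case does, shows the padding rule in action: the decoder returns only the bytes the stream actually encodes rather than reading past its end.  A signature hit from `find_xpress_blocks` is only a candidate; a real tool would still have to validate the header and decompress the block before trusting it, which is exactly the step a slack block from an older hibernation may fail.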

...