If the hibernation file is 'inactive' (i.e. the hiberfil.sys file was captured while the source computer was in hibernation) it will still have its file header and information such as the system time when the hiberfil.sys was written is extracted. If it is an 'active' hibernation file (i.e. It is able to intelligently work out the source operating system from the structure of the hibernation file. The module supports hibernation files from Windows XP, Vista and 7, both 32-bit and 64-bit. The resulting output file is therefore an ordered dump of the pages of memory that were in use when the source computer entered hibernation. The converter module decompresses these xpress blocks and writes out the pages of memory they contain, all assembled back into their correct page slots in the output file. A hibernation file contains blocks of data compressed using the Xpress Compression algorithm as documented on MSDN. This professional module processes a Windows hibernation (hiberfil.sys) file and converts it into a raw memory dump output file that can then be used for subsequent searching by Blade. We will be making some further enhancements to the recovery profile options with the release of Blade v1.10 which will extend Blade's data recovery abilities. As "Use Length Multiplier" has been activated, Blade will read the length marker at offset 4 and multiply it by 128 thereby identifying the correct record length. The "Data Length Multiplier" is a fixed length of 128 bytes. Figure 3 shows the 'Data Length Marker' at offset 4, which is an unsigned 32bit integer. To establish the length of the record, you would take the length marker and multiply it by 128. Internet Explorer uses a 128 byte block length. At byte offset 4 for each record, there is a record length marker which indicates how many blocks are required for the full record. The examples shown above relate to Internet Explorer URL entries within an INDEX.DAT file. Some examples where this could be very useful is in the recovery of SQLite databases, or individual Microsoft Internet Explorer INDEX.DAT records. This allows us some additional scope for data recovery where a length marker may relate to an object size and not necessarily a marker for the length of the entire object or file. We have added a new field which relates to a multiplier for the data length marker. The third tab relates to the file (or record) length information. For a full list of all the changes in this release, please see: Change Log v1.9. The searching speed has been significantly increased. We have also been working on the data recovery engines to make them more efficient and much faster than before. We have also modified some of the standard recovery profiles to make them more accurate, as well as adding new recovery profiles such as: We have also added an option for setting a code-page, which enhances our multi-language support this means that these strings can now be converted into a readable form using the same code page that was used by the source system when the data was originally saved to disk.įor this release, we have added two new Professional Recovery Modules: This allows for more accurate recovery of data in certain scenarios, which are highlighted below. We have made some changes to the standard data recovery profiles, which provide additional capability through new configuration parameters for recovering data. When Blade is installed on a workstation for the first time (and a valid USB dongle licence is not inserted) the software will function in evaluation mode. This is the first release of Blade to have evaluation capabilities which allow the user to test and evaluate our software for 30 days. This release of Blade ( Change Log v1.9) brings a number of fixes and some great new features. Introduction to the New Features of Blade v1.9
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |