Microsoft Windows supports a suspend-to-disk mode, better known as hibernation. When the system is hibernated (not merely put into sleep/standby, which keeps RAM powered), it writes the in-use pages of physical memory together with the CPU context to a file called hiberfil.sys in the root of the system volume. Nicolas Ruff and Matthieu Suiche developed a library, called Sandman, that can read and write the hibernation file. They recently presented their results at PacSec 07.
Hibernation can come in handy in a forensic investigation. Hibernating the machine preserves the most important parts of its main memory, plus the CPU context, on disk in a single file, and it does so with the operating system's own code, without loading an acquisition tool into the very memory you want to capture. If hibernation is already enabled, hiberfil.sys has already been allocated (roughly the size of RAM), so writing the image does not overwrite unallocated disk space that might hold evidence, whereas a forced crash produces a new dump file whose blocks may land on exactly that space. Two caveats: enabling hibernation on the spot allocates the file and therefore does overwrite free space, and hibernation is still an orderly shutdown in which the OS flushes buffers and updates filesystem and registry state, so it is not a zero-footprint acquisition.
The presentation outlines the format of the hibernation file. It also briefly discusses the variations between different OS versions and mentions the compression algorithms involved.
With the help of the Sandman library the hibernation file can be converted into a raw memory dump, and possibly also into a crash dump that a debugger can load, because the CPU state is preserved as well. Unfortunately the library is not yet available to the public.
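Before handing a hibernation file to a converter, it is worth checking that it is actually an intact image and roughly how much data it carries. The script below is an added example, not Sandman's code, and it deliberately decompresses nothing. It rests on three assumptions about the on-disk format, each also marked in the code: the file opens with a header whose 4-byte signature is "hibr" (Windows XP through 7) or "HIBR" (Windows 8 and later); Windows invalidates that header after a successful resume by zeroing the first page, while later pages may still hold memory contents; and compressed memory chunks are introduced by the 8-byte marker 0x81 0x81 "xpress". The sample file built by make_sample() is constructed for the demonstration and is not a real capture.

```python
"""Quick triage of a Windows hibernation file (hiberfil.sys).

Added example, not Sandman's own code. Assumptions (not taken from the post):
  * the first page carries a 4-byte signature b"hibr" (XP..7) or b"HIBR" (8+);
  * after a successful resume the first page is zeroed, so an all-zero first
    page means "header invalidated", not "empty file";
  * compressed chunks start with the 8-byte marker 0x81 0x81 "xpress";
  * the page size is 4096 bytes.
"""
import mmap
import sys

PAGE_SIZE = 4096
VALID_SIGNATURES = (b"hibr", b"HIBR")       # assumption, see module docstring
XPRESS_MARKER = b"\x81\x81xpress"           # assumption, see module docstring


def classify_header(data) -> str:
    """Return 'intact', 'invalidated' or 'unknown' for the header page."""
    first_page = data[:PAGE_SIZE]
    if first_page[:4] in VALID_SIGNATURES:
        return "intact"
    if not any(first_page):            # every byte zero: header wiped on resume
        return "invalidated"
    return "unknown"


def find_xpress_blocks(data) -> list:
    """Offsets of every compressed-chunk marker, in file order."""
    offsets = []
    pos = data.find(XPRESS_MARKER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(XPRESS_MARKER, pos + len(XPRESS_MARKER))
    return offsets


def count_zero_pages(data) -> int:
    """Pages that are entirely zero, i.e. never written since allocation."""
    zero_page = bytes(PAGE_SIZE)
    count = 0
    for off in range(0, len(data), PAGE_SIZE):
        chunk = data[off:off + PAGE_SIZE]
        if bytes(chunk) == zero_page[:len(chunk)]:   # last page may be partial
            count += 1
    return count


def triage(data) -> dict:
    """Summarise the file well enough to decide whether conversion is worthwhile."""
    blocks = find_xpress_blocks(data)
    return {
        "header": classify_header(data),
        "pages": -(-len(data) // PAGE_SIZE),          # ceiling division
        "zero_pages": count_zero_pages(data),
        "xpress_blocks": len(blocks),
        "first_xpress_offset": blocks[0] if blocks else None,
    }


def make_sample() -> bytes:
    """Constructed stand-in for a tiny hiberfil.sys; not a real capture."""
    header = b"hibr" + bytes(PAGE_SIZE - 4)                   # page 0: intact header
    unused = bytes(PAGE_SIZE)                                  # page 1: never written
    chunk1 = (XPRESS_MARKER + b"\x10\x00\x00\x00" + b"A" * 100).ljust(PAGE_SIZE, b"B")
    plain = b"C" * PAGE_SIZE                                   # page 3: uncompressed data
    chunk2 = (b"D" * 100 + XPRESS_MARKER + b"E" * 50).ljust(PAGE_SIZE, b"F")
    return header + unused + chunk1 + plain + chunk2 + unused  # 6 pages


def make_resumed_sample() -> bytes:
    """Same image after a resume: header page zeroed, data pages untouched."""
    return bytes(PAGE_SIZE) + make_sample()[PAGE_SIZE:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # A real hiberfil.sys is RAM-sized, so map it instead of reading it in.
        with open(sys.argv[1], "rb") as fh, \
                mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            result = triage(mm)
    else:
        result = triage(make_sample())
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it without arguments to see the constructed sample, or pass the path of a copied hiberfil.sys (never the live one on a running system). An "invalidated" header with a non-trivial number of Xpress blocks means the machine has resumed since the last hibernation; the header is gone, but the memory pages from that earlier hibernation are still on disk and may be recoverable.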
02/26/2008: Sandman has been released to the public.
